So I have an EKS cluster with ingress-nginx running inside, the service of ingress-nginx-controller is associated with the External IP of Load balancer type Network (say 123.elb.my-region.amazonaws.com).
The LB has a listener configured for port 443 and this listener has an SSL certificate in Secure listener settings. The used cert is a wildcard one matching *.foo.bar.com
Now I have a service in EKS which should be available under another subdomain, I've created a certificate as a k8s secret and declared its usage in ingress manifest for new service, like:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: foo
name: new-service-ingress
spec:
ingressClassName: nginx
tls:
- hosts:
- new-service.new-foo.bar.com
secretName: wildcard-new-foo-bar-com
rules:
- host: new-service.new-foo.bar.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: new-service
port: 80
With all this, I can still see that the certificate from LB Secure listener settings in AWS is served. Is there a way to make the ingress-nginx ignore it and serve the one from k8s manifest -> from secret wildcard-new-foo-bar-com?
I can confirm this in browser and by
$ curl -k new-service.new-foo.bar.com
> curl: (60) SSL: no alternative certificate subject name matches target host name