apache / openwhisk-deploy-kube

The Apache OpenWhisk Kubernetes Deployment repository supports deploying the Apache OpenWhisk system on Kubernetes and OpenShift clusters.
https://openwhisk.apache.org/
Apache License 2.0
301 stars 231 forks

What is correct way to use self-signed certs in ow install? #711

Open paul42 opened 2 years ago

paul42 commented 2 years ago

So far I've gotten ingress to work properly, creating a TLS secret in Kubernetes and using it in the standard ingress, but how do I keep the wsk CLI from having an issue with it? wsk property get shows my local info and then has this error at the end:

error: Unable to obtain API build information: Get "https://{working domain with tls}:30194/api/v1": x509: certificate signed by unknown authority

I know the wsk CLI docs have a section on client certs, but they don't mention where or how to edit openwhisk_client_ca_cert. It doesn't appear to be a setting on the wsk CLI, and searching the openwhisk codebase on GitHub only reveals the documentation notes (searching this codebase on GitHub reveals zero hits). Is there an easy way to use the certificate I generated before (using an internal CA) so I don't have to pass -i to the CLI?

Thanks again, sorry for the deluge of questions!

paul42 commented 2 years ago

I'm doing more testing, but @style95 was able to help me in the OpenWhisk Slack. Essentially you have to pass your chained cert (the leaf cert plus all the certs leading back to the CA) to nginx:

```yaml
whisk:
  auth:
    guest: newlyGeneratedetc:etc     # regenerated guest auth key (uuid:key)
    system: newlyGeneratedetc:etc    # regenerated system auth key (uuid:key)
  ingress:
    apiHostName: <Domain with cert>  # must match the certificate's subject/SAN
    apiHostPort: 443
    apiHostProto: https
    type: Standard
    domain: <Domain with cert>
    annotations:
      kubernetes.io/ingress.class: nginx
    tls:
      secretname: ow-tls             # pre-existing TLS Secret used by the ingress
      create: false                  # do not let the chart generate a self-signed one
      enabled: true
invoker:
  kubernetes:
    replicaCount: 2
  containerFactory:
    impl: "kubernetes"
k8s:
  persistence:
    enabled: true
    hasDefaultStorageClass: false
    explicitStorageClass: openebs-hostpath
nginx:
  httpsNodePort: 31002
  certificate:
    external: true                   # use the files below instead of a generated self-signed cert
    cert_file: ".crt that is same as domain and contains certs leading back to CA"
    key_file: ".key that is same as domain"
```

I'm still testing to see what the right Helm values are, but I'm able to do a wsk action list without the cert warning.

hawtkey commented 2 years ago

I'm no k8s/Helm pro, but FWIW: the Helm nginx template nginx-pod.yaml does a volumeMount of a TLS secret named owdev-nginx containing a generated base64-encoded self-signed certificate/key that nginx uses at /etc/nginx/certs. I generated the base64 versions of my own chained cert/decoded key, i.e. cat my-chained-cert.crt | base64 -w 0, and used the output to replace the generated cert/key in the owdev-nginx secret with kubectl edit secret owdev-nginx --namespace openwhisk, and the API works fine with no errors. Here are some other methods for updating a secret.