Kubernetes: Nginx Ingress Annotation ----> ngin

Posted 2019-02-14 20:57

Question:

Issue: I am trying to reach a Vault cluster which is hosted on my k8s cluster using ingress. Currently using nginx ingress controller version 0.10.2.

I am using custom generated TLS certs with Ingress which is pointing to the Vault cluster. I have the TLS certs in the same namespace as ingress.

Problem: Unable to reach the backend by providing the vault status command with the ca.crt for ingress.

Env variables set are

        VAULT_ADDR=https://vault.ingress.staging.k8s.com
        VAULT_SKIP_VERIFY=true

Unable to get the status, i.e. the traffic is being stopped at the ingress itself. When I check the logs for the ingress controller, it says:

        7 backend_ssl.go:146] unexpected error generating SSL certificate with full intermediate chain CA certs: Invalid certificate.

I have generated the custom TLS certs matching the Common Name of the Ingress resource, so I am unable to figure out why this is happening. I thought it might be due to wrong usage of the ingress annotations.

My question: is there anything wrong with ingress.kubernetes.io/secure-backends: 'true'? If yes, can you provide info about how to use it?

Notes:

  • I am using the appropriate ingress class and know that there is no problem with that, for sure.

  • I have deployed a few examples to check if there is any problem with ingress. Even that is working fine.

Can anyone provide a working example for nginx.ingress.kubernetes.io/secure-backends?

Any solution related to this issue would be appreciated!!!

Ingress.yaml

        kind: Ingress
        apiVersion: extensions/v1beta1
        metadata:
          name: vault
          namespace: default
          annotations:
            ingress.kubernetes.io/secure-backends: 'true'
            kubernetes.io/ingress.class: "k8s"
        spec:
          tls:
            - hosts:
                - vault.ingress.staging.k8s.com
              secretName: vault-server-ingress-tls
          rules:
            - host: vault.ingress.staging.k8s.com
              http:
                paths:
                  - path: /
                    backend:
                      serviceName: example
                      servicePort: 8200

Answer 1:

You could try with:

        kubernetes.io/ingress.class: "<your_class>"
        nginx.ingress.kubernetes.io/secure-backends: "true"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"

Please keep in mind that ssl-passthrough requires an additional command-line parameter to be added to the nginx-ingress-controller deployment (it is disabled by default):

        --enable-ssl-passthrough

Ref. https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#ssl-passthrough
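
The answer's annotations applied to the Ingress from the question, together with the controller flag, as an added example that is not part of the original answer. The Deployment name, namespace and image are placeholder assumptions; everything else mirrors the question's manifest.

```yaml
# Ingress from the question with the answer's annotations (added example).
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: vault
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "k8s"
    # "nginx." prefix, as in the answer; the question used the un-prefixed key.
    nginx.ingress.kubernetes.io/secure-backends: "true"
    # Passthrough hands the TLS stream to the backend unmodified (routed by SNI),
    # so the certificate the client sees is the one Vault itself serves.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
    - hosts:
        - vault.ingress.staging.k8s.com
      secretName: vault-server-ingress-tls
  rules:
    - host: vault.ingress.staging.k8s.com
      http:
        paths:
          - path: /
            backend:
              serviceName: example
              servicePort: 8200
---
# Fragment of the controller Deployment, showing only the container args.
# Name, namespace and image below are assumed placeholders.
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: nginx-ingress-controller        # assumed
  namespace: ingress-nginx              # assumed
spec:
  template:
    spec:
      containers:
        - name: nginx-ingress-controller
          image: "<controller-image>"   # placeholder
          args:
            - /nginx-ingress-controller
            - --ingress-class=k8s
            # Off by default; the ssl-passthrough annotation has no effect without it.
            - --enable-ssl-passthrough
```

With passthrough the client validates the certificate served by Vault itself, so that certificate must cover vault.ingress.staging.k8s.com. Pointing VAULT_CACERT at the CA file keeps verification on instead of relying on VAULT_SKIP_VERIFY=true.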