How to change the default certificate chain in Kubernetes Ingress
Solution 1:
If you are using cert-manager, optional control of the intermediate certificate isn't available yet.
That doesn't stop you from issuing your own certificate with certbot which has added support to select the chain and installing that on the ingress.
certbot ... --preferred-chain "ISRG Root X1"
Any unknown value for preferred-chain
will give you the default chain.
Solution 2:
Perhaps a spot late, but this is supported now. You can configure your issuer like this:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
preferredChain: "ISRG Root X1"
See this page for more