Cert-manager fails in Kubernetes cluster using GitLab Auto DevOps

3/18/2019

I'm using a Kubernetes cluster on GCP with GitLab Auto DevOps. The pipeline is running; Helm Tiller, Ingress and cert-manager are installed.

I already have a domain "xpto.com.br" that already has an SSL cert for all subdomains, but it's configured in IIS applications, so I can't use this cert in my GCP apps. So I am using Let's Encrypt with cert-manager to generate certs in the k8s cluster.

Everything is set up, but my applications are not responding over HTTPS. The web browser shows "backend 404" if I try to force "https" to run the apps.

After some tries, I decided to remove cert-manager from the cluster to try setting it up again. But GitLab doesn't enable the option to install cert-manager again, as the image below shows:

[screenshot omitted]

-- Rodrigo Celebrone
gitlab
kubernetes
ssl

1 Answer

3/18/2019

GitLab doesn't provide an uninstall option, so you will either have to manually re-install cert-manager in the gitlab-managed-apps or re-attach your cluster to your GitLab project. If you want to manually do that, run:

helm install \
    --name cert-manager \
    --namespace gitlab-managed-apps \
    stable/cert-manager

That only takes care of the cert-manager part. Another thing to note is that cert-manager doesn't miraculously recognize your need for a certificate and create one. You will need to create the required resources such as an Ingress, a ClusterIssuer and a Certificate resource. Also one thing to note is that you can use a single TLS wildcard certificate for all of your sub-domains. Do not generate redundant certificates; it will take a toll on your quota. Try with the following simple template (e.g. assuming you are using Route53 as your DNS provider):

issuer.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  # A ClusterIssuer is cluster-scoped, so it takes no metadata.namespace.
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <your email>
    privateKeySecretRef:
      name: letsencrypt-staging
    dns01:
      providers:
      - name: route53
        route53:
          region: us-east-1
          accessKeyID: <access key id>
          # For a ClusterIssuer this Secret must live in cert-manager's
          # cluster resource namespace (--cluster-resource-namespace, normally
          # the namespace cert-manager runs in: gitlab-managed-apps above).
          secretAccessKeySecretRef:
            name: <secret name>
            key: secret-access-key

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: <ingress name>
  annotations:
    kubernetes.io/ingress.class: nginx
    # The ingress-shim annotations (kubernetes.io/tls-acme and
    # certmanager.k8s.io/cluster-issuer) are left out on purpose: they would make
    # cert-manager create a second Certificate for the tls hosts using HTTP-01,
    # which cannot validate a wildcard. certificate.yaml handles issuance instead.
spec:
  tls:
  - hosts:
    - "*.example.com"
    # Must match spec.secretName in certificate.yaml; the Secret is read from
    # this Ingress's namespace.
    secretName: cert-wildcard-secret
  rules:
  - host: "sub.example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: <service name>
          servicePort: <port number>

certificate.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-wildcard
  # A Certificate is namespaced: create it in the same namespace as the Ingress,
  # because the Secret below is written into the Certificate's namespace.
spec:
  secretName: cert-wildcard-secret
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - '*.example.com'
  acme:
    config:
    - dns01:
        # Must match the provider name declared in the ClusterIssuer.
        provider: route53
      domains:
      - '*.example.com'

Once you have verified that this works (with the FAKE staging certificates) change the URL in your issuer to https://acme-v02.api.letsencrypt.org/directory so that you can create legitimate certificates. Once you've made the change, delete the old FAKE cert secret so the new one can replace it.

-- cookiedough
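As an added check, not part of the answer above: a small Python script that cross-validates the three manifests (issuerRef versus ClusterIssuer, Ingress `secretName` versus Certificate `secretName`, every rule host covered by both the TLS hosts and the Certificate `dnsNames` under the one-label wildcard rule, and whether the issuer still points at the staging endpoint). The manifests are assumed to have been loaded into dicts already (e.g. with PyYAML, not shown); the inline inputs are constructed to mirror the templates with placeholders filled in.

```python
"""Cross-check a ClusterIssuer / Ingress / Certificate trio before going to production."""
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"


def covers(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*.example.com' covers 'sub.example.com' only.
    It covers neither the apex 'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]              # what the '*' would stand for
    return label != "" and "." not in label   # exactly one non-empty label


def check(issuer: dict, ingress: dict, cert: dict) -> list:
    """Return a list of problems; an empty list means the trio is consistent."""
    problems = []
    tls = ingress["spec"]["tls"]
    if cert["spec"]["secretName"] not in {t["secretName"] for t in tls}:
        problems.append("ingress tls.secretName does not reference the Certificate's secretName")
    ref = cert["spec"]["issuerRef"]
    if (ref["kind"], ref["name"]) != (issuer["kind"], issuer["metadata"]["name"]):
        problems.append("certificate issuerRef does not match the ClusterIssuer")
    tls_hosts = [h for t in tls for h in t["hosts"]]
    for rule in ingress["spec"]["rules"]:
        host = rule["host"]
        if not any(covers(p, host) for p in tls_hosts):
            problems.append(f"rule host {host} is not covered by any tls host")
        if not any(covers(p, host) for p in cert["spec"]["dnsNames"]):
            problems.append(f"rule host {host} is not covered by the Certificate dnsNames")
    if issuer["spec"]["acme"]["server"] == STAGING:
        problems.append("issuer still points at the Let's Encrypt STAGING endpoint (untrusted certs)")
    return problems


# Constructed inputs mirroring the manifests above, placeholders filled with example values.
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-staging"},
          "spec": {"acme": {"server": STAGING}}}
INGRESS = {"spec": {"tls": [{"hosts": ["*.example.com"], "secretName": "cert-wildcard-secret"}],
                    "rules": [{"host": "sub.example.com"}]}}
CERT = {"spec": {"secretName": "cert-wildcard-secret", "dnsNames": ["*.example.com"],
                 "issuerRef": {"name": "letsencrypt-staging", "kind": "ClusterIssuer"}}}

if __name__ == "__main__":
    for problem in check(ISSUER, INGRESS, CERT):
        print("WARN:", problem)
```

Adding a rule for the apex host `example.com` to the Ingress makes the script flag it as uncovered by the wildcard on both the TLS hosts and the Certificate, which is the case where a second (apex) name, not a second certificate per subdomain, is needed.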
Source: StackOverflow