Ingress TLS routes with cert-manager not applied

9/10/2019

I have a K8s cluster (v1.12.8-gke.10) in GKE and have an nginx ingress with host rules. I am trying to enable TLS using cert-manager for ingress routes. I am using a selfsign cluster issuer. But when I access the site over HTTPS, I am still getting the default K8s certificate. (The certificate is only valid for the following names: kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: test
  name: test
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /
    certmanager.k8s.io/cluster-issuer: selfsign
spec:
  tls:
    - secretName: test
      hosts:
        - test.example.com
  rules:
    - host: test.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: test
              servicePort: 80

I have checked the following, and they are working fine:

  1. A cluster issuer named "selfsign"
  2. A valid self-signed certificate backed by a secret "test"
  3. A healthy and running nginx ingress deployment
  4. A healthy and running ingress service of type load-balancer
-- Param
cert-manager
google-kubernetes-engine
kubernetes
nginx-ingress
ssl

2 Answers

9/12/2019

I've followed the tutorial from DigitalOcean and was able to enable TLS using cert-manager for ingress routes using Helm, Tiller, Let's Encrypt and the Nginx Ingress controller in GKE.

Instead of host test-example.com, I used my own domain name and spun up dummy backend services (echo1 and echo2) for testing purposes.

After following the tutorial, to verify that HTTPS is working correctly, try to curl the host:

$ curl test.example.com

You should see a 308 HTTP response (Permanent Redirect). This indicates that HTTP requests are being redirected to use HTTPS.

On the other hand, try running curl on:

$ curl https://test.example.com

This should show you the site response.

You can run the previous commands with the verbose -v flag to check into the certificate handshake and to verify the certificate information.

-- Sandro G
Source: StackOverflow

9/10/2019

I think it's an issue with the ClusterIssuer.

Just have a look at my cluster issuer and check:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: it-support@something.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: prod
    # Enable the HTTP-01 challenge provider
    http01: {}

Check for the right URL to get production-grade certificates:

server: https://acme-v02.api.letsencrypt.org/directory

If your server URL is something like this:

server: https://acme-staging-v02.api.letsencrypt.org/directory

it means you are applying for a staging certificate, which may cause the error.

-- Harsh Manvar
Source: StackOverflow
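
The checks discussed in this thread (does the Ingress annotation name an existing ClusterIssuer, does that issuer point at the ACME staging URL, is every rule host listed under `spec.tls`) can be run over `kubectl get ... -o json` output. This is an added example, not code from the question or either answer; the function name `check_tls_wiring` and the `staging` issuer in the sample data are assumptions, and the sample objects are constructed from the manifests shown above.

```python
import json

STAGING_MARKER = "acme-staging"  # substring of the staging URL quoted in the second answer
ISSUER_ANNOTATION = "certmanager.k8s.io/cluster-issuer"  # annotation used in the question


def check_tls_wiring(ingress, cluster_issuers):
    """Return a list of findings for one Ingress dict and a list of ClusterIssuer dicts."""
    findings = []
    spec = ingress.get("spec", {})
    annotations = ingress.get("metadata", {}).get("annotations", {})
    issuer_name = annotations.get(ISSUER_ANNOTATION)
    issuers = {i["metadata"]["name"]: i.get("spec", {}) for i in cluster_issuers}

    if issuer_name is None:
        findings.append("no cluster-issuer annotation on the Ingress")
    elif issuer_name not in issuers:
        findings.append(f"annotation names unknown ClusterIssuer '{issuer_name}'")
    elif STAGING_MARKER in issuers[issuer_name].get("acme", {}).get("server", ""):
        findings.append(f"ClusterIssuer '{issuer_name}' uses the ACME staging server")

    # Every host in spec.rules must also appear under spec.tls with a secret.
    tls_hosts = set()
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            findings.append("tls entry without secretName")
        tls_hosts.update(entry.get("hosts", []))
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"rule host '{host}' is not listed under spec.tls")
    return findings


# Constructed sample data shaped like `kubectl get ... -o json` output.
INGRESS = json.loads("""{
  "metadata": {"namespace": "test", "name": "test",
    "annotations": {"certmanager.k8s.io/cluster-issuer": "selfsign"}},
  "spec": {"tls": [{"secretName": "test", "hosts": ["test.example.com"]}],
           "rules": [{"host": "test.example.com"}]}}""")
ISSUERS = [
    {"metadata": {"name": "prod"},
     "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}}},
    {"metadata": {"name": "staging"},  # hypothetical issuer for illustration
     "spec": {"acme": {"server": "https://acme-staging-v02.api.letsencrypt.org/directory"}}},
]

if __name__ == "__main__":
    for finding in check_tls_wiring(INGRESS, ISSUERS):
        print(finding)
```

With the sample data the only finding is the unknown `selfsign` issuer, because the constructed issuer list contains only `prod` and `staging`.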