cert-manager on kubernetes without hairpin nat

11/8/2019

I have a bare metal kubernetes deployment running on vmware vcloud director and I am struggling to set up cert-manager to manage ssl certificates. As described in the following issue, the "Challenge" always fails its self-check against the cluster's domain name/public IP because it is not accessible from inside the cluster (vmware vcloud director doesn't support hairpin NAT, which is routing traffic from an internal server back to an internal server using the edge gateway's public IP).

https://github.com/jetstack/cert-manager/issues/863

There is also a feature request to disable the http01 and dns01 self-check, but this is not implemented yet.

https://github.com/jetstack/cert-manager/issues/1292

My question is: "Is there a work-around solution to fix this self-check request?" I am also using a NodePort to expose the nginx-ingress service to the outside. Therefore, I have to route www.domain.com:80 requests from the cert-manager pod to the ingress-nginx pod's port 31080 without leaving the kubernetes cluster.


Best Regards

-- savas
cert-manager
cloud
kubernetes
ssl
virtual-machine
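
One in-cluster way to satisfy the routing the question asks for, added here as an illustration and not taken from the question or the answer: make the cluster's CoreDNS resolve the public hostname to the ingress-nginx Service, so the cert-manager pod's HTTP-01 self-check reaches the ingress controller over the Service's port 80 without ever leaving the cluster or touching the edge gateway's public IP. The hostname www.domain.com is the question's; the Service name ingress-nginx in namespace ingress-nginx and the rest of the Corefile layout (a default kubeadm cluster's coredns ConfigMap) are assumptions.

```yaml
# Assumed layout of the kube-system/coredns ConfigMap on a kubeadm cluster;
# only the "rewrite" line is new. Apply with:
#   kubectl -n kube-system apply -f coredns-rewrite.yaml
# The "reload" plugin picks the change up without restarting CoreDNS.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health
        # Added: answer queries for the public hostname with the ClusterIP of
        # the ingress-nginx Service (assumed name/namespace), so in-cluster
        # clients such as the cert-manager self-check hit the ingress directly
        # instead of the edge gateway's public IP that hairpin NAT would need.
        # The HTTP Host header is still www.domain.com, so the ingress rule
        # that cert-manager creates for the ACME solver still matches.
        rewrite name www.domain.com ingress-nginx.ingress-nginx.svc.cluster.local
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
```

Verify from a pod with `nslookup www.domain.com` (it should return the Service's ClusterIP, not the public IP) and `curl -sI http://www.domain.com/.well-known/acme-challenge/test`, which should now reach the ingress controller; note that every pod in the cluster, not only cert-manager, will resolve the name this way.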

1 Answer

11/8/2019

You can refer to this StackOverflow post for the same, and note that you need not create the secret manually (the one which has been mentioned in the secret): once you map the host name to TLS in the ingress rule, upon validation of that ACME challenge (without your interference), you will get a secure login.

I hope this turns out to be useful.

-- Tushar Mahajan
Source: StackOverflow