Kubernetes Let's Encrypt Certificate Not Issuing

1/8/2020

I've done all the required configuration below to get a certificate from Let's Encrypt in Kubernetes; however, I cannot see any certificate issued.

  • Nginx-ingress install using helm

helm install my-nginx-ingress stable/nginx-ingress --set controller.publishService.enabled=true

  • Cert-manager installation

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm install my-cert-manager --namespace spinnaker jetstack/cert-manager --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer

  • ClusterIssuer

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test@test.test
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

  • Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - SpinnakerApiDomain
    - SpinnakerDeckDomain
    secretName: spinnaker
  rules:
  - host: SpinnakerApiDomain
    http:
      paths:
      - backend:
          serviceName: spin-gate
          servicePort: 8084
  - host: SpinnakerDeckDomain
    http:
      paths:
      - backend:
          serviceName: spin-deck
          servicePort: 9000

I'm following these documents:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-on-digitalocean-kubernetes-using-helm

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-cd-pipeline-with-spinnaker-on-digitalocean-kubernetes

I've gone through other URLs as well, which have the same steps, but when I run kubectl get certificates --all-namespaces I cannot see any certificate issued.

Basically I'm configuring Spinnaker behind HTTPS.

Please advise. Thanks.

-- Jaydeep Soni
kubernetes
kubernetes-ingress
lets-encrypt
nginx-ingress
spinnaker

1 Answer

1/9/2020

When you want to use your own self-signed certificate for Ingress, you have to create a TLS secret.

First you have to generate a self-signed certificate and private key, for example:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -subj "/CN=${HOST}/O=${HOST}"

It will prompt you for a few things, like Country Name or State, but you can just hit Enter to accept the defaults.

Then create your TLS secret:

kubectl create secret tls <secret_name> --key key.pem --cert cert.pem

Then you can use it in your Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - SpinnakerApiDomain
    - SpinnakerDeckDomain
    secretName: <secret_name>
  rules:
  - host: SpinnakerApiDomain
    http:
      paths:
      - backend:
          serviceName: spin-gate
          servicePort: 8084
  - host: SpinnakerDeckDomain
    http:
      paths:
      - backend:
          serviceName: spin-deck
          servicePort: 9000

-- KFC_
Source: StackOverflow