Kubernetes - CertificateNotFound for Ingress controller

11/28/2020

It seems like the imported certificate is not visible. The import status shows that it is issued...

If I run the command aws acm list-certificates, the result is empty, but if I include the options according to this answer, --include keyTypes=RSA_2048,RSA_4096, then I can see the certificate.

user@osboxes:~/test$ aws acm list-certificates
{
    "CertificateSummaryList": []
}
user@osboxes:~/test$ aws acm list-certificates --include keyTypes=RSA_2048,RSA_4096
{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:ap-south-1:131584844995:certificate/8f5dfe1b-c9f3-4290-af32-28def42a98d0",
            "DomainName": "test.tk"
        }
    ]
}

The RBAC permissions are correct. So maybe we need to specify RSA_4096 as an option somewhere so the certificate is visible... but I don't know if we can do that with Kubernetes.

This is the error I get:

I1128 05:23:25.730617       1 listener.go:110] default/ingress-usermgmt-restapp-service: creating listener 443
E1128 05:23:25.821013       1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile listeners due to failed to create listener due to CertificateNotFound: Certificate 'arn:aws:acm:ap-south-1:131584844995:certificate/8f5dfe1b-c9f3-4290-af32-28def42a98d0' not found\n\tstatus code: 400, request id: 3e402f1e-eb64-4868-a296-ab11a38c085b"  "controller"="alb-ingress-controller" "request"={"Namespace":"default","Name":"ingress-usermgmt-restapp-service"}

Here is the yaml file:

# Annotations Reference:  https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-usermgmt-restapp-service
  labels:
    app: usermgmt-restapp
  annotations:
    # Ingress Core Settings
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Health Check Settings
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    #Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    alb.ingress.kubernetes.io/success-codes: '200'
    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    ## SSL Settings
    alb.ingress.kubernetes.io/listen-port: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:131584844995:certificate/8f5dfe1b-c9f3-4290-af32-28def42a98d0
    #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)
spec:
  rules:
    #- host: ssldemo.kubeoncloud.com    # SSL Setting (Optional only if we are not using certificate-arn annotation)
    - http:
        paths:
          - path: /app1/*
            backend:
              serviceName: app1-nginx-nodeport-service
              servicePort: 80
          - path: /app2/*
            backend:
              serviceName: app2-nginx-nodeport-service
              servicePort: 80
          - path: /*
            backend:
              serviceName: usermgmt-restapp-nodeport-service
              servicePort: 8095
# Important Note-1: In path based routing order is very important, if we are going to use  "/*", try to use it at the end of all rules.
-- John Doe
amazon-web-services
kubernetes

0 Answers