Cluster-issuer secret won't replicate with multiple ingress - kubernetes

I was under the impression that the main point of a cluster-issuer is that it's namespaced and doesn't have to be recreated across different resources; in general there could be one main cluster-issuer that will manage all ingresses across the cluster.
From what I am seeing, the cluster-issuer can only create one secret, and if it's in use by one ingress the second won't be created properly because it's already taken.
Is there any way to create one cluster-issuer to manage all ingresses across the cluster?
Code included below
Cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-grafana
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: foo@gmail.com
    privateKeySecretRef:
      name: letsencrypt-grafana
    solvers:
    - selector:
        dnsZones:
        - "foo.com"
      dns01:
        route53:
          region: eu-central-1
          hostedZoneID: foo
          accessKeyID: foo
          secretAccessKeySecretRef:
            name: aws-route53-creds
            key: password.txt
Ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: loki
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-grafana
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "125m"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - grafana.foo.com
    secretName: letsencrypt-grafana # < cert-manager will store the created certificate in this secret.
  rules:
  - host: grafana.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: loki-grafana
            port:
              number: 80

I would recommend creating the wildcard certificate using an Issuer/ClusterIssuer.
So you will have a single secret with the wildcard cert, which you can use across all ingresses.
As you are already using DNS verification it will work well, as wildcard certificates do not support HTTP validation.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
        - "devops.example.in"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z0152EXAMPLE
          accessKeyID: AKIA5EXAMPLE
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.example.in"
  dnsNames:
  - "*.devops.example.in"
Read my full article: https://medium.com/@harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2
Ingress & secret example
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    certmanager.k8s.io/issuer: "letsencrypt-prod"
    certmanager.k8s.io/acme-challenge-type: dns01
    certmanager.k8s.io/acme-dns01-provider: route53
  name: ingress-resource-tls
  namespace: default
spec:
  rules:
  - host: "hello.devops.example.in"
    http:
      paths:
      - backend:
          serviceName: hello-app
          servicePort: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - "hello.devops.example.in"
    secretName: tls-secret

@Harsh Manvar, while I do appreciate your answer, I found something that is a better fit for my needs.
The cert-manager documentation contains multiple options to sync secrets across namespaces.
The one I chose was reflector. The steps to install are included in the documentation, but just for the sake of service I'll post them here as well.
Requirements: Helm
Installation:
helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector emberstack/reflector
Setup:
Add the following annotation to your secret: reflector.v1.k8s.emberstack.com/reflection-allowed: "true". It should look like the following:
apiVersion: v1
kind: Secret
metadata:
  name: source-secret
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
Done! Your secret should be replicated within all namespaces. For multiple ingress configurations within the same namespace, you could edit your ingress.yaml like this:
Ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jenkins-ingress
  namespace: jenkins
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-global
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "125m"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - jenkins.foo.com
    - nginx.foo.com
    secretName: letsencrypt-global # < cert-manager will store the created certificate in this secret.
  rules:
  - host: jenkins.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: jenkins
            port:
              number: 80
  - host: nginx.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
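An added example (not from either answer above) that combines the wildcard-certificate approach with the reflector approach: one cert-manager Certificate whose secretTemplate carries reflector annotations, so the issued wildcard secret is mirrored only into an allow-list of namespaces rather than into every namespace, plus an Ingress in one of those namespaces that consumes the mirrored copy. The names letsencrypt-global, wildcard-foo-com and the namespaces loki and jenkins are assumed; secretTemplate needs cert-manager 1.5 or later.

```yaml
# Added example with assumed names: the wildcard Certificate lives in the
# cert-manager namespace and is mirrored by reflector into loki and jenkins only.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-foo-com
  namespace: cert-manager
spec:
  secretName: wildcard-foo-com-tls
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-global   # must use a DNS-01 solver for a wildcard name
  dnsNames:
  - "*.foo.com"
  - "foo.com"                  # the wildcard does not cover the apex name
  # Copied onto the issued Secret. An allow-list keeps the private key out of
  # namespaces that never terminate TLS for these hosts.
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "loki,jenkins"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "loki,jenkins"
---
# Consuming Ingress. It deliberately has no cert-manager.io/cluster-issuer
# annotation: that would make ingress-shim create a second Certificate in this
# namespace whose output overwrites the mirrored Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jenkins-ingress
  namespace: jenkins
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - jenkins.foo.com
    secretName: wildcard-foo-com-tls   # mirrored by reflector, not issued here
  rules:
  - host: jenkins.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: jenkins
            port:
              number: 80
```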

Related

AWX-Operator on K8S - Domain Ingress Problem

I installed AWX-Operator on K8S along with kustomization.
After proper configuration, AWX starts correctly, I can access it via:
http://server_ip:30080
Now I'm in the process of setting up the YAML files so that I can access through my own domain.
The ingress.yaml file looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: awx-ingress
  name: awx-ingress
  namespace: awx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  tls:
  - hosts:
    - someDomain.com
    secretName: awx-secret-tls
  rules:
  - host: someDomain.com
    http:
      paths:
      - backend:
          service:
            name: awx-service
            port:
              number: 80
        path: /
        pathType: Prefix
Result is:
Also my main awx.yaml looks like:
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
  namespace: awx
spec:
  auto_upgrade: true
  admin_user: admin
  admin_password_secret: awx-admin-password
  ingress_type: ingress
  ingress_tls_secret: awx-secret-tls
  hostname: someDomain.com
  postgres_configuration_secret: awx-postgres-configuration
  postgres_storage_class: awx-postgres-volume
  postgres_storage_requirements:
    requests:
      storage: 8Gi
  projects_persistence: true
  projects_existing_claim: awx-projects-claim
All I want is to just enter the AWX GUI via someDomain.com.

Generate multiple Kubernetes Ingress with kustomize

So, I have a situation where I have to create 700 redirects (301 redirects) for a website. It looks like I cannot do it in a single Ingress object and have to create one Ingress object per redirect, like:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: redirect-001                                                   # <-- should be different
  namespace: XXXXX
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: "/redirect-path001"  # <-- should be different
spec:
  tls:
  - hosts:
    - DNS Name
    secretName: cert
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: "/path-001"                                              # <-- should be different
        backend:
          service:
            name: my-svc
            port:
              number: 80
    host: "DNS Name"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: redirect-002                                                   # <-- should be different
  namespace: XXXX
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: "/redirect-path002"  # <-- should be different
spec:
  tls:
  - hosts:
    - DNS Name
    secretName: cert
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: "/path-002"                                              # <-- should be different
        backend:
          service:
            name: my-svc
            port:
              number: 80
    host: "DNS Name"
So can I use Kustomize to generate these Ingress objects? I want to generate all Ingress objects with Kustomize: I want to have a redirects.yaml with the above content in the base directory, and with a kustomization.yaml file I want to create several Ingress objects in overlays/dev/redirects.yaml. What would be the contents of my kustomization.yaml? I want to create multiple Ingress objects; the only values that need to be different are:
  name: "Ingress Name"
  path: "/path"
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: "/redirect-path"

kubectl get certificates : No resources found using cert-manager

I don't understand why I can't get certificates on K8S using cert-manager.
I installed cert-manager : https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
I created a ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
I created an ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  rules:
  - host: mytest.example.fr
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: webapp
            port:
              number: 80
  tls:
  - hosts:
    - mytest.example.fr
    secretName: letsencrypt-staging
But when I try to get a certificate, I get 'no resources found'.
Any idea?
Thank you for your help.
If you don't want to create a kind Certificate, you can use:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      # .
      # . Path and service configs
      # .
      # .
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name
The ingress will call the ClusterIssuer and it will auto-create the certificate for you.
Update the ingress resources as per need if you are on a higher version, 1.18 or above.
Notes
Make sure you are using the URL https://acme-v02.api.letsencrypt.org/directory in the ClusterIssuer, or else you will get a fake certificate in the browser.
For reference you can read more here:
https://stackoverflow.com/a/55183209/5525824
Make sure also your ingress is pointing to the proper ClusterIssuer if you have created a new one.
Also don't use the same privateKeySecretRef name secret-name; you need to delete it or use a new name, as the fake certificate is now stored in that secret.
Certificates are not created automatically by cert-manager.
You have to create a YAML yourself, and use the issuer name that you have already created:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: default
spec:
  secretName: set-a-new-name-here
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: mytest.example.fr
  dnsNames:
  - mytest.example.fr

cert-manager letsencrypt issuing invalid certs

I followed this tutorial to serve a basic application using the NGINX Ingress Controller and cert-manager with Let's Encrypt.
I am able to visit the website, but the SSL certificate is broken, saying Issued By: (STAGING) Artificial Apricot R3.
This is my ClusterIssuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-issuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: my-email@example.com
    privateKeySecretRef:
      name: letsencrypt-issuer
    solvers:
    - http01:
        ingress:
          class: nginx
And the Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress-dev
  namespace: my-app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-issuer
spec:
  tls:
  - secretName: echo-tls
    hosts:
    - my-app.example.com
  rules:
  - host: my-app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-dev
            port:
              number: 80
Let's Encrypt staging is for testing and does not issue certificates that are trusted by browsers. Use the production LE URL instead: https://acme-v02.api.letsencrypt.org/directory

acme staging environment shows invalid certificate

I have created a staging environment with cert-manager as the following:
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: stage@example.io
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: privateKeySecretRef
    solvers:
    - dns01:
        digitalocean:
          tokenSecretRef:
            name: digitalocean-dns
            key: access-token
      selector:
        dnsNames:
        - "*.dev.svc.databaker.io"
        - "*.stage.svc.databaker.io"
---
and have created a certificate for the wildcard domain *.dev.svc.databaker.io:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: dev-cert-staging
  namespace: dev
spec:
  secretName: secretName
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: "*.dev.svc.databaker.io"
  dnsNames:
  - "*.dev.svc.databaker.io"
at the end, an ingress object:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  name: dashboard
  namespace: dev
spec:
  rules:
  - host: dashboard.dev.svc.databaker.io
    http:
      paths:
      - backend:
          serviceName: dashboard
          servicePort: 80
        path: /
  tls:
  - hosts:
    - '*.dev.svc.databaker.io'
    secretName: secretName
When I call the page https://dashboard.dev.svc.databaker.io/, it shows me:
The question is: is it right that it shows an invalid certificate?
It's right; staging is for testing certificate creation and has a very high limit on certificate issuance.
Use the production cert issuer even for your dev environments, but it's rate limited, so make sure you're not spamming certs.