Configure TLS on Bitnami Keycloak Helm Chart - keycloak

Lots of effort... lack of success.
I'm trying to configure an external generated SSL Certificate. My objective is to use helm in order to manage the certificate. I'm using Bitnami's Keycloak Helm chart for deployment purposes on AKS.
Following is an excerpt of the helm chart definition - only the ingress declaration part:
## Keycloak ingress parameters
## ref: https://kubernetes.io/docs/user-guide/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for Keycloak
  ##
  enabled: true
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: "nginx"
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress record
  ##
  hostname: "auth.sampledomain.com"
  ## @param ingress.path Default path for the ingress record
  ##
  path: /
  ## @param ingress.servicePort Backend service port to use
  ## Default is http. Alternative is https.
  ##
  servicePort: http
  ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations:
    {
      "nginx.ingress.kubernetes.io/client-header-buffer-size": "64k",
      "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
      "nginx.ingress.kubernetes.io/http2-max-field-size": "16k",
      "nginx.ingress.kubernetes.io/http2-max-header-size": "128k",
      "nginx.ingress.kubernetes.io/large-client-header-buffers": "8 64k",
      "nginx.ingress.kubernetes.io/proxy-body-size": "4m",
      "nginx.ingress.kubernetes.io/proxy-buffer-size": "128k",
      "nginx.ingress.kubernetes.io/proxy-buffers": "4 256k",
      "nginx.ingress.kubernetes.io/proxy-busy-buffers-size": "256k",
      "nginx.ingress.kubernetes.io/secure-backends": "true",
      "nginx.ingress.kubernetes.io/ssl-redirect": "true"
    }
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: true
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ## - hosts:
  ##     - keycloak.local
  ##   secretName: keycloak.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## - name: keycloak.local-tls
  ##   key:
  ##   certificate:
  ##
  secrets:
    [
      {
        "certificate": "-----BEGIN CERTIFICATE-----
          djlkasjdlkasjdlksajdlksajdljaslkdjaslkdjaskldjlkasjdlkasjdlkasjd
          djlkasjdlkasjdlksajdlksajdljaslkdjaslkdjaskldjlkasjdlkasjdlkasjd
          .......
          .......
          hdjkashdjksahdkjsahdjkhsajkdhsajkdhsakjdhjksahdjhd= -----END CERTIFICATE----- ",
        "key": "-----BEGIN RSA PRIVATE KEY-----
          djlkasjdlkasjdlksajdlksajdljaslkdjaslkdjaskldjlkasjdlkasjdlkasjd
          djlkasjdlkasjdlksajdlksajdljaslkdjaslkdjaskldjlkasjdlkasjdlkasjd
          .......
          .......
          hdjkashdjksahdkjsahdjkhsajkdhsajkdhsakjdhjksahdjhd= -----END RSA PRIVATE KEY-----",
        "name": "aks-ingress-tls"
      }
    ]
This is the generated ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: keycloak
    meta.helm.sh/release-namespace: keycloak
    nginx.ingress.kubernetes.io/client-header-buffer-size: 64k
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/http2-max-field-size: 16k
    nginx.ingress.kubernetes.io/http2-max-header-size: 128k
    nginx.ingress.kubernetes.io/large-client-header-buffers: 8 64k
    nginx.ingress.kubernetes.io/proxy-body-size: 4m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/proxy-buffers: 4 256k
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 256k
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  creationTimestamp: "2022-04-21T16:35:25Z"
  generation: 7
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-7.1.16
  name: keycloak
  namespace: keycloak
  resourceVersion: "6267339"
  uid: 0238426d-3562-44ae-a6e6-34be825fbb30
spec:
  ingressClassName: nginx
  rules:
  - host: auth.sampledomain.com
    http:
      paths:
      - backend:
          service:
            name: keycloak
            port:
              name: http
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - auth.sampledomain.com
    secretName: aks-ingress-tls
status:
  loadBalancer:
    ingress:
    - ip: 1.1.1.1
I had to add the TLS configuration on the ingress by myself.
For some reason the webapp is not secured.
What am I doing wrong here?

You need to configure the following in the Bitnami helm chart:
## HTTPS settings
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
##
tls:
  ## @param tls.enabled Enable TLS encryption. Required for HTTPS traffic.
  ##
  enabled: true
  ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
  ##
  autoGenerated: true
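Before touching annotations it is worth confirming that the TLS secret the Ingress references (here `aks-ingress-tls`) actually contains usable PEM. One common way an externally supplied certificate gets mangled on the way into a Secret is losing its line breaks: YAML folds the line breaks of a multi-line double-quoted scalar into single spaces, so a PEM pasted that way arrives as one long line and the TLS server cannot load it. The following is an added example, not part of the question or the Bitnami chart: a stdlib-only Python checker that takes the JSON printed by `kubectl get secret aks-ingress-tls -n keycloak -o json`, decodes `tls.crt` and `tls.key`, and reports the secret type, PEM framing, base64 body and a folded (single-line) PEM. The DER bytes and the secret documents used as input are constructed stand-ins, not real key material.

```python
import base64
import json
import re

# One PEM block: header, base64 body in lines of at most 64 characters, footer (RFC 7468 layout).
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]{1,64}\n)+)"
    r"-----END (?P=label)-----"
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_pem(text, expected_labels):
    """Return a list of problems found in a PEM file (empty list means it looks sound)."""
    problems = []
    text = text.replace("\r\n", "\n")
    blocks = list(PEM_BLOCK_RE.finditer(text))
    if not blocks:
        if "-----BEGIN" in text and "\n" not in text.strip():
            problems.append("PEM has lost its line breaks (a multi-line double-quoted "
                            "YAML scalar folds them into spaces)")
        else:
            problems.append("no well-formed PEM block found")
        return problems
    leftover = PEM_BLOCK_RE.sub("", text).strip()
    if leftover:
        problems.append(f"unexpected text outside the PEM blocks: {leftover[:40]!r}")
    for i, m in enumerate(blocks):
        if m.group("label") not in expected_labels:
            problems.append(f"block {i}: unexpected PEM label {m.group('label')!r}")
        try:
            der = base64.b64decode(m.group("body"))  # newlines are discarded by default
        except ValueError:
            problems.append(f"block {i}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            problems.append(f"block {i}: decoded DER does not start with a SEQUENCE tag")
    return problems


def check_tls_secret(secret_json):
    """Validate a Secret as printed by `kubectl get secret NAME -o json`."""
    secret = json.loads(secret_json)
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data") or {}
    for field, labels in (("tls.crt", {"CERTIFICATE"}), ("tls.key", KEY_LABELS)):
        if field not in data:
            problems.append(f"missing data field {field!r}")
            continue
        try:
            pem = base64.b64decode(data[field], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{field} is not valid base64")
            continue
        problems.extend(f"{field}: {p}" for p in check_pem(pem, labels))
    return problems


def make_pem(label, der):
    """Wrap DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def make_secret(crt_pem, key_pem, secret_type="kubernetes.io/tls"):
    """Constructed stand-in for `kubectl get secret aks-ingress-tls -o json` output."""
    return json.dumps({
        "apiVersion": "v1", "kind": "Secret", "type": secret_type,
        "metadata": {"name": "aks-ingress-tls", "namespace": "keycloak"},
        "data": {"tls.crt": base64.b64encode(crt_pem.encode()).decode(),
                 "tls.key": base64.b64encode(key_pem.encode()).decode()},
    })


# Constructed DER stand-in (a SEQUENCE of 100 zero bytes), not a real certificate or key.
FAKE_DER = b"\x30\x64" + b"\x00" * 100
GOOD_CRT = make_pem("CERTIFICATE", FAKE_DER)
GOOD_KEY = make_pem("RSA PRIVATE KEY", FAKE_DER)
FOLDED_CRT = " ".join(GOOD_CRT.split("\n")).strip()  # what YAML line folding leaves behind

GOOD_SECRET = make_secret(GOOD_CRT, GOOD_KEY)
FOLDED_SECRET = make_secret(FOLDED_CRT, GOOD_KEY)
OPAQUE_SECRET = make_secret(GOOD_CRT, GOOD_KEY, secret_type="Opaque")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SECRET), ("folded", FOLDED_SECRET), ("opaque", OPAQUE_SECRET)):
        print(name, check_tls_secret(doc) or "OK")
```

If the folded case shows up, the fix is on the input side: create the secret with `kubectl create secret tls` from the PEM files (as the answer to the x509 question further down shows), or pass the PEM into the chart as a literal block scalar rather than a quoted string.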

Related

CockroachDB Kubernetes Cluster Ingress Setup

So my goal is to be able to access my CockroachDB from a domain like db.test.com with a cert.
I want to use cert-manager with letsencrypt to issue keys. And it should work with CF (in non-proxy mode, as I think they do not support TCP for this).
At first, to test everything, I used a normal kubectl port-forward, which worked, but now I need to expose it permanently.
I have tried using Ingress (using ingress-nginx).
I know that Ingress is mostly HTTP/HTTPS, but I saw it can be used for the thing I need, and in CF I cannot point to the port that I needed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tcp-example-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/tcp-services: "cluster-cockroachdb-public"
    nginx.ingress.kubernetes.io/tcp-service-port: "26257"
    nginx.ingress.kubernetes.io/backend-protocol: "TCP"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - db.test.com
    secretName: db-access-ssl-cert-production
  rules:
  - host: db.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cluster-cockroachdb-public
            port:
              number: 26257
Attempting to connect does not work, and in the logs I can see a 400 status code with strange characters like \x20...
No matter what I tried I could not get it to work.
I did manage to get the web-ui portion working; that was easy enough.
Another resource that might be helpful is the values.yaml that I used:
conf:
  cache: "2Gi"
  max-sql-memory: "2Gi"
# My WEB-UI that works
ingress:
  enabled: true
  labels: {}
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
  paths: [/]
  hosts:
    - db-ui.test.com
  tls:
    - hosts: [db-ui.test.com]
      secretName: ssl-cert-production
Everything else is default.
I solved my issue by following the tutorial below:
https://mailazy.com/blog/exposing-tcp-udp-services-ingress/
also mentioned here
https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/
Ingress does not support TCP or UDP services, so we use the ingress-nginx config for it: we patch the values of the ingress-nginx chart and add a custom one (copy the default values.yaml from the ingress-nginx Helm chart on GitHub).
I just edited this portion:
# -- TCP service key-value pairs
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
##
tcp:
  "26257": "default/cluster-cockroachdb-public:26257"
After that we run the helm upgrade command to replace the values of ingress-nginx, and then it should work for anyone else as well.
If you are using cloudflare make sure to disable proxy!

How to create another issuer for another subdomain in Kubernetes using Nginx-ingress controller?

I am trying to create another Issuer for another subdomain. I am following this example: Digital Ocean Kubernetes tutorial, and in this example the author gives an example for the http://echo.starter-kit.online/ subdomain, which I was able to get working using my own subdomain.
I am trying to get this working for the quote.starter-kit.online example by creating a new Issuer like the following:
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: quote-letsencrypt-nginx
  namespace: backend
spec:
  # ACME issuer configuration
  # `email` - the email address to be associated with the ACME account (make sure it's a valid one)
  # `server` - the URL used to access the ACME server's directory endpoint
  # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
  acme:
    email: my@mydomain.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: quote-letsencrypt-nginx-private-key
    solvers:
      # Use the HTTP-01 challenge provider
      - http01:
          ingress:
            class: nginx
And the following Ingress rule for the quote subdomain:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-quote
  namespace: backend
  annotations:
    cert-manager.io/issuer: letsencrypt-nginx
spec:
  tls:
    - hosts:
        - quote.mydomain.com
      secretName: quote-letsencrypt
  rules:
    - host: quote.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: quote
                port:
                  number: 8080
  ingressClassName: nginx
When I do the following:
>kubectl get certificates -n backend
NAME                      READY   SECRET                    AGE
letsencrypt-nginx         True    letsencrypt-nginx         5d2h
quote-letsencrypt-nginx   False   quote-letsencrypt-nginx   2s
I can see the certs. However, when I do the following I see that https is not working:
curl -Li quote.mydomain.com
HTTP/1.1 308 Permanent Redirect
Date: Sun, 02 Jan 2022 23:49:40 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://quote.mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Try:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-quote
  namespace: backend
  annotations:
    cert-manager.io/issuer: quote-letsencrypt-nginx  # <-- changed
spec:
  tls:
    - hosts:
        - quote.mydomain.com
      secretName: quote-letsencrypt-tls
  rules:
  ...
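The failure mode in this question is pure wiring: the `cert-manager.io/issuer` annotation, the Issuer object, the Certificate that cert-manager creates and the `secretName` in the Ingress all have to line up inside one namespace, and `kubectl get certificates` only shows the last link. The following is an added example, not from the question or the answer: a stdlib-only Python linter that cross-checks the four `kubectl get <kind> -A -o json` outputs and reports annotations that name a missing Issuer or ClusterIssuer, tls entries whose secret no Certificate writes, and Certificates that are not Ready along with their status message. The sample objects are constructed to resemble the ones in the question; the Ready message text is a placeholder, not real cert-manager output.

```python
import json


def ready_condition(cert):
    """Return (is_ready, message) from a cert-manager Certificate's status.conditions."""
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition reported yet"


def lint_ingress_tls(ingresses, issuers, cluster_issuers, certificates):
    """Cross-check the cert-manager wiring of Ingress objects.

    Each argument is the `items` list from `kubectl get <kind> -A -o json`.
    Returns a list of (namespace/name, finding) tuples; an empty list is clean."""
    issuer_keys = {(i["metadata"]["namespace"], i["metadata"]["name"]) for i in issuers}
    cluster_issuer_names = {i["metadata"]["name"] for i in cluster_issuers}
    cert_by_secret = {(c["metadata"]["namespace"], c["spec"]["secretName"]): c
                      for c in certificates}
    findings = []
    for ing in ingresses:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        ref = f"{ns}/{name}"
        ann = ing["metadata"].get("annotations", {})
        issuer = ann.get("cert-manager.io/issuer")
        cluster_issuer = ann.get("cert-manager.io/cluster-issuer")
        if issuer and (ns, issuer) not in issuer_keys:
            findings.append((ref, f"cert-manager.io/issuer names {issuer!r}, but no Issuer "
                                  f"of that name exists in namespace {ns!r}"))
        if cluster_issuer and cluster_issuer not in cluster_issuer_names:
            findings.append((ref, f"cert-manager.io/cluster-issuer names {cluster_issuer!r}, "
                                  "but no such ClusterIssuer exists"))
        for entry in ing.get("spec", {}).get("tls", []):
            secret = entry.get("secretName")
            if not secret:
                findings.append((ref, f"tls entry for {entry.get('hosts')} has no secretName"))
                continue
            cert = cert_by_secret.get((ns, secret))
            if cert is None:
                findings.append((ref, f"no Certificate in {ns!r} writes secret {secret!r}"))
                continue
            ready, msg = ready_condition(cert)
            if not ready:
                findings.append((ref, f"Certificate {cert['metadata']['name']!r} for secret "
                                      f"{secret!r} is not Ready: {msg}"))
    return findings


def as_kubectl_json(items):
    """Wrap a list of objects the way `kubectl get ... -o json` prints a List."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items})


def lint_from_json(ingress_json, issuer_json, cluster_issuer_json, certificate_json):
    """Same check, fed with the raw text of the four kubectl outputs."""
    docs = (ingress_json, issuer_json, cluster_issuer_json, certificate_json)
    return lint_ingress_tls(*(json.loads(doc)["items"] for doc in docs))


# Constructed sample modelled on the objects in the question (not real cluster output).
ISSUERS = [
    {"metadata": {"namespace": "backend", "name": "letsencrypt-nginx"}},
    {"metadata": {"namespace": "backend", "name": "quote-letsencrypt-nginx"}},
]
CLUSTER_ISSUERS = []
CERTIFICATES = [
    {"metadata": {"namespace": "backend", "name": "letsencrypt-nginx"},
     "spec": {"secretName": "letsencrypt-nginx"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"namespace": "backend", "name": "quote-letsencrypt-nginx"},
     "spec": {"secretName": "quote-letsencrypt-nginx"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "message": "constructed placeholder: order still pending"}]}},
]
INGRESSES = [
    {"metadata": {"namespace": "backend", "name": "ingress-echo",
                  "annotations": {"cert-manager.io/issuer": "letsencrypt-nginx"}},
     "spec": {"tls": [{"hosts": ["echo.mydomain.com"], "secretName": "letsencrypt-nginx"}]}},
    {"metadata": {"namespace": "backend", "name": "ingress-quote",
                  "annotations": {"cert-manager.io/issuer": "letsencrypt-nginx"}},
     "spec": {"tls": [{"hosts": ["quote.mydomain.com"], "secretName": "quote-letsencrypt"}]}},
    {"metadata": {"namespace": "backend", "name": "ingress-quote-v2",
                  "annotations": {"cert-manager.io/issuer": "quote-letsencrypt"}},
     "spec": {"tls": [{"hosts": ["quote.mydomain.com"],
                       "secretName": "quote-letsencrypt-nginx"}]}},
]

if __name__ == "__main__":
    for ref, finding in lint_ingress_tls(INGRESSES, ISSUERS, CLUSTER_ISSUERS, CERTIFICATES):
        print(f"{ref}: {finding}")
```

Run against a live cluster by piping each `kubectl get ingress|issuer|clusterissuer|certificate -A -o json` output into `lint_from_json`; a Certificate that is not Ready is the point to follow with `kubectl describe certificate`, and the status message usually names the stuck Order or Challenge.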

Helm for kubernetes-dashboard not creating ingress

I'm trying to get kubernetes-dashboard up and running under KIND, but I'm not getting an ingress created, even though I think I changed the values.yaml to do that. Here is what I have for that section; any idea what I'm missing/doing wrong?
ingress:
  ## If true, Kubernetes Dashboard Ingress will be created.
  ##
  enabled: true
  ## Kubernetes Dashboard Ingress labels
  labels:
    key: value
  ## Kubernetes Dashboard Ingress annotations
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
    ## If you plan to use TLS backend with enableInsecureLogin set to false
    ## (default), you need to uncomment the below.
    ## If you use ingress-nginx < 0.21.0
    # nginx.ingress.kubernetes.io/secure-backends: "true"
    ## if you use ingress-nginx >= 0.21.0
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  ## Kubernetes Dashboard Ingress Class
  # className: "example-lb"
  ## Kubernetes Dashboard Ingress paths
  ## Both `/` and `/*` are required to work on gce ingress.
  paths:
    - /
    - /*
  ## Custom Kubernetes Dashboard Ingress paths. Will override default paths.
  ##
  customPaths:
    - pathType: ImplementationSpecific
      backend:
        service:
          name: ssl-redirect
          port:
            name: use-annotation
    - pathType: ImplementationSpecific
      backend:
        service:
          name: >-
            {{ include "kubernetes-dashboard.fullname" . }}
          port:
            # Don't use string here, use only integer value!
            number: 443
  # Kubernetes Dashboard Ingress hostnames
  # Must be provided if Ingress is enabled
  #
  hosts:
    - local.com
  # Kubernetes Dashboard Ingress TLS configuration
  # Secrets must be manually created in the namespace
  #
  tls:
    - secretName: kubernetes-dashboard-tls
      hosts:
        - local.com
This will run, and if I run:
helm upgrade -f dashboard/values.yaml dashboard dashboard
Release "dashboard" has been upgraded. Happy Helming!
NAME: dashboard
LAST DEPLOYED: Fri Dec 10 16:41:46 2021
NAMESPACE: kubernetes-dashboard
STATUS: deployed
REVISION: 7
TEST SUITE: None
$ kubectl get pods
NAME                                              READY   STATUS    RESTARTS   AGE
dashboard-kubernetes-dashboard-5d89cf78dd-g6tmb   1/1     Running   0          94m
But:
$ kubectl get ingress
No resources found in kubernetes-dashboard namespace.
Now stackoverflow won't post my question, because I posted mostly code. Maybe this will trick it.
I ended up creating my own ingress:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  tls:
    - hosts:
        - {{ .Values.apps.nameSpace }}.{{ .Values.apps.domain }}
      secretName: my-tls-secret
  rules:
    - host: {{ .Values.apps.nameSpace }}.{{ .Values.apps.domain }}
      http:
        paths:
          - pathType: Prefix
            path: /dashboard(/|$)(.*)
            backend:
              service:
                name: dashboard-kubernetes-dashboard
                port:
                  number: 443

How to rewrite target to correct path in haproxy-ingress?

I'm trying to use HAProxy as a load balancer and haproxy-ingress as the ingress controller in k8s.
My load balancer config:
frontend MyFrontend_80
    bind *:80
    bind *:443
    mode tcp
    default_backend TransparentBack_https

backend TransparentBack_https
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server MyWebServer1 10.5.5.53
    server MyWebServer2 10.5.5.54
    server MyWebServer3 10.5.5.55
Ingress file:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: li
  namespace: li
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    #haproxy.org/forwarded-for: true
    kubernetes.io/ingress.class: haproxy
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: a.b.c
    http:
      paths:
      - path: /storage
        backend:
          serviceName: li-frontend
          servicePort: 80
  tls:
  - hosts:
    - a.b.c
    secretName: longhorn-ui-tls
li-frontend is a dashboard ui service.
All is OK when I set the path field to blank in my ingress, but the page is not normal when the path field is set to /storage or any non-blank value.
I find that some links don't get the correct path, e.g.:
request    correct value
/main.js   /storage/main.js
I found this in nginx-ingress:
#nginx.ingress.kubernetes.io/configuration-snippet: |
#  rewrite ^/main(.*)$ /storage/main$1 redirect;
Does haproxy-ingress have the same function?
I tried these, but they have no effect:
ingress.kubernetes.io/app-root: /storage
ingress.kubernetes.io/rewrite-target: /storage
In addition, I use rewrite in nginx-ingress, but it doesn't work with websockets.
Sorry for my poor English.
For HAProxy you have to use the haproxy annotation:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # replace all paths with /
    haproxy.org/path-rewrite: "/"
    # add the prefix /foo ... "/bar?q=1" into "/foo/bar?q=1"
    haproxy.org/path-rewrite: (.*) /foo\1
    # add the suffix /foo ... "/bar?q=1" into "/bar/foo?q=1"
    haproxy.org/path-rewrite: ([^?]*)(\?(.*))? \1/foo\2
    # strip /foo ... "/foo/bar?q=1" into "/bar?q=1"
    haproxy.org/path-rewrite: /foo/(.*) /\1
spec:
  # ingress specification...
Ref: https://www.haproxy.com/documentation/kubernetes/1.4.5/configuration/ingress/
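Three rewrites appear on this page: the kubernetes-dashboard answer's `rewrite-target: /$2` paired with the path `/dashboard(/|$)(.*)`, the nginx `rewrite ^/main(.*)$ /storage/main$1` snippet in the question above, and the four `haproxy.org/path-rewrite` rules in this answer. They all follow one model: a regex is matched against the request path and, on a match, the whole path is replaced by the replacement with its back-references expanded (nginx writes them `$1`, HAProxy `\1`). The block below is an added example, not code from either question or the HAProxy documentation; it implements that model in Python and runs the page's rules over constructed request paths so you can see what each one produces before deploying it. It deliberately does not model nginx `redirect`/`break` flags, ingress-nginx's `use-regex` option, or query-string handling beyond what the HAProxy regexes capture.

```python
import re


def rewrite_path(path, pattern, replacement):
    """Apply one regex path rewrite.

    Model: if `pattern` matches the request path, the whole path becomes
    `replacement` with back-references expanded; otherwise the path is returned
    unchanged. Accepts nginx-style $1 and HAProxy/sed-style \\1 references."""
    m = re.search(pattern, path)
    if m is None:
        return path
    template = re.sub(r"\$(\d+)", r"\\\1", replacement)  # "$2" -> "\2" for Match.expand
    return m.expand(template)


# The rules quoted on this page, keyed by where they come from.
RULES = {
    "nginx snippet, prefix /storage": (r"^/main(.*)$", "/storage/main$1"),
    "ingress-nginx rewrite-target":   (r"/dashboard(/|$)(.*)", "/$2"),
    "haproxy add prefix /foo":        (r"(.*)", r"/foo\1"),
    "haproxy add suffix /foo":        (r"([^?]*)(\?(.*))?", r"\1/foo\2"),
    "haproxy strip /foo":             (r"/foo/(.*)", r"/\1"),
}

# Constructed request paths to exercise each rule, including non-matching ones.
SAMPLE_PATHS = ["/main.js", "/dashboard", "/dashboard/api/v1/login", "/bar?q=1", "/foo/bar?q=1"]


def demo():
    """Run every rule over the sample paths; returns {rule: [(request, rewritten), ...]}."""
    return {name: [(p, rewrite_path(p, pat, rep)) for p in SAMPLE_PATHS]
            for name, (pat, rep) in RULES.items()}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for request, rewritten in results:
            marker = "  " if request == rewritten else "->"
            print(f"    {request:28} {marker} {rewritten}")
```

Two things the output makes visible: a rule whose regex does not match leaves the path alone (the `/storage` prefix rule never touches `/bar?q=1`), and the `(/|$)` alternative in the dashboard path is what lets a bare `/dashboard` rewrite to `/` instead of failing to match.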

Kubernetes Ingress annotations for x509 certificate authentication

I'm trying to use kubernetes ingress annotation rules in order to enable X509 authentication.
My ingress yaml file is defined below:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: bdf-opengie-test
  name: keycloak-opengie-test-ssl
  labels:
    app: keycloak-opengie
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  rules:
  - host: keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak-opengie
          servicePort: http
  tls:
  - hosts:
    - keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local
When I invoke my application URL, I'm expecting to see a popup requesting a certificate, but nothing happens.
It seems like the annotations have no effect in the ingress definition.
Can someone tell me what's going wrong in my ingress definition?
I'm using Nginx Ingress 0.15.0 and Kubernetes 1.10.5.
First of all, you are missing the secret with the SSL files issued for your domain (if we are talking about native k8s secret management). Your secret should be created by:
kubectl --namespace bdf-opengie-test create secret tls <secret_name> --key <key_path> --cert <cert_path>
Then your Ingress .yml file should contain this secret:
...
tls:
  - hosts:
      - keycloak-opengie-test-ssl.<domain>
    secretName: <secret_name>
Only after this can you think about any annotations for auth or anything else which is not working.
Note: the secret is a namespaced object.
ingress:
  hostname: id.login.example.com
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: "more_clear_input_headers \"x-forwarded-client-cert\";\n more_set_input_headers \"x-forwarded-client-cert: $ssl_client_cert\";\n"
    nginx.ingress.kubernetes.io/server-snippet: |
      ssl_verify_client on;
      ssl_client_certificate /etc/nginx/truststore-development.crt;
      ssl_verify_depth 2;
      ssl_session_cache off;
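The server-snippet above makes nginx verify the client certificate against the truststore, and the configuration-snippet clears any incoming x-forwarded-client-cert header before setting it from `$ssl_client_cert`, so the upstream never sees a client-supplied copy. The backend still has to treat that header as trustworthy only when the request really came through the ingress, since anyone who can reach the pod directly can send the header themselves. The following is an added example, not from either answer: a minimal WSGI backend in Python that honours the header only from a configured proxy range (an assumed pod CIDR, stated as such in the code), rebuilds a normal PEM from nginx's `$ssl_client_cert` layout (every line after the first is prefixed with a tab), and derives a SHA-256 fingerprint of the certificate for logging or allow-listing. The certificate bytes are a constructed stand-in, not a real X.509 certificate; a network policy restricting who may reach the backend belongs alongside this check.

```python
import base64
import hashlib
import ipaddress
import re

# Assumption (constructed): the ingress-nginx pods reach this backend from the pod CIDR below.
TRUSTED_PROXIES = [ipaddress.ip_network("10.244.0.0/16")]
# WSGI environ key for the x-forwarded-client-cert header set by the snippet above.
CERT_HEADER = "HTTP_X_FORWARDED_CLIENT_CERT"


def unfold_nginx_pem(value):
    """nginx's $ssl_client_cert emits PEM with every line after the first prefixed by a
    tab; the HTTP layer may turn those breaks into header folds. Rebuild a normal PEM."""
    lines = [ln.strip(" \t") for ln in value.replace("\t", "\n").split("\n")]
    return "\n".join(ln for ln in lines if ln) + "\n"


def cert_fingerprint(pem):
    """SHA-256 hex digest of the DER inside a single CERTIFICATE PEM block, or None."""
    m = re.fullmatch(r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)"
                     r"-----END CERTIFICATE-----\n?", pem)
    if m is None:
        return None
    try:
        der = base64.b64decode(m.group(1))
    except ValueError:
        return None
    return hashlib.sha256(der).hexdigest()


def forwarded_client_cert(environ):
    """Return (fingerprint, reason). The header is honoured only from a trusted proxy,
    because any client that reaches the pod directly could send it too."""
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None, f"peer {peer} is not a trusted proxy; forwarded client cert ignored"
    raw = environ.get(CERT_HEADER)
    if not raw:
        return None, "no client certificate forwarded"
    fp = cert_fingerprint(unfold_nginx_pem(raw))
    if fp is None:
        return None, "forwarded client certificate is not a well-formed PEM block"
    return fp, "ok"


def app(environ, start_response):
    """Minimal WSGI app: 403 unless a verified client certificate was forwarded."""
    fp, reason = forwarded_client_cert(environ)
    if fp is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [reason.encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"client certificate sha256={fp}\n".encode()]


def call(environ):
    """Invoke `app` directly and return (status, body); used by the demo and tests."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


# Constructed stand-in certificate: a 5-byte DER SEQUENCE, not a real X.509 certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode()
            + "\n-----END CERTIFICATE-----\n")
# The same PEM as $ssl_client_cert renders it: a tab before every line but the first.
NGINX_HEADER_VALUE = "\n\t".join(FAKE_PEM.strip().split("\n"))

if __name__ == "__main__":
    print(call({"REMOTE_ADDR": "10.244.3.7", CERT_HEADER: NGINX_HEADER_VALUE}))
    print(call({"REMOTE_ADDR": "203.0.113.9", CERT_HEADER: NGINX_HEADER_VALUE}))
    print(call({"REMOTE_ADDR": "10.244.3.7"}))
```

In a real deployment the fingerprint (or the subject, once parsed with a proper X.509 library) is what you compare against the identities you expect; the point of the structure is that the comparison only ever runs on a certificate nginx itself verified and forwarded.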