All,
I followed this tutorial: https://github.com/ahmetb/gke-letsencrypt.
I have an ingress setup for kubernetes in Google Cloud, I have a static IP address and the secrets are created.
This is my ingress config:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: helloweb
annotations:
kubernetes.io/ingress.global-static-ip-name: helloweb-ip
certmanager.k8s.io/acme-http01-edit-in-place: "true"
labels:
app: hello
spec:
backend:
serviceName: helloweb-backend
servicePort: 8080
tls:
- secretName: dogs-com-tls
hosts:
- app-solidair-vlaanderen.com
I can access http://app-solidair-vlaanderen.com, but not the https url.
If I call describe ingress I get this output:
Name: helloweb
Namespace: default
Address: 35.190.68.173
Default backend: helloweb-backend:8080 (10.32.0.17:8080)
TLS:
dogs-com-tls terminates app-solidair-vlaanderen.com
Rules:
Host Path Backends
---- ---- --------
app-solidair-vlaanderen.com
/.well-known/acme-challenge/Q8kcFSZ0ZUJO58xZyVbK6s-cJIWu-EgwPcDd8NFyoXQ cm-acme-http-solver-mhqnf:8089 (<none>)
Annotations:
url-map: k8s-um-default-helloweb--17a833239f9491d9
backends: {"k8s-be-30819--17a833239f9491d9":"Unknown","k8s-be-32482--17a833239f9491d9":"HEALTHY"}
forwarding-rule: k8s-fw-default-helloweb--17a833239f9491d9
target-proxy: k8s-tp-default-helloweb--17a833239f9491d9
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ADD 45m loadbalancer-controller default/helloweb
Normal CREATE 44m loadbalancer-controller ip: 35.190.68.173
Warning Sync 7m (x22 over 28m) loadbalancer-controller Error during sync: error while evaluating the ingress spec: could not find service "default/cm-acme-http-solver-mhqnf"
Does someone know what I'm missing?
You have some mess up in your ingress definition, why the hosts is under the tls?
Here is an example that is working for me:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ .Values.ingressName }}-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: {{ .Values.staticIpName }}-static-ip
kubernetes.io/ingress.allow-http: "false"
labels:
...
spec:
tls:
- secretName: sslcerts
rules:
- host: {{ .Values.restApiHost }}
http:
paths:
- backend:
serviceName: rest-api-internal-service
servicePort: 80
Related
I have configured a ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-cluster-issuer
spec:
acme:
email: <myemail>
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-cluster-issuer-key
solvers:
- http01:
ingress:
class: nginx
and An Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
kubernetes.io/ingress.class: nginx
name: web-ingress
namespace: default
spec:
rules:
- host: hostname
http:
paths:
- backend:
service:
name: web-service
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- hostname
secretName: web-cert-tls
I'm unable to get the configuration to run properly. This spawns a new ingress as follows
Name: cm-acme-http-solver-9nbh6
Labels: acme.cert-manager.io/http-domain=1234
acme.cert-manager.io/http-token=1234
acme.cert-manager.io/http01-solver=true
Namespace: default
Address: <IPAddress>
Ingress Class: <none>
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
hostname
/.well-known/acme-challenge/challengexyzxyzxyz-o cm-acme-http-solver-9dc8z:8089 (10.2.0.85:8089)
Annotations: kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 10m (x2 over 10m) nginx-ingress-controller Scheduled for sync
Here's the describe for Ingress which is applied by me
Name: web-ingress
Labels: app.kubernetes.io/instance=web-app
Namespace: default
Address: <IPAddress>
Ingress Class: <none>
Default backend: <default>
TLS:
web-cert-tls terminates hostname
Rules:
Host Path Backends
---- ---- --------
hostname
/ web-service:3000 (10.2.0.68:3000)
Annotations: acme.cert-manager.io/http01-edit-in-place: true
cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateCertificate 31m cert-manager-ingress-shim Successfully created Certificate "web-cert-tls"
Normal Sync 6m27s (x6 over 31m) nginx-ingress-controller Scheduled for sync
and when I check the cert-manager logs I find this error
E0905 10:09:04.617600 1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected \"challengexyzxyz.morestuffherexyzxyz\" but got: <html xml:lang=\"fr-FR\" l... (truncated)" "dnsName"="hostname.ovh" "resource_kind"="Challenge" "resource_name"="web-cert-tls-xtp2r-768063107-2100049723" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"
When I access hostname/.well-known/acme-challenge/challengexyzxyzxyz-o from browser
I'm getting the expected value.
When I access it from a pod I'm getting an html that says domain purchased page.
I've also tried to just apply the certificate without the Ingress
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: web-cert
namespace: default
spec:
dnsNames:
- hostname.ovh
secretName: web-cert-tls
issuerRef:
name: letsencrypt-cluster-issuer
kind: ClusterIssuer
I've also tried adding acme.cert-manager.io/http01-edit-in-place: "true" to Ingress object annotation, It didnt solve the problem either. ( It didnt spawn a new ingress that's all )
so I'm stuck at this stage of challenge
Type: HTTP-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/12134567898/Fmasf
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "challengexyzxyzxyz-o.challengexyzxyzxyz-o" but got: <html xml:lang="fr-FR" l... (truncated)
State: pending
dnsPolicy: "None"
dnsConfig:
nameservers:
- 8.8.8.8
- 8.8.4.4
Setting this config for cert-manager worked out.
It was dnsPolicy: ClusterFirst And it somehow was pointing to dns provider's website saying congrats on purchase.
Turns out that, it also can be a propagation delay for the dns that's local to the k8s provider. In my case the delay was more than 24h. Once the nameserver was updated I could revert this change and still got it to work.
I run the ingress controller and put one annotation for round_robin algorithm to run. but seems there is no event run there. is it ok if no event in my ingress description? what event indicates there?
# kubectl describe ingress -n ingress
Name: nginx-ingress
Namespace: ingress
Address: 192.168.10.10,192.168.10.45
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
website.com
/ website1:80 (10.42.0.139:80,10.42.1.223:80,10.42.2.98:80 + 1 more...)
/website2 website2:80 (10.42.0.140:80,10.42.1.232:80,10.42.2.74:80 + 1 more...)
/website3 website3:80 (10.42.0.141:80,10.42.1.215:80,10.42.2.58:80 + 1 more...)
Annotations: nginx.ingress.kubernetes.io/load-balance: round_robin
Events: <none>
I deploy my ingress with this bro, and I have my ingress class. update 1.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
namespace: ingress
annotations:
nginx.ingress.kubernetes.io/load-balance: ewma
spec:
ingressClassName: nginx
rules:
- host: service.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: service1
port:
number: 80
- path: /service2
pathType: Prefix
backend:
service:
name: service2
port:
number: 80
- path: /service3
pathType: Prefix
backend:
service:
name: service3
port:
number: 80
with another annotation i get the event in my ingress
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 25m (x4 over 113m) nginx-ingress-controller Scheduled for sync
Normal Sync 22m (x39 over 7d2h) nginx-ingress-controller Scheduled for sync
Normal Sync 22m (x41 over 7d2h) nginx-ingress-controller Scheduled for sync
Normal Sync 22m (x22 over 5d10h) nginx-ingress-controller Scheduled for sync
Normal Sync 8m42s (x2 over 9m21s) nginx-ingress-controller Scheduled for sync
# kubectl describe ingress -n ingress
Name: nginx-ingress
Namespace: ingress
Address: 192.168.10.10,192.168.10.45
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
website1.com
/ nginx-deployment:80 (10.42.0.222:80,10.42.1.32:80,10.42.2.155:80 + 1 more...)
/website2 nginx-video:80 (10.42.0.220:80,10.42.1.30:80,10.42.2.153:80 + 1 more...)
/website3 nginx-document:80 (10.42.0.221:80,10.42.1.31:80,10.42.2.154:80 + 1 more...)
Annotations: nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/session-cookie-expires: 172800
nginx.ingress.kubernetes.io/session-cookie-max-age: 172800
nginx.ingress.kubernetes.io/session-cookie-name: route
nginx.ingress.kubernetes.io/upstream-hash-by: ewma
Events: <none>
This means your cluster has no ingress controller installed. When there's a ingress controller (such as ingress-nginx) installed in your cluster, a series of events will triggered to process your ingress request. These events will show in your describe command.
If you do have ingress controller but it is not registered as the default ingress class for your cluster, you can add the annotation kubernetes.io/ingress.class: <name of your IngressClass, example "nginx"> to your ingress spec or:
apiVersion: networking.k8s.io/v1
kind: Ingress
...
spec:
ingressClassName: <name of your IngressClass, example "nginx">
...
in fact, the sync is not always displayed. when we do changes at the beginning the ingress controller does sync. However, after some time the sync will stop automatically.
I'm currently setting up a web app using google cloud platform but I ran into an issue while deploying with the GKE ingress controller.
I'm unable to access the app using my sub domain name. The page is showing this message:
502 Server Error
Error: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
Despite having configured an health check the ingress seems to still not respond properly.
In the meantime my SSL certificate is working properly for my subdomain name.
This is my ingress configuration:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: frontend-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: "myapp-static-addr"
networking.gke.io/v1beta1.FrontendConfig: "frontend-ingress-config"
spec:
rules:
- host: test.myapp.com
http:
paths:
- path: /
backend:
serviceName: frontend-service
servicePort: 3333
tls:
- secretName: stage-ssl"
and this is my service:
apiVersion: v1
kind: Service
metadata:
name: frontend-service
namespace: default
annotations:
cloud.google.com/backend-config: '{"default": "frontend-config"}'
spec:
type: NodePort
selector:
app: frontend-server
ports:
- port: 3333
protocol: TCP
targetPort: 3000
and finally my deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend-deployment
labels:
app: frontend-server
spec:
replicas: 1
selector:
matchLabels:
app: frontend-server
template:
metadata:
labels:
app: frontend-server
spec:
containers:
- name: client-ssr
image: eu.gcr.io/myapp-test/client-ssr
ports:
- name: client-port
containerPort: 3000
resources:
requests:
cpu: "0.35"
limits:
cpu: "0.55"
env:
- name: CONFIG_ENV
value: "STAGE"
imagePullPolicy: Always
volumeMounts:
- name: certificate
mountPath: "/etc/certificate"
readOnly: true
volumes:
- name: certificate
secret:
secretName: stage-ssl
And this in the ingress describe:
Name: frontend-ingress
Namespace: default
Address: 34.106.6.15
Default backend: default-http-backend:80 (10.26.31.88:8080)
TLS:
stage-ssl terminates
Rules:
Host Path Backends
---- ---- --------
test.myapp.com
/ frontend-service:3333 (10.22.46.111:3000)
Annotations:
kubernetes.io/ingress.global-static-ip-name: myapp-static-addr
ingress.kubernetes.io/backends: {"k8s-be-32171--41df3ab30d90ff92":"HEALTHY","k8s1-41df3ab3-default-frontend-service-3333-5186e808":"HEALTHY"}
ingress.kubernetes.io/forwarding-rule: k8s2-fr-opm63ww1-default-frontend-ingress-8gn6ll7p
ingress.kubernetes.io/https-forwarding-rule: k8s2-fs-opm63ww1-default-frontend-ingress-8gn6ll7p
ingress.kubernetes.io/redirect-url-map: k8s2-rm-opm63ww1-default-frontend-ingress-8gn6ll7p
ingress.kubernetes.io/ssl-cert: k8s2-cr-opm63ww1-f42czv69pq6f2emd-5bd4c7395be5bd4e
ingress.kubernetes.io/https-target-proxy: k8s2-ts-opm63ww1-default-frontend-ingress-8gn6ll7p
ingress.kubernetes.io/target-proxy: k8s2-tp-opm63ww1-default-frontend-ingress-8gn6ll7p
ingress.kubernetes.io/url-map: k8s2-um-opm63ww1-default-frontend-ingress-8gn6ll7p
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"networking.k8s.io/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.global-static-ip-name":"myapp-static-addr","networking.gke.io/v1beta1.FrontendConfig":"frontend-ingress-config"},"name":"frontend-ingress","namespace":"default"},"spec":{"rules":[{"host":"test.myapp.com","http":{"paths":[{"backend":{"serviceName":"frontend-service","servicePort":3333},"path":"/"}]}}],"tls":[{"secretName":"stage-ssl"}]}}
networking.gke.io/v1beta1.FrontendConfig: frontend-ingress-config
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 18m loadbalancer-controller UrlMap "k8s2-um-opm63ww1-default-frontend-ingress-8gn6ll7p" created
Normal Sync 18m loadbalancer-controller TargetProxy "k8s2-tp-opm63ww1-default-frontend-ingress-8gn6ll7p" created
Normal Sync 18m loadbalancer-controller ForwardingRule "k8s2-fr-opm63ww1-default-frontend-ingress-8gn6ll7p" created
Normal Sync 18m loadbalancer-controller TargetProxy "k8s2-ts-opm63ww1-default-frontend-ingress-8gn6ll7p" created
Normal IPChanged 18m loadbalancer-controller IP is now 34.106.6.15
Normal Sync 18m loadbalancer-controller ForwardingRule "k8s2-fs-opm63ww1-default-frontend-ingress-8gn6ll7p" created
Normal Sync 16m loadbalancer-controller UrlMap "k8s2-um-opm63ww1-default-frontend-ingress-8gn6ll7p" updated
Normal Sync 16m loadbalancer-controller TargetProxy "k8s2-tp-opm63ww1-default-frontend-ingress-8gn6ll7p" updated
Normal Sync 2m18s (x8 over 19m) loadbalancer-controller Scheduled for sync
How can I make my web app working ?
Thank You in advance.
I believe GCE Ingress must have defaultBackend apparently, see my question Is defaultBackend mandatory for Ingress (gce)?
I have deployed an app with Google Kubernetes Engine. All function works perfectly but I have a strange problem. If I check the status in Google cloud console the ingress is always in creating phase.
You can see it in image:
Have you some suggestion to resolve it?
Thanks
[EDIT]
kubectl describe ingress:
Name: ++++++-nginx-ingress
Namespace: ++++++
Address:
Default backend: default-http-backend:80 (10.4.0.4:8080)
Rules:
Host Path Backends
---- ---- --------
++++++-back.*******.net
++++++-nginx-np:80 (<none>)
++++++.*******.net
++++++-front-np:80 (<none>)
Annotations:
ingress.kubernetes.io/backends: {"k8s-be-30141--93abcf3e6a0e0671":"HEALTHY","k8s-be-32338--93abcf3e6a0e0671":"HEALTHY","k8s-be-32589--93abcf3e6a0e0671":"HEALTHY"}
ingress.kubernetes.io/url-map: k8s-um-++++++-++++++-nginx-ingress--93abcf3e6a0e0671
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.allow-http":"false","kubernetes.io/ingress.global-static-ip-name":"++++++-nginx-ingress-ip"},"labels":{"app":"++++++-nginx-ingress"},"name":"++++++-nginx-ingress","namespace":"++++++"},"spec":{"rules":[{"host":"++++++-back.*******.net","http":{"paths":[{"backend":{"serviceName":"++++++-nginx-np","servicePort":80}}]}},{"host":"++++++.*******.net","http":{"paths":[{"backend":{"serviceName":"++++++-front-np","servicePort":80}}]}}]}}
kubernetes.io/ingress.allow-http: false
kubernetes.io/ingress.global-static-ip-name: ++++++-nginx-ingress-ip
Events:
<none>
YAML file:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ++++++-nginx-ingress
labels:
app: ++++++-nginx-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: ++++++-nginx-ingress-ip
kubernetes.io/ingress.allow-http: "false"
namespace: ++++++
spec:
rules:
- host: ++++++-back.++++++.net
http:
paths:
- backend:
serviceName: ++++++-nginx-np
servicePort: 80
- host: ++++++.++++++.net
http:
paths:
- backend:
serviceName: ++++++-front-np
servicePort: 80
Checking your output I can see that the loadbalncer is not created or not getting your static IP ++++++-nginx-ingress-ip normally after the Spec.Backend
status:
loadBalancer:
ingress:
- ip: xx.xx.xx.xx
On thing the Annotation kubernetes.io/ingress.allow-http: "false" is used when TLS for the ingress is configured.
Another thing you may check if the Add-on for L7 HTTP load balancing is Enabled by default when creating the cluster is enabled
I'm trying to create an ingress within minikube. I have already enabled the ingress add on and checked all the associated services and pods have been added and are running.
When I create the ingress I point it to a service.NodePort that is in the same namespace as the ingress. But when I describe the ingress the backend IP address is <none>
This is my deployment yaml
apiVersion: v1
kind: Namespace
metadata:
name: proxy
labels:
name: proxy
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: deployment
namespace: proxy
labels:
app: proxy
spec:
replicas: 1
template:
metadata:
labels:
app: proxy
spec:
containers:
- name: proxy
image: wildapplications/proxy:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
imagePullSecrets:
- name: regsecret
---
apiVersion: v1
kind: Service
metadata:
name: service
namespace: proxy
spec:
type: NodePort
ports:
- port: 8080
targetPort: 8080
selector:
app: proxy
externalName: proxy
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: proxy
annotations:
ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: echo.example.com
http:
paths:
- path: /test
backend:
serviceName: service
servicePort: 8080
when I describe the ingress I get
Name: ingress
Namespace: proxy
Address: 192.168.99.100
Default backend: default-http-backend:80 (172.17.0.14:8080)
Rules:
Host Path Backends
---- ---- --------
echo.example.com
/test service:8080 (<none>)
Annotations:
rewrite-target: /
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 16m ingress-controller Ingress proxy/ingress
Normal CREATE 15m ingress-controller Ingress proxy/ingress
Normal UPDATE 15m ingress-controller Ingress proxy/ingress
Is there anything glaringly obvious as to why the ingress isnt resolving the backend specified to the service created directly above it?
I found the solution to my question so i'll post just in case someone else comes across something similar.
I was trying to access the ingress through my minikube ip address (minikube ip to get the ip), this was providing a 404 because I was not using the host to navigate to it.
To solve the 404 I executed
echo "$(minikube ip) echo.example.com" | sudo tee -a /etc/hosts
and then from there navigating to the host url in my browser.