I am working on setting up an ingress-controller for my microk8s setup.

Minimal whoami-service is up and running:

```
microk8s kubectl describe service whoami
Name:              whoami
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          app=whoami
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.152.183.112
IPs:               10.152.183.112
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.1.76.35:80
Session Affinity:  None
Events:            <none>
```

Response via clusterIP working:

```
curl 10.152.183.112:80
Hostname: whoami-84f56668f5-g2j8j
IP: 127.0.0.1
IP: ::1
IP: 10.1.76.35
IP: fe80::90cb:25ff:fe3f:2fe7
RemoteAddr: 192.168.0.100:46568
GET / HTTP/1.1
Host: 10.152.183.112
User-Agent: curl/7.68.0
Accept: */*
```

I have now configured a minimal ingress.yaml as follows:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-ingress
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/cluster-issuer: "cert-manager"
spec:
  tls:
  - hosts:
    - www.example-domain.com
    secretName: demo-key
  rules:
  - host: www.example-domain.com
    http:
      paths:
      - path: /whoami
        pathType: Prefix
        backend:
          service:
            name: whoami
            port:
              number: 80
```

The ingress seems to be up and running.

```
Name:             whoami-ingress
Namespace:        default
Address:          127.0.0.1
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  demo-key terminates www.example-domain.com
Rules:
  Host              Path  Backends
  ----              ----  --------
  www.example-domain.com
                    /whoami   whoami:80 (10.1.76.35:80)
Annotations:        cert-manager.io/cluster-issuer: cert-manager
                    nginx.ingress.kubernetes.io/rewrite-target: /
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    22m (x2 over 22m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    15m                nginx-ingress-controller  Scheduled for sync
```

Pinging the domain works (so DNS resolution seems to work). But when checking the certificates, there aren't any.

```
microk8s kubectl get certificates
No resources found in default namespace.
```

Where did I go wrong? Shouldn't cert-manager.io take care of the certificate?

UPDATE: It was pointed out that I seem to lack a ClusterIssuer. I have now set one up according to the cert-manager docs using ACME:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cert-manager
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: mail@domain.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: demo-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
```

But again, no luck. I can reach my cluster from outside, but only without https. Still, `get certificates` shows the "No resources found" message. The certificate is classified as not trusted and is issued to "Kubernetes Ingress Controller Fake Certificate".

petwri
  • Some more information is needed. You probably have more problems. Is the microk8s cluster publicly available? Does the DNS entry resolve to a local or a public IP? Further, your ingress is missing an annotation to force TLS. Please check whether your ClusterIssuer exists and has the name cert-manager. – Manuel Dec 11 '21 at 16:25
  • Which version of microk8s are you using? Which version of cert-manager? – Manuel Dec 11 '21 at 16:33
  • Thanks for the reply. Since you asked: DNS resolving is public and works, whoami in microk8s can be accessed from outside, but without https. I think my biggest problem is that I have not set up a ClusterIssuer - I didn't realize this was explicitly required. – petwri Dec 12 '21 at 07:12
  • Did you try to delete and recreate the ingress? – Manuel Dec 12 '21 at 11:36
  • Just did that. Recreated service, clusterissuer and ingress, no change. – petwri Dec 12 '21 at 13:03
  • If you're sure your DNS is available for signing a certificate, then consider going through the whole chain of certificate issuing - please see [my answer - How it works (concept)](https://stackoverflow.com/a/69658229/15537201) and [certificate lifecycle](https://cert-manager.io/docs/concepts/certificate/#certificate-lifecycle) to get some idea of what happens and how. Hope this helps. If you find an issue, please update your question accordingly. – moonkotte Dec 13 '21 at 09:01
  • @petwri did it help? – Manuel Dec 13 '21 at 16:20
  • @petwri Also forgot to mention: check whether the secret `demo-key` is present. If so, try to delete the ingress and the secret, and re-apply the ingress rule. – moonkotte Dec 15 '21 at 09:03

0 Answers
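The comments above suggest going through the whole chain of certificate issuing. As an added example (not part of the original thread), this script walks that chain in one namespace and inspects the last stage that exists; `KUBECTL`, `NS` and the function names are assumptions of the example, while the resource kinds are cert-manager's own CRDs.

```shell
#!/usr/bin/env bash
# Added example: walk the cert-manager issuance chain for one namespace and
# report the first stage that has no objects.
# KUBECTL, NS and the function names are assumptions of this example.
KUBECTL="${KUBECTL:-microk8s kubectl}"
NS="${NS:-default}"

# A ClusterIssuer must exist; ingress-shim then creates the Certificate from the
# annotated Ingress, which leads to a CertificateRequest and an ACME Order.
STAGES="clusterissuers.cert-manager.io certificates.cert-manager.io
certificaterequests.cert-manager.io orders.acme.cert-manager.io"

# Number of objects of kind $1 (-n is ignored for cluster-scoped kinds).
count_kind() {
  $KUBECTL get "$1" -n "$NS" -o name 2>/dev/null | grep -c . || true
}

# Echo "<missing-kind> <previous-kind>" for the first empty stage,
# or "complete" when every stage has at least one object.
first_missing_stage() {
  local prev="ingress" kind
  for kind in $STAGES; do
    if [ "$(count_kind "$kind")" -eq 0 ]; then
      echo "$kind $prev"
      return 0
    fi
    prev="$kind"
  done
  echo "complete"
}

# Describe the last stage that exists; its events show where the chain stopped.
report() {
  local result missing prev
  result="$(first_missing_stage)"
  if [ "$result" = "complete" ]; then
    # Challenges exist only while validation is pending, so list them last.
    $KUBECTL get challenges.acme.cert-manager.io -n "$NS"
    $KUBECTL describe certificates.cert-manager.io -n "$NS"
    return 0
  fi
  missing="${result%% *}"; prev="${result##* }"
  echo "No $missing found; inspecting $prev for the reason:"
  $KUBECTL describe "$prev" -n "$NS"
}

# Run only when the kubectl wrapper is actually installed.
if command -v "${KUBECTL%% *}" >/dev/null 2>&1; then report; fi
```

Set `KUBECTL=kubectl` on clusters that do not use the microk8s wrapper, and `NS` to the namespace of the Ingress.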