Closed craph closed 3 years ago
@craph could you share how you created your awx-certificate secret?
kubectl describe secret awx-certificate
When you inspect the ingress object, do you see the tls.secretName specified?
$ kubectl describe ingress awx-demo-ingress
$ kubectl get ingress -o yaml awx-demo-ingress
If you see it there, check the ingress controller configuration as well. Depending on the ingress configuration, sometimes if you have a different namespace, you will see this kind of behavior.
You need to create a secret like this and assign it to your ingress rule. Cluster needs to have an Ingress controller configured for the ingress to work as well.
Sounds like this is a config error? Please let us know if this is a real bug and we'll reopen.
@shanemcd Sorry to answer this very late. Can you reopen this issue please ?
ie : When I deploy AWX it's on a dedicated namespace "awx".
@tchellomello I create the awx-certificate in Rancher -> Certificates -> add certificates
I added the domain : awx.10.81.110.118.nip.io and add my certificate.
kubectl describe secret awx-certificate
Name: awx-certificate
Namespace: default
Labels: <none>
Annotations: field.cattle.io/algorithm: RSA
field.cattle.io/certFingerprint: B7:60:30:B5:74:AF:ED:59:04:90:AF:B5:9B:AF:39:45:7F:AA:2D:8C
field.cattle.io/cn: myserver.mydomain.com
field.cattle.io/creatorId: u-azefdsfs
field.cattle.io/expiresAt: 2023-01-11T11:51:53Z
field.cattle.io/issuedAt: 2021-01-11T11:51:53Z
field.cattle.io/issuer: Company SubCA
field.cattle.io/keySize: 256
field.cattle.io/projectId: c-s6x5j:p-bc8xc
field.cattle.io/serialNumber: 557521034399410790640932465229759350743437541
field.cattle.io/subjectAlternativeNames: ["*.mydomain.com","myserver.mydomain.com"]
field.cattle.io/version: 3
lifecycle.cattle.io/create.secretsController_c-s6x5j: true
secret.user.cattle.io/secret: true
Type: kubernetes.io/tls
Data
====
tls.crt: 2861 bytes
tls.key: 1703 bytes
Here is the output for the ingress
kubectl describe ingress awx-demo-ingress -n awx
Name: awx-demo-ingress
Namespace: awx
Address: 10.81.110.108,10.81.110.118
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
awx-certificate terminates awx.10.81.110.118.nip.io
Rules:
Host Path Backends
---- ---- --------
awx.10.81.110.118.nip.io
/ awx-demo-service:80 (10.42.4.108:8052)
Annotations: field.cattle.io/publicEndpoints:
[{"addresses":["10.81.110.108"],"port":443,"protocol":"HTTPS","serviceName":"awx:awx-demo-service","ingressName":"awx:awx-demo-ingress","h...
Events: <none>
kubectl get ingress -o yaml awx-demo-ingress -n awx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: '[{"addresses":["10.81.110.108"],"port":443,"protocol":"HTTPS","serviceName":"awx:awx-demo-service","ingressName":"awx:awx-demo-ingress","hostname":"awx.10.81.110.118.nip.io","path":"/","allNodes":true}]'
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"labels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx-demo","app.kubernetes.io/operator-version":"0.10.0","app.kubernetes.io/part-of":"awx-demo"},"name":"awx-demo-ingress","namespace":"awx"},"spec":{"rules":[{"host":"awx.10.81.110.118.nip.io","http":{"paths":[{"backend":{"serviceName":"awx-demo-service","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["awx.10.81.110.118.nip.io"],"secretName":"awx-certificate"}]}}'
  creationTimestamp: "2021-06-15T16:49:56Z"
  generation: 1
  labels:
    app.kubernetes.io/component: awx
    app.kubernetes.io/managed-by: awx-operator
    app.kubernetes.io/name: awx-demo
    app.kubernetes.io/operator-version: 0.10.0
    app.kubernetes.io/part-of: awx-demo
  managedFields:
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/operator-version: {}
          f:app.kubernetes.io/part-of: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"c8676e8a-5d15-47ec-a59d-1b51e3ac72d2"}:
            .: {}
            f:apiVersion: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:rules: {}
        f:tls: {}
    manager: Swagger-Codegen
    operation: Update
    time: "2021-06-15T16:49:56Z"
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2021-06-15T16:50:38Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:field.cattle.io/publicEndpoints: {}
    manager: rancher
    operation: Update
    time: "2021-06-15T16:50:38Z"
  name: awx-demo-ingress
  namespace: awx
  ownerReferences:
  - apiVersion: awx.ansible.com/v1beta1
    kind: AWX
    name: awx-demo
    uid: c8676e8a-5d15-47ec-a59d-1b51e3ac72d2
  resourceVersion: "32532468"
  uid: bb2c53fb-19a4-455e-842a-b75f04f1b997
spec:
  rules:
  - host: awx.10.81.110.118.nip.io
    http:
      paths:
      - backend:
          service:
            name: awx-demo-service
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - awx.10.81.110.118.nip.io
    secretName: awx-certificate
status:
  loadBalancer:
    ingress:
    - ip: 10.81.110.108
    - ip: 10.81.110.118
When I inspect the certificate I see :
Now it says that the certificate is untrusted. I think I missed something ?
Can you help me ?
Thank you. Best regards,
I created from scratch a new ingress in rancher with the name : awx-demo3.10.81.110.118.nip.io with the dedicated certificate and I always see : Kubernetes Ingress Controller Fake Certificate
curl -Ivk https://awx-demo3.10.81.110.118.nip.io/
* About to connect() to awx-demo3.10.81.110.118.nip.io port 443 (#0)
* Trying 10.81.110.118...
* Connected to awx-demo3.10.81.110.118.nip.io (10.81.110.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
* start date: Sep 20 01:24:39 2021 GMT
* expire date: Sep 20 01:24:39 2022 GMT
* common name: Kubernetes Ingress Controller Fake Certificate
* issuer: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
I'm running into the same issue where there's no good documentation on adding a cert for awx deployments. I'm not sure if this is still an issue for you because it's been stale for a couple of years now, but it looks to me like you're using the rancher certificate manager and it looks like it's decided to use a self-signed (fake) cert.
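Added example, not part of the thread and not code from the AWX operator or Rancher: a check for the two conditions the outputs above expose, namely that an Ingress only resolves tls.secretName inside its own namespace, and that the certificate names must cover the ingress host. It assumes objects shaped like `kubectl get ... -o json` output and reads SANs from the Rancher annotation shown in the thread instead of parsing tls.crt; the function names and sample objects are constructed for illustration.

```python
import json

SAN_ANNOTATION = "field.cattle.io/subjectAlternativeNames"  # Rancher annotation seen in the thread

def san_covers(san, host):
    """True if a certificate name covers host; '*' stands for exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def check_ingress_tls(ingress, secrets):
    """Return findings explaining why an ingress would not serve its own certificate."""
    ns = ingress["metadata"]["namespace"]
    index = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for tls in ingress["spec"].get("tls", []):
        name = tls.get("secretName")
        secret = index.get((ns, name))  # lookup is scoped to the ingress namespace
        if secret is None:
            others = sorted(n for n, nm in index if nm == name)
            where = f"; same name exists in: {', '.join(others)}" if others else ""
            findings.append(f"secret {name} not found in namespace {ns}{where}")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {name} has type {secret.get('type')}")
        raw = secret["metadata"].get("annotations", {}).get(SAN_ANNOTATION, "[]")
        sans = json.loads(raw)
        for host in tls.get("hosts", []):
            if not any(san_covers(s, host) for s in sans):
                findings.append(f"host {host} not covered by SANs {sans}")
    return findings

def make_secret(namespace):
    """Constructed sample mirroring the secret shown in the thread."""
    return {"type": "kubernetes.io/tls",
            "metadata": {"name": "awx-certificate", "namespace": namespace,
                         "annotations": {SAN_ANNOTATION:
                                         '["*.mydomain.com","myserver.mydomain.com"]'}}}

# Constructed sample mirroring the ingress shown in the thread.
INGRESS = {"metadata": {"name": "awx-demo-ingress", "namespace": "awx"},
           "spec": {"tls": [{"hosts": ["awx.10.81.110.118.nip.io"],
                             "secretName": "awx-certificate"}]}}

if __name__ == "__main__":
    for label, ns in (("as posted", "default"), ("secret copied to awx", "awx")):
        print(label, "->", check_ingress_tls(INGRESS, [make_secret(ns)]))
```

With the values as posted, the first run reports the namespace mismatch (secret in default, ingress in awx); the second shows that the same secret placed in awx would still not cover the nip.io host with the SANs listed in the annotation.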
ISSUE TYPE
SUMMARY
I'm unable to configure correctly the ingress for HTTPS in AWX.
What am I doing wrong ?
ENVIRONMENT
STEPS TO REPRODUCE
kubectl apply -f myfile
EXPECTED RESULTS
I want to be able to configure Ingress to use my tls secret configured in rancher and applied to my awx instance.
ACTUAL RESULTS
In my browser when I go to https://awx.10.81.110.118.nip.io and check the certificate I don't see mine BUT I see
ADDITIONAL INFORMATION
I don't know if my issue is linked to this one : https://github.com/ansible/awx-operator/issues/376
AWX-OPERATOR LOGS