ansible / awx-operator

An Ansible AWX operator for Kubernetes built with Operator SDK and Ansible. 🤖
https://www.github.com/ansible/awx
Apache License 2.0

Ingress TLS not working (K8S rancher) #399

Closed craph closed 3 years ago

craph commented 3 years ago
ISSUE TYPE
SUMMARY

I'm unable to configure correctly the ingress for HTTPS in AWX.

What am I doing wrong?

ENVIRONMENT
STEPS TO REPRODUCE
  1. Create a secret certificate that contains the private key and certificate with the name "awx-certificate" (I'm using a certificate issued by my enterprise CA / custom CA)
  2. Create this yaml file:
    ---
    apiVersion: awx.ansible.com/v1beta1
    kind: AWX
    metadata:
      name: awx-demo
    spec:
      ingress_type: ingress
      ingress_tls_secret: awx-certificate
      hostname: awx.10.81.110.118.nip.io
      postgres_storage_class: longhorn
  3. Run kubectl apply -f myfile
EXPECTED RESULTS

I want to be able to configure Ingress to use my tls secret configured in rancher and applied to my awx instance.

ACTUAL RESULTS

In my browser when I go to https://awx.10.81.110.118.nip.io and check the certificate I don't see mine BUT I see [image]

ADDITIONAL INFORMATION

I don't know if my issue is linked to this one: https://github.com/ansible/awx-operator/issues/376

AWX-OPERATOR LOGS
tchellomello commented 3 years ago

@craph could you share how you created your awx-certificate secret?

kubectl describe secret awx-certificate

When you inspect the ingress object, do you see the tls.secretName specified?

$ kubectl describe ingress awx-demo-ingress
$ kubectl get ingress -o yaml awx-demo-ingress

If you see it there, check the ingress controller configuration as well. Depending on the ingress configuration, sometimes if you have a different namespace, you will see this kind of behavior.

felipe4334 commented 3 years ago

You need to create a secret like this and assign it to your ingress rule. Cluster needs to have an Ingress controller configured for the ingress to work as well. [image]

shanemcd commented 3 years ago

Sounds like this is a config error? Please let us know if this is a real bug and we'll reopen.

craph commented 3 years ago

@shanemcd Sorry to answer this very late. Can you reopen this issue please?

i.e.: When I deploy AWX it's in a dedicated namespace "awx".

@tchellomello I created the awx-certificate in Rancher -> Certificates -> Add certificates. I added the domain awx.10.81.110.118.nip.io and added my certificate.

kubectl describe secret awx-certificate
Name:         awx-certificate
Namespace:    default
Labels:       <none>
Annotations:  field.cattle.io/algorithm: RSA
              field.cattle.io/certFingerprint: B7:60:30:B5:74:AF:ED:59:04:90:AF:B5:9B:AF:39:45:7F:AA:2D:8C
              field.cattle.io/cn: myserver.mydomain.com
              field.cattle.io/creatorId: u-azefdsfs
              field.cattle.io/expiresAt: 2023-01-11T11:51:53Z
              field.cattle.io/issuedAt: 2021-01-11T11:51:53Z
              field.cattle.io/issuer: Company SubCA
              field.cattle.io/keySize: 256
              field.cattle.io/projectId: c-s6x5j:p-bc8xc
              field.cattle.io/serialNumber: 557521034399410790640932465229759350743437541
              field.cattle.io/subjectAlternativeNames: ["*.mydomain.com","myserver.mydomain.com"]
              field.cattle.io/version: 3
              lifecycle.cattle.io/create.secretsController_c-s6x5j: true
              secret.user.cattle.io/secret: true

Type:  kubernetes.io/tls

Data
====
tls.crt:  2861 bytes
tls.key:  1703 bytes

Here is the output for the ingress

kubectl describe ingress awx-demo-ingress -n awx
Name:             awx-demo-ingress
Namespace:        awx
Address:          10.81.110.108,10.81.110.118
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  awx-certificate terminates awx.10.81.110.118.nip.io
Rules:
  Host                      Path  Backends
  ----                      ----  --------
  awx.10.81.110.118.nip.io
                            /   awx-demo-service:80 (10.42.4.108:8052)
Annotations:                field.cattle.io/publicEndpoints:
                              [{"addresses":["10.81.110.108"],"port":443,"protocol":"HTTPS","serviceName":"awx:awx-demo-service","ingressName":"awx:awx-demo-ingress","h...
Events:                     <none>
kubectl get ingress -o yaml awx-demo-ingress -n awx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: '[{"addresses":["10.81.110.108"],"port":443,"protocol":"HTTPS","serviceName":"awx:awx-demo-service","ingressName":"awx:awx-demo-ingress","hostname":"awx.10.81.110.118.nip.io","path":"/","allNodes":true}]'
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"labels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx-demo","app.kubernetes.io/operator-version":"0.10.0","app.kubernetes.io/part-of":"awx-demo"},"name":"awx-demo-ingress","namespace":"awx"},"spec":{"rules":[{"host":"awx.10.81.110.118.nip.io","http":{"paths":[{"backend":{"serviceName":"awx-demo-service","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["awx.10.81.110.118.nip.io"],"secretName":"awx-certificate"}]}}'
  creationTimestamp: "2021-06-15T16:49:56Z"
  generation: 1
  labels:
    app.kubernetes.io/component: awx
    app.kubernetes.io/managed-by: awx-operator
    app.kubernetes.io/name: awx-demo
    app.kubernetes.io/operator-version: 0.10.0
    app.kubernetes.io/part-of: awx-demo
  managedFields:
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/operator-version: {}
          f:app.kubernetes.io/part-of: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"c8676e8a-5d15-47ec-a59d-1b51e3ac72d2"}:
            .: {}
            f:apiVersion: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:rules: {}
        f:tls: {}
    manager: Swagger-Codegen
    operation: Update
    time: "2021-06-15T16:49:56Z"
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2021-06-15T16:50:38Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:field.cattle.io/publicEndpoints: {}
    manager: rancher
    operation: Update
    time: "2021-06-15T16:50:38Z"
  name: awx-demo-ingress
  namespace: awx
  ownerReferences:
  - apiVersion: awx.ansible.com/v1beta1
    kind: AWX
    name: awx-demo
    uid: c8676e8a-5d15-47ec-a59d-1b51e3ac72d2
  resourceVersion: "32532468"
  uid: bb2c53fb-19a4-455e-842a-b75f04f1b997
spec:
  rules:
  - host: awx.10.81.110.118.nip.io
    http:
      paths:
      - backend:
          service:
            name: awx-demo-service
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - awx.10.81.110.118.nip.io
    secretName: awx-certificate
status:
  loadBalancer:
    ingress:
    - ip: 10.81.110.108
    - ip: 10.81.110.118

When I inspect the certificate I see: [image]

Now it says that the certificate is untrusted. I think I missed something?

Can you help me?

Thank you. Best regards,

craph commented 3 years ago

I created from scratch a new ingress in rancher with the name awx-demo3.10.81.110.118.nip.io with the dedicated certificate and I always see: Kubernetes Ingress Controller Fake Certificate

curl -Ivk https://awx-demo3.10.81.110.118.nip.io/
* About to connect() to awx-demo3.10.81.110.118.nip.io port 443 (#0)
*   Trying 10.81.110.118...
* Connected to awx-demo3.10.81.110.118.nip.io (10.81.110.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
*       start date: Sep 20 01:24:39 2021 GMT
*       expire date: Sep 20 01:24:39 2022 GMT
*       common name: Kubernetes Ingress Controller Fake Certificate
*       issuer: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
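Added example (not code from the issue or from the awx-operator project): a small offline check that applies, to the kubectl output posted above, the two conditions ingress-nginx needs before it serves the configured certificate instead of its fallback "Kubernetes Ingress Controller Fake Certificate": the referenced Secret must exist in the Ingress's own namespace, and the certificate's SANs must cover the Ingress host. The sample data is constructed from the describe output in this thread (secret in `default`, Ingress in `awx`, SANs for `*.mydomain.com`); reading the SANs from Rancher's `field.cattle.io/subjectAlternativeNames` annotation rather than decoding `tls.crt` is a simplification assumed here.

```python
import json

# Constructed sample data, modelled on the kubectl output in this issue:
# the Ingress lives in namespace "awx", the Rancher-created TLS secret in "default".
INGRESS = {
    "metadata": {"name": "awx-demo-ingress", "namespace": "awx"},
    "spec": {"tls": [{"hosts": ["awx.10.81.110.118.nip.io"],
                      "secretName": "awx-certificate"}]},
}
SECRETS = [{  # trimmed items of `kubectl get secret -A -o json` (constructed)
    "metadata": {"name": "awx-certificate", "namespace": "default",
                 "annotations": {"field.cattle.io/subjectAlternativeNames":
                                 '["*.mydomain.com","myserver.mydomain.com"]'}},
    "type": "kubernetes.io/tls",
}]


def san_matches(san, host):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return san == host


def audit_ingress_tls(ingress, secrets):
    """Return findings that explain why ingress-nginx would fall back to its
    'Kubernetes Ingress Controller Fake Certificate' for this Ingress."""
    ns = ingress["metadata"]["namespace"]
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for entry in ingress["spec"].get("tls", []):
        name = entry["secretName"]
        secret = by_key.get((ns, name))
        if secret is None:  # an Ingress can only reference Secrets in its own namespace
            elsewhere = [k[0] for k in by_key if k[1] == name]
            findings.append(f"secret {name} not found in namespace {ns}"
                            + (f" (exists in: {', '.join(elsewhere)})" if elsewhere else ""))
            if not elsewhere:
                continue
            secret = by_key[(elsewhere[0], name)]  # still check the cert that was meant
        if secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {name} has type {secret.get('type')}, not kubernetes.io/tls")
        ann = secret["metadata"].get("annotations", {})
        sans = json.loads(ann.get("field.cattle.io/subjectAlternativeNames", "[]"))
        for host in entry.get("hosts", []):
            if not any(san_matches(s, host) for s in sans):
                findings.append(f"host {host} is not covered by certificate SANs {sans}")
    return findings
```

Run against the thread's data it reports both problems: the Secret is in the wrong namespace, and even a copy in `awx` would not match `awx.10.81.110.118.nip.io`, since the certificate was issued for `*.mydomain.com`.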
Keith-Nowosielski-SJSU commented 1 year ago

I'm running into the same issue where there's no good documentation on adding a cert for awx deployments. I'm not sure if this is still an issue for you because it's been stale for a couple of years now, but it looks to me like you're using the rancher certificate manager and it looks like it's decided to use a self-signed (fake) cert.