civo / kube100

NOTE: This repo is no longer being maintained or monitored. If you are facing any issues, you could either create an issue on the other respective repos (if any) or directly reach out to us via civo.com

Express js example not working with letsencrypt #89

Open danielschlegel opened 3 years ago

danielschlegel commented 3 years ago

What I have done: I followed the guide here: https://www.civo.com/learn/get-a-tls-certificate-for-your-application-with-jetstack-s-cert-manager

cd /tmp
git clone https://github.com/alexellis/expressjs-k8s
cd expressjs-k8s
kubectl apply -f ./yaml/dep.yaml
kubectl apply -f ./yaml/svc.yaml

echo "apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: expressjs
  annotations:
    kubernetes.io/tls-acme: \"true\"
    cert-manager.io/issuer: letsencrypt-pro
    kubernetes.io/ingress.class: \"traefik\"
spec:
  tls:
  - hosts:
    - expressjs.example.com
    secretName: expressjs-secret
  rules:
  - host: expressjs.example.com
    http:
      paths:
      - backend:
          service:
            name: expressjs
            port:
              number: 8080
        path: /
        pathType: Prefix" > /tmp/expressjs-k8s/ingress.yml

kubectl apply -f /tmp/expressjs-k8s/ingress.yml

example.com is replaced on my local machine. Cert-manager is installed and the letsencrypt-pro issuer does exist on my cluster as a ClusterIssuer.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-pro"},"spec":{"acme":{"email":"devops@example.com","privateKeySecretRef":{"name":"letsencrypt-pro"},"server":"https://acme-v02.api.letsencrypt.org/directory","solvers":[{"http01":{"ingress":{"class":"traefik"}},"selector":{}}]}}}
  creationTimestamp: "2021-07-09T06:47:05Z"
  generation: 1
  name: letsencrypt-pro
  resourceVersion: "1012"
  uid: b93d1b59-f21b-4183-b6e8-f6386993ae0d
spec:
  acme:
    email: devops@example.com
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-pro
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik
      selector: {}
status:
  acme:
    lastRegisteredEmail: devops@example.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/129907932
  conditions:
  - lastTransitionTime: "2021-07-09T06:47:07Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready

I would expect this to work now, but I get errors in the traefik pod that the secret did not get found. As you see, the secret traefik is trying to find is exactly the one configured in the ingress. But the secret itself has an additional number in the name. I think that's why it does not get found. Looks like cert-manager is generating the secret with a "wrong" name or traefik does not search for it the right way.

{"level":"error","msg":"Error configuring TLS for ingress default/expressjs: secret default/expressjs-secret does not exist","time":"2021-07-09T07:10:52Z"}

# secret
expressjs-secret-qgxcm   Opaque                                1      9m11s

andyjeffries commented 3 years ago

@kaihoffman can you track this internally and raise with the author of that learn guide (or anyone internally that knows about this stuff), thanks.

Thanks @danielschlegel for the issue, we appreciate it!
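
The mismatch reported in this issue can be checked mechanically from `kubectl get ingress,secret -n default -o json` output. The following is an added example, not code from the thread or the Civo guide: the sample JSON is constructed, the function name `check_ingress_tls` and its status labels are hypothetical, and reading a `<secretName>-<suffix>` secret as a sign that the certificate has not been issued yet is an assumption about cert-manager's behaviour.

```python
import json

# Constructed sample of `kubectl get ingress,secret -n default -o json`,
# trimmed to the fields the check reads; names mirror the issue above.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress",
     "metadata": {"namespace": "default", "name": "expressjs"},
     "spec": {"tls": [{"hosts": ["expressjs.example.com"],
                       "secretName": "expressjs-secret"}]}},
    {"kind": "Secret", "type": "Opaque",
     "metadata": {"namespace": "default", "name": "expressjs-secret-qgxcm"},
     "data": {"tls.key": "PLACEHOLDER"}},
]})


def check_ingress_tls(kubectl_json):
    """Return one (ingress, secretName, status, detail) per Ingress TLS entry."""
    items = json.loads(kubectl_json)["items"]
    secrets = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
               for s in items if s["kind"] == "Secret"}
    findings = []
    for ing in (i for i in items if i["kind"] == "Ingress"):
        ns = ing["metadata"].get("namespace", "default")
        ref = f"{ns}/{ing['metadata']['name']}"
        for tls in ing.get("spec", {}).get("tls", []):
            want = tls.get("secretName")
            if not want:
                continue  # no secret referenced, nothing to look up
            sec = secrets.get((ns, want))
            if sec is None:
                # Look for same-namespace secrets named "<secretName>-<suffix>":
                # assumed to mean issuance has not produced the final secret.
                near = sorted(n for (sns, n) in secrets
                              if sns == ns and n.startswith(want + "-"))
                findings.append((ref, want, "pending" if near else "missing", near))
            elif (sec.get("type") != "kubernetes.io/tls"
                  or not {"tls.crt", "tls.key"} <= set(sec.get("data") or {})):
                # Name matches, but it is not a usable TLS secret.
                findings.append((ref, want, "invalid", [sec.get("type")]))
            else:
                findings.append((ref, want, "ok", []))
    return findings


if __name__ == "__main__":
    for ref, secret, status, detail in check_ingress_tls(SAMPLE):
        print(f"{ref}: secret {secret}: {status} {detail}")
```

A `pending` result points the investigation at the cert-manager side (for example `kubectl describe certificate,certificaterequest,order,challenge -n default`) rather than at Traefik's secret lookup.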