epinio / helm-charts

Epinio Helm chart
https://epinio.github.io/helm-charts/

experimental excision of cert-manager #509

Closed andreas-kupries closed 10 months ago

andreas-kupries commented 11 months ago

Ref https://github.com/epinio/epinio/issues/2476 main PR: https://github.com/epinio/epinio/pull/2681

Enable disabling of CM Certificate resources. Conversely inject Secret resources normally generated by CM. Plus values.yaml parameters to configure these secrets.

thehejik commented 10 months ago

It seems we also have to update the app chart; this is shown when deploying an app:

Unable to build kubernetes objects from release manifest: resource mapping not found for name: "rsample-tls-sample-tls-3619f120a2c9701f06e3008d5146feb82bd289d2" namespace: "" from "": no matches for kind "Certificate" in version "cert-manager.io/v1" ensure CRDs are installed first

andreas-kupries commented 10 months ago

> It seems we also have to update the app chart; this is shown when deploying an app:
>
> Unable to build kubernetes objects from release manifest: resource mapping not found for name: "rsample-tls-sample-tls-3619f120a2c9701f06e3008d5146feb82bd289d2" namespace: "" from "": no matches for kind "Certificate" in version "cert-manager.io/v1" ensure CRDs are installed first

See my notes at https://github.com/epinio/epinio/issues/2476#issuecomment-1776780415 and point 5 in the semi-spec at https://github.com/epinio/epinio/issues/2476#issuecomment-1776806116

thehejik commented 10 months ago

> See my notes at epinio/epinio#2476 (comment) and point 5 in the semi-spec at epinio/epinio#2476 (comment)

I made a mistake originally and created an annotation instead of a label for the epinio.io/routing key. Now the application is deployed and is using the existing TLS secret for the app ingress, created in the same ns as the app.

This is the tls secret I've created in workspace ns according to the doc:

```yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUd...
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  labels:
    epinio.io/routing: any-value-allowed
  name: sample-app-tls
  namespace: workspace
type: kubernetes.io/tls
```

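
A check for the label/annotation mix-up described in the comment above, as an added example that is not part of the thread or of Epinio's code: it takes a Secret manifest as a parsed dict (for instance the output of `kubectl get secret -o json`) and reports where `epinio.io/routing` sits, along with type, namespace and PEM checks. The function names and sample manifests are constructed for illustration, and the rules are assumptions drawn from the secret shown in that comment.

```python
import base64

ROUTING_KEY = "epinio.io/routing"  # key named in the comment above

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def _is_pem(value, kind):
    """True if a base64 Secret value decodes to a PEM block of the given kind."""
    try:
        text = base64.b64decode(value or "", validate=True).decode("ascii")
    except ValueError:  # bad base64 or non-ASCII payload
        return False
    return text.startswith("-----BEGIN ") and f"{kind}-----" in text

def check_routing_secret(manifest, app_namespace):
    """Return the problems found; an empty list means the manifest passes."""
    problems = []
    meta = manifest.get("metadata") or {}
    if manifest.get("kind") != "Secret" or manifest.get("type") != "kubernetes.io/tls":
        problems.append("not a Secret of type kubernetes.io/tls")
    if meta.get("namespace") != app_namespace:
        problems.append("secret is not in the application's namespace")
    if ROUTING_KEY not in (meta.get("labels") or {}):
        if ROUTING_KEY in (meta.get("annotations") or {}):
            problems.append(f"{ROUTING_KEY} is an annotation, not a label")
        else:
            problems.append(f"label {ROUTING_KEY} is missing")
    data = manifest.get("data") or {}
    if not _is_pem(data.get("tls.crt"), "CERTIFICATE"):
        problems.append("tls.crt is missing or not a PEM certificate")
    if not _is_pem(data.get("tls.key"), "PRIVATE KEY"):
        problems.append("tls.key is missing or not a PEM private key")
    return problems

# Constructed sample input: placeholder PEM bodies, not real key material.
GOOD = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "sample-app-tls", "namespace": "workspace",
                 "labels": {ROUTING_KEY: "any-value-allowed"}},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"),
    },
}
# Same secret with the key placed under annotations, the mistake described above.
MISLABELED = {**GOOD, "metadata": {"name": "sample-app-tls", "namespace": "workspace",
                                   "annotations": {ROUTING_KEY: "any-value-allowed"}}}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("MISLABELED", MISLABELED)):
        print(name, check_routing_secret(m, "workspace"))
```
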
thehejik commented 10 months ago

Notes:

thehejik commented 10 months ago

Test report:

```bash
helm upgrade --install epinio --namespace epinio chart/epinio --set global.domain=1.2.3.4.nip.io --create-namespace --values ./values.yaml
```

* Installation with default/mandatory values - CM has to be installed - OK
```bash
helm upgrade --install epinio --namespace epinio chart/epinio --set global.domain=1.2.3.4.nip.io --create-namespace
```

In both cases I also successfully deployed a sample php app and the route was reachable. I just had to create the "Routing secret" when using custom certificates without CM.

thehejik commented 9 months ago

Verified in v1.11.0-rc2 on k3s without cert-manager installed including sample app deployment using "routing secret" with certificates.