Closed andreas-kupries closed 10 months ago
It seems we have to update also the app chart, this is shown when deploying app:
Unable to build kubernetes objects from release manifest: resource mapping not found for name: "rsample-tls-sample-tls-3619f120a2c9701f06e3008d5146feb82bd289d2" namespace: "" from "": no matches for kind "Certificate" in version "cert-manager.io/v1" ensure CRDs are installed first
See my notes at https://github.com/epinio/epinio/issues/2476#issuecomment-1776780415 and point 5 in the semi-spec at https://github.com/epinio/epinio/issues/2476#issuecomment-1776806116
I made a mistake originally and created an annotation instead of a label for the `epinio.io/routing` key. Now the application is deployed and using the existing tls secret for the app ingress created in the same ns as the app.
This is the tls secret I've created in the `workspace` ns according to the doc:
```yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUd...
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  labels:
    epinio.io/routing: any-value-allowed
  name: sample-app-tls
  namespace: workspace
type: kubernetes.io/tls
```
Notes:
* `epinio`, `dex` and workload apps are served through public domains and can use wildcard domains (e.g. `*.1.2.3.4.nip.io`) in CN/SAN fields
* `registry` and `minio/s3` are inter-cluster "private" domains `registry.<ns>.svc.cluster.local` and `minio.<ns>.svc.cluster.local`
* `--values values.yaml` when installing epinio without CM, keys `s3`, `registry` & `epinio` are needed by epinio to install with default internal registries and internal minio:
```yaml
certManager:
enabled: false
s3:
ca: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
registry:
ca: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
epinio:
ca: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
```
Test report:
```bash
$ cat values.yaml
certManager:
enabled: false
s3:
ca: |
cert: |
key: |
registry:
...
epinio:
...
$ helm upgrade --install epinio --namespace epinio chart/epinio --set global.domain=1.2.3.4.nip.io --create-namespace --values ./values.yaml
```
* Installation with default/mandatory values - CM has to be installed - OK
```bash
helm upgrade --install epinio --namespace epinio chart/epinio --set global.domain=1.2.3.4.nip.io --create-namespace
```
In both cases I also successfully deployed a sample php app and the route was reachable. I just had to create the "Routing secret" when using custom certificates without CM.
Verified in `v1.11.0-rc2` on k3s without cert-manager installed, including sample app deployment using "routing secret" with certificates.
Ref https://github.com/epinio/epinio/issues/2476 main PR: https://github.com/epinio/epinio/pull/2681
Enable disabling of CM `Certificate` resources. Conversely inject `Secret` resources normally generated by CM. Plus `values.yaml` parameters to configure these secrets.
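As an added example (not code from the thread or from Epinio), this check flags a routing secret that carries `epinio.io/routing` as an annotation instead of a label, the mistake mentioned earlier in the thread, and also verifies the `kubernetes.io/tls` type and PEM payloads. It assumes input in `kubectl get secret -o json` form; `check_routing_secret` and `sample_secret` are hypothetical names and the sample manifest is constructed.

```python
import base64
import json

ROUTING_LABEL = "epinio.io/routing"  # label key from the thread; any value is accepted
# Expected PEM prefix per data key; private-key headers vary (RSA, EC, PKCS#8).
PEM_PREFIX = {"tls.crt": b"-----BEGIN CERTIFICATE-----", "tls.key": b"-----BEGIN "}


def check_routing_secret(manifest_json):
    """Return the problems found in a Secret given as `kubectl get secret -o json` text."""
    obj = json.loads(manifest_json)
    meta = obj.get("metadata") or {}
    problems = []
    if obj.get("type") != "kubernetes.io/tls":
        problems.append("type is not kubernetes.io/tls")
    if ROUTING_LABEL not in (meta.get("labels") or {}):
        if ROUTING_LABEL in (meta.get("annotations") or {}):
            problems.append(f"{ROUTING_LABEL} is set as an annotation, not a label")
        else:
            problems.append(f"label {ROUTING_LABEL} is missing")
    data = obj.get("data") or {}
    for key, prefix in PEM_PREFIX.items():
        if key not in data:
            problems.append(f"data.{key} is missing")
            continue
        try:
            decoded = base64.b64decode(data[key], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"data.{key} is not valid base64")
            continue
        if not decoded.lstrip().startswith(prefix):
            problems.append(f"data.{key} does not decode to PEM")
    return problems


def sample_secret(use_label=True):
    """Constructed sample manifest; the PEM bodies are placeholders, not real keys."""
    def b64(text):
        return base64.b64encode(text.encode()).decode()
    meta = {"name": "sample-app-tls", "namespace": "workspace"}
    meta["labels" if use_label else "annotations"] = {ROUTING_LABEL: "any-value-allowed"}
    data = {"tls.crt": b64("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"),
            "tls.key": b64("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")}
    return json.dumps({"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
                       "metadata": meta, "data": data})


if __name__ == "__main__":
    print(check_routing_secret(sample_secret(use_label=False)))
```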