Open carstenblt opened 1 year ago
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
We would also need this.
I hope this is not considered issue hijacking but I would like to explain our use case for this feature:
Currently we have a cluster with many different domains and cert-manager. The LB has proxy protocol enabled, so cert-manager only works if we set load-balancer.hetzner.cloud/hostname on the ingress service object, but this prevents us from adding more than one domain. Switching the challenge method is also not an option, because the same issue would occur if we try to access any domain pointing to the LB from within the cluster (like in Angular SSR from frontend pods).
What is recommended in this case? Is there any way to get IP address information without using proxy protocol (like headers set on the LB, for example)?
If you're coming from search here - after hours of trial and error I kinda gave up on the managed certificates functionality - please see also this comment. I went with the cert-manager route and everything just works (using Hetzner LB + Cloudflare + cert-manager dns01 challenge combo).
Quick question: Would you need one certificate per domain or are multiple domains in one certificate fine? (Through Subject Alternative Name)
That would be fine for me.
@carstenblt I just tested multiple wildcard domains, and it's working for me as expected. Is this what you were looking for? If not, could you explain to me again what you need?
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app.kubernetes.io/name: nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:stable
          ports:
            - containerPort: 80
              name: web
  selector:
    matchLabels:
      app.kubernetes.io/name: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: example-lb-service
  annotations:
    load-balancer.hetzner.cloud/location: fsn1
    load-balancer.hetzner.cloud/certificate-type: "managed"
    load-balancer.hetzner.cloud/http-managed-certificate-domains: "*.jt1.hc-integrations.de,*.jt2.hc-integrations.de"
    load-balancer.hetzner.cloud/http-redirect-http: "true"
    load-balancer.hetzner.cloud/protocol: "https"
spec:
  selector:
    app.kubernetes.io/name: nginx
  ports:
    - protocol: TCP
      port: 443
      targetPort: web
  type: LoadBalancer
```
```console
$ hcloud certificate list
ID        NAME                                                           TYPE      DOMAIN NAMES                                         NOT VALID AFTER               AGE
1319216   ccm-managed-certificate-9f822aa2-0e09-42a0-aae7-fe5047ee7318   managed   *.jt1.hc-integrations.de, *.jt2.hc-integrations.de   Sun Nov 10 11:49:03 CET 2024  4m

$ hcloud load-balancer list
ID        NAME                               HEALTH    IPV4              IPV6                   TYPE   LOCATION   NETWORK ZONE   AGE
1995971   aba2b4d2cf8ab4457b2e811ef16bbb3c   unknown   167.235.216.242   2a01:4f8:c011:cf0::1   lb11   fsn1       eu-central     46s

$ openssl s_client -showcerts -servername foo.jt1.hc-integrations.de -connect 167.235.216.242:443 </dev/null
# Expected cert is being returned
```
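As an added example that is not part of this thread or the project: a small POSIX shell check for whether the domain list given in the `http-managed-certificate-domains` annotation actually covers the hostnames you intend to serve, applying the one-label wildcard rule a TLS client will use when it validates the certificate. The domain list is the one from the Service above; the hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): does the managed-certificate domain list
# cover a hostname? A "*." wildcard covers exactly one leftmost label, so
# *.jt1.example covers foo.jt1.example but not a.b.jt1.example or jt1.example.

# host_matches_name HOST NAME -> exit 0 if NAME covers HOST (case-insensitive)
host_matches_name() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$name" in
    '*.'*)
      suffix=${name#\*.}
      case "$host" in
        *".$suffix")
          left=${host%".$suffix"}           # the part the "*" stands for
          [ -n "$left" ] || return 1        # bare suffix is not covered
          case "$left" in *.*) return 1 ;; esac   # more than one label
          return 0 ;;
        *) return 1 ;;
      esac ;;
    *) [ "$host" = "$name" ] ;;
  esac
}

# cert_covers_host DOMAIN_LIST HOST -> exit 0 if any name in the comma-separated
# annotation value covers HOST
cert_covers_host() {
  list=$1; host=$2
  oldifs=$IFS; set -f; IFS=','; set -- $list; IFS=$oldifs; set +f
  for name in "$@"; do
    name=$(printf '%s' "$name" | tr -d ' ')
    if host_matches_name "$host" "$name"; then return 0; fi
  done
  return 1
}

# uncovered_hosts DOMAIN_LIST HOST... -> prints each host the list does not
# cover; exit status is the number of uncovered hosts
uncovered_hosts() {
  list=$1; shift; n=0
  for h in "$@"; do
    if ! cert_covers_host "$list" "$h"; then echo "$h"; n=$((n+1)); fi
  done
  return $n
}

# Annotation value from the Service above; the hostnames are constructed.
DOMAINS='*.jt1.hc-integrations.de,*.jt2.hc-integrations.de'
uncovered_hosts "$DOMAINS" foo.jt1.hc-integrations.de bar.jt2.hc-integrations.de \
  a.b.jt1.hc-integrations.de jt1.hc-integrations.de
echo "uncovered hosts: $?"
```

Running it lists the two hostnames the wildcards do not reach (the nested name and the bare zone apex), which is the check to do before pointing such names at the load balancer.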
Is it possible to assign multiple certificates to a load balancer?
I was expecting
to work but it doesn't.