jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

GKE ingress only have one certificate when multiple are described in the ingress.yml #178

Closed carlosflorencio closed 7 years ago

carlosflorencio commented 7 years ago

Hi,

I am trying to configure multiple certs for sub domains using kube lego and google cloud platform.

I have two services, one for my staging pod and another for my production pod.

My ingress config:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: restaurants-s
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "gce"
spec:
  tls:
  - secretName: staging-restaurants-tls1
    hosts:
    - staging.otrack.info
  - secretName: prod-restaurants-tls1
    hosts:
    - otrack.info
  backend:
    serviceName: srestaurants-s
    servicePort: 80
  rules:
  # Staging
  - host: staging.otrack.info
    http:
      paths:
      - path: /*
        backend:
          serviceName: srestaurants-s
          servicePort: 80
      - path: /.well-known/acme-challenge
        backend:
          serviceName: kube-lego-gce
          servicePort: 8080

  # Production
  - host: otrack.info
    http:
      paths:
      - path: /*
        backend:
          serviceName: restaurants-s
          servicePort: 80
      - path: /.well-known/acme-challenge
        backend:
          serviceName: kube-lego-gce
          servicePort: 8080

The sub domain is working fine: https://staging.otrack.info

But the main domain has the wrong certificate: https://otrack.info/

My load balancer only shows one certificate, is this normal?

The secrets have been created with success by kube lego.

Any ideas?

Thanks

simonswine commented 7 years ago

The GCE Ingress controller that is used for your setup supports only a single certificate:

You have these options:

carlosflorencio commented 7 years ago

Yep, thanks for the answer!

I switched to use the nginx controller ingress.

jzhu077 commented 7 years ago

@simonswine I ran into the same problem. If I use

tls:
  - secretName: restaurants-tls1
    hosts:
    - staging.otrack.info
    - otrack.info

How to update the ingress, so that it can start to get a new certificate? The current certificate is for the first domain. And is it possible to use a single certificate for two hosts?

dan-turner commented 7 years ago

Doesn't this imply that GCP's load balancer does support multiple certificates?

You can configure the target proxy of your HTTPS or SSL proxy load balancer with up to ten SSL certificates

https://cloud.google.com/compute/docs/load-balancing/http/ssl-certificates

In the GCP UI for the load balancer created by kubernetes there is even an option to add extra certificates.

artworx commented 6 years ago

I am having the same issue as described above, I am using GCE Ingress and want to have multiple certificates.

According to the google console: "Each forwarding rule can have 1-9 additional certificates".

Salmondx commented 6 years ago

Please, make it more clear from the documentation. Add this workaround for GCE in the README because it's pretty hard to find the root of the problem.
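
An added example, not part of the thread or of kube-lego's code: a small check over `kubectl get ingress -o json` output that flags a GCE-class Ingress with more than one `spec.tls` entry and builds the single multi-host entry that jzhu077's snippet shows. The function name `lint_gce_tls`, the merged secret name and the sample JSON are constructed for illustration, and the check assumes the controller serves only the first `tls` entry, as the reports in this thread suggest.

```python
import json

# Constructed sample: the shape of `kubectl get ingress -o json` for the
# manifest posted at the top of this thread (rules trimmed to their hosts).
SAMPLE = json.loads("""
{"metadata": {"name": "restaurants-s",
              "annotations": {"kubernetes.io/tls-acme": "true",
                              "kubernetes.io/ingress.class": "gce"}},
 "spec": {"tls": [{"secretName": "staging-restaurants-tls1",
                   "hosts": ["staging.otrack.info"]},
                  {"secretName": "prod-restaurants-tls1",
                   "hosts": ["otrack.info"]}],
          "rules": [{"host": "staging.otrack.info"},
                    {"host": "otrack.info"}]}}
""")


def lint_gce_tls(ingress):
    """Return (uncovered_hosts, merged_tls) for a GCE-class Ingress.

    Assumption: the controller serves only the first spec.tls entry, which
    matches what the thread reports (staging works, production does not).
    """
    meta = ingress.get("metadata", {})
    cls = meta.get("annotations", {}).get("kubernetes.io/ingress.class", "")
    tls = ingress.get("spec", {}).get("tls") or []
    if cls != "gce" or len(tls) < 2:
        return [], tls  # nothing to flag, keep the tls block unchanged
    served = set(tls[0].get("hosts", []))
    rules = ingress["spec"].get("rules", [])
    uncovered = [r["host"] for r in rules if r.get("host") and r["host"] not in served]
    # Merge every host into one entry so a single certificate names them all.
    all_hosts = []
    for entry in tls:
        for host in entry.get("hosts", []):
            if host not in all_hosts:
                all_hosts.append(host)
    # Hypothetical secret name derived from the Ingress name.
    merged = [{"secretName": f"{meta.get('name', 'ingress')}-tls", "hosts": all_hosts}]
    return uncovered, merged


if __name__ == "__main__":
    uncovered, merged = lint_gce_tls(SAMPLE)
    for host in uncovered:
        print(f"WARNING: {host} is not named in the first tls entry")
    print(json.dumps({"tls": merged}, indent=2))
```
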