jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

issue regarding ingress controller #240

Closed naveeng68 closed 7 years ago

naveeng68 commented 7 years ago

Hi, after creating our service like echoserver (as mentioned in the kube-lego example), our service, deployment and secret are created successfully, but it's not working in the browser; it shows the log below (nginx-controller log):

52.89.254.61 - [52.89.254.61] - - [11/Aug/2017:08:12:15 +0000] "GET /.well-known/acme-challenge/_selftest HTTP/1.1" 200 16 "-" "Go-http-client/1.1" 151 0.001 [kube-lego-kube-lego-nginx-8080] 100.96.5.5:8080 16 0.001 200 66.133.109.36 - [66.133.109.36] - - [11/Aug/2017:08:12:16 +0000] "GET /.well-known/acme-challenge/aggxF8_TP1wq1WrF2O8TgC-PGiJknH3IBiS4JLkP0a8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" 286 0.002 [kube-lego-kube-lego-nginx-8080] 100.96.5.5:8080 87 0.002 200 I0811 08:12:25.542595 5 backend_ssl.go:64] adding secret test-service/test-service-tls to the local store 61.216.14.176 - [61.216.14.176] - - [11/Aug/2017:08:21:01 +0000] "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" 400 173 "-" "-" 0 0.181 [] - - - - 61.216.14.176 - [61.216.14.176] - - [11/Aug/2017:08:27:14 +0000] 
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" 400 173 "-" "-" 0 0.000 [] - - - -

Once I reload the nginx service, it runs successfully in the browser.

Could you please let us know how we can avoid reloading the nginx service every time? Is there anything we can add to any configuration (either the nginx controller or kube-lego) to reload the nginx controller?

2: If I use nginx controller 1.6 (which has the RBAC stuff), sometimes I am not able to create the secret (via nginx-tls.yaml). When I run nginx-tls.yaml it is created successfully, but the secrets are not showing in the Kubernetes UI and console (kubectl get ing --all-namespaces). Please do the needful.
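Added example, not part of the original issue and not kube-lego or ingress controller code: a small triage of the controller log format quoted in the comment above, run over constructed sample lines. It separates kube-lego's self-test, the Let's Encrypt HTTP-01 validation request, the controller's "adding secret" message, and non-HTTP requests rejected with 400; the function names are hypothetical.

```python
import re

# Constructed sample in the log format quoted in the issue (documentation IPs,
# placeholder token, shortened binary payload); not real traffic.
SAMPLE_LOG = r'''192.0.2.10 - [192.0.2.10] - - [11/Aug/2017:08:12:15 +0000] "GET /.well-known/acme-challenge/_selftest HTTP/1.1" 200 16 "-" "Go-http-client/1.1" 151 0.001 [kube-lego-kube-lego-nginx-8080] 100.96.5.5:8080 16 0.001 200
192.0.2.20 - [192.0.2.20] - - [11/Aug/2017:08:12:16 +0000] "GET /.well-known/acme-challenge/EXAMPLE_TOKEN HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" 286 0.002 [kube-lego-kube-lego-nginx-8080] 100.96.5.5:8080 87 0.002 200
I0811 08:12:25.542595       5 backend_ssl.go:64] adding secret test-service/test-service-tls to the local store
192.0.2.30 - [192.0.2.30] - - [11/Aug/2017:08:21:01 +0000] "\x01\x01\x01\x01" 400 173 "-" "-" 0 0.181 [] - - - -
'''

ACCESS = re.compile(r'^(?P<ip>\S+) - \[[^\]]*\] - \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>.*?)" (?P<status>\d{3}) ')
REQUEST = re.compile(r'^[A-Z]+ (?P<path>\S+) HTTP/\d\.\d$')
SECRET = re.compile(r'^[IWEF]\d{4} [\d:.]+\s+\d+ \S+\] '
                    r'adding secret (?P<name>\S+) to the local store')
ACME_PREFIX = "/.well-known/acme-challenge/"


def classify(line):
    """Return (kind, detail) for one controller log line."""
    m = SECRET.match(line)
    if m:
        return ("secret_loaded", m.group("name"))
    m = ACCESS.match(line)
    if not m:
        return ("unparsed", "")
    req = REQUEST.match(m.group("req"))
    if not req:
        # Request line is not HTTP at all (e.g. escaped binary bytes).
        return ("non_http_request", m.group("status"))
    path = req.group("path")
    if path == ACME_PREFIX + "_selftest":
        return ("acme_selftest", m.group("status"))
    if path.startswith(ACME_PREFIX):
        return ("acme_validation", m.group("status"))
    return ("other_request", m.group("status"))


def summarize(log_text):
    """Condense a log into the facts that matter for certificate issuance."""
    events = [classify(l) for l in log_text.splitlines() if l.strip()]
    return {
        "validation_ok": ("acme_validation", "200") in events,
        "secrets_loaded": [d for k, d in events if k == "secret_loaded"],
        "non_http_requests": sum(k == "non_http_request" for k, _ in events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A summary with `validation_ok` true and the secret listed under `secrets_loaded` means the challenge was answered and the controller registered the secret, so any remaining failure is in how the controller serves it rather than in issuance.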

munnerz commented 7 years ago

Hi @naveeng68

I'm not 100% certain about your issues with the nginx ingress controller, but I think there was an early beta version of the newest version that did have problems reloading TLS certificates/noticing changes. Make sure you're on the latest version of the nginx-ingress controller (found here: https://github.com/kubernetes/ingress/tree/master/controllers/nginx), and if you are still running into issues then please open an issue on that repository. This repo is specifically for support for kube-lego, and we unfortunately cannot provide support for the various different ingress controllers that kube-lego works with!

naveeng68 commented 7 years ago

We’re currently trying to get TLS set up for the nginx-ingress-controller, where the SSL certs are provided by Let’s Encrypt and we’re using kube-lego to retrieve the certs and set up the secrets automatically. We’re seeing the secrets get created successfully, but nginx-ingress-controller isn’t picking them up until we restart its pod(s). Is there a flag we need to set with the nginx-ingress-controller to get it to automatically pick up the secrets periodically? Or is this a bug?