jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

Kube-Lego doesn't create service #264

Open polonel opened 6 years ago

polonel commented 6 years ago

Environment:
Tectonic Cluster 1.7.3-tectonic.3
Kubernetes 1.7.3+tectonic.3


When deploying Kube-Lego using helm with the rbac.create=true flag, I can see that the deployment is created and the role, role bindings, and service accounts are created with the create permissions.

However, the kube-lego pod never seems to create the required service or update the ingresses. Thus filling the kube-lego with...

time="2017-10-23T04:08:33Z" level=info msg="kube-lego 0.1.6-dev-784fc8fe starting" context=kubelego 
time="2017-10-23T04:08:33Z" level=info msg="connecting to kubernetes api: https://10.3.0.1:443" context=kubelego 
time="2017-10-23T04:08:33Z" level=info msg="successfully connected to kubernetes api v1.7.3+coreos.0" context=kubelego 
time="2017-10-23T04:08:33Z" level=debug msg="start watching ingress objects" context=kubelego 
time="2017-10-23T04:08:33Z" level=info msg="server listening on http://:8080/" context=acme 
time="2017-10-23T04:08:33Z" level=debug msg="CREATE ingress/trudesk-cloud/tdcloud" context=kubelego 
time="2017-10-23T04:08:33Z" level=debug msg="worker: begin processing true" context=kubelego 
time="2017-10-23T04:08:33Z" level=info msg="ignoring as has no annotation 'kubernetes.io/tls-acme'" context=ingress name=tectonic-ingress namespace=tectonic-system 
time="2017-10-23T04:08:33Z" level=info msg="ignoring as has no annotation 'kubernetes.io/tls-acme'" context=ingress name=tectonic-monitoring-ingress namespace=tectonic-system 
time="2017-10-23T04:08:33Z" level=debug msg=reset context=provider provider=nginx 
time="2017-10-23T04:08:33Z" level=debug msg=finalize context=provider provider=nginx 
time="2017-10-23T04:08:33Z" level=info msg="disable provider no TLS hosts found" context=provider provider=nginx 
time="2017-10-23T04:08:33Z" level=info msg="process certificate requests for ingresses" context=kubelego 
time="2017-10-23T04:08:33Z" level=info msg="Attempting to create new secret" context=secret name=tdcloud-tls-cert namespace=trudesk-cloud 
time="2017-10-23T04:08:33Z" level=info msg="no cert associated with ingress" context="ingress_tls" name=tdcloud namespace=trudesk-cloud 
time="2017-10-23T04:08:33Z" level=info msg="requesting certificate for cloud.trudesk.io" context="ingress_tls" name=tdcloud namespace=trudesk-cloud 
time="2017-10-23T04:08:33Z" level=debug msg="testing reachability of http://cloud.trudesk.io/.well-known/acme-challenge/_selftest" context=acme domain=cloud.trudesk.io 
time="2017-10-23T04:08:36Z" level=debug msg="error while authorizing: waiting for authorization failed: acme: identifier authorization failed" context=acme domain=cloud.trudesk.io 
time="2017-10-23T04:08:36Z" level=debug msg="testing reachability of http://cloud.trudesk.io/.well-known/acme-challenge/_selftest" context=acme domain=cloud.trudesk.io 
time="2017-10-23T04:08:38Z" level=debug msg="error while authorizing: waiting for authorization failed: acme: identifier authorization failed" context=acme domain=cloud.trudesk.io 
time="2017-10-23T04:08:39Z" level=debug msg="testing reachability of http://cloud.trudesk.io/.well-known/acme-challenge/_selftest" context=acme domain=cloud.trudesk.io 
time="2017-10-23T04:08:41Z" level=debug msg="error while authorizing: waiting for authorization failed: acme: identifier authorization failed" context=acme domain=cloud.trudesk.io 
time="2017-10-23T04:08:43Z" level=debug msg="testing reachability of http://cloud.trudesk.io/.well-known/acme-challenge/_selftest" context=acme domain=cloud.trudesk.io 

The helm command used to deploy kube-lego is as follows:

helm install \
--set=config.LEGO_EMAIL=${LEGO_EMAIL} \
--set=config.LEGO_URL="https://acme-staging.api.letsencrypt.org/directory" \
--set=config.LEGO_DEFAULT_INGRESS_CLASS=tectonic \
--set=config.LEGO_SUPPORTED_INGRESS_CLASS=tectonic \
--set=config.LEGO_SUPPORTED_INGRESS_PROVIDER=nginx \
--set=config.LEGO_LOG_LEVEL=debug \
--set=rbac.create=true \
--set=image.tag=canary \
--name=tectonic \
--namespace=kube-system \
stable/kube-lego

I'm not sure if I'm overlooking something, as there is not much information on getting this to work with a tectonic cluster. Any insight?

tlyng commented 6 years ago

I'm having similar issues when supplying custom ingress classes. It works fine when not specifying default ingress class, supported ingress class and provider.

eversC commented 6 years ago

I was having the same issue, and after much code trawling I finally found an annotation that's used to specify the ingress provider: "kubernetes.io/ingress.provider"

...which led me to: https://github.com/jetstack/kube-lego/issues/189#issuecomment-313139616

I added that annotation (with value "nginx") to my nginx ingress, and it started working. I haven't tried multiple ingress classes yet.
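
The log signature from this thread can be checked mechanically. The following is an added example, not part of any comment above and not kube-lego code: it parses an excerpt of the log posted in the issue and flags hosts whose ACME authorization keeps failing while a provider reports "no TLS hosts found". Reading that combination as a provider-mapping problem is an assumption based on the posted log and the `kubernetes.io/ingress.provider` annotation mentioned in the last comment; `parse_line` and `diagnose` are hypothetical helper names.

```python
import re
from collections import Counter

# Excerpt of the kube-lego log posted in the issue above (logrus text format).
SAMPLE_LOG = '''\
time="2017-10-23T04:08:33Z" level=info msg="disable provider no TLS hosts found" context=provider provider=nginx
time="2017-10-23T04:08:33Z" level=info msg="requesting certificate for cloud.trudesk.io" context="ingress_tls" name=tdcloud namespace=trudesk-cloud
time="2017-10-23T04:08:36Z" level=debug msg="error while authorizing: waiting for authorization failed: acme: identifier authorization failed" context=acme domain=cloud.trudesk.io
time="2017-10-23T04:08:38Z" level=debug msg="error while authorizing: waiting for authorization failed: acme: identifier authorization failed" context=acme domain=cloud.trudesk.io
'''

# key=value or key="quoted value with spaces"
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split one logrus text line into a dict of its key=value fields."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD.findall(line)}

def diagnose(log_text):
    """Return disabled providers, requested hosts, failure counts and findings."""
    disabled, requested, failures = set(), {}, Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        msg = f.get("msg", "")
        if msg == "disable provider no TLS hosts found":
            disabled.add(f.get("provider", "?"))
        elif msg.startswith("requesting certificate for "):
            host = msg[len("requesting certificate for "):]
            requested[host] = f"{f.get('namespace')}/{f.get('name')}"
        elif msg.startswith("error while authorizing"):
            failures[f.get("domain", "?")] += 1
    findings = []
    for host, ingress in requested.items():
        # Assumed interpretation: the ingress is not mapped to the disabled provider.
        if disabled and failures[host]:
            findings.append(
                f"{host} ({ingress}): {failures[host]} failed authorizations while "
                f"provider(s) {sorted(disabled)} had no TLS hosts; check the "
                "kubernetes.io/ingress.provider annotation on that ingress")
    return {"disabled": disabled, "requested": requested,
            "failures": dict(failures), "findings": findings}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(finding)
```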