Open jmn opened 7 years ago
It seems to already do this to a certain extent, but the root seems to hit the default backend, not my app.
Hi @jmn & @bbhoss.
It seems that the root is the nginx ingress controller sending you to the default backend unless the TLS secret exists & is propagated for the domain (e.g. rate limiting when it was requested or other failure to request).
I use the following ingress to set a TLS secret on the default backend.
```yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: default-ingress
  namespace: default
  annotations:
    kubernetes.io/tls-acme: 'false'
    kubernetes.io/ingress.class: 'nginx'
spec:
  tls:
  - secretName: <your tls secret with default ssl cert>
  backend:
    serviceName: default-http-backend
    servicePort: 80
```
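An added example, not part of the original comment or of kube-lego: one way to build a self-signed certificate and the `kubernetes.io/tls` Secret that the `secretName` field of the Ingress refers to. The function name, the secret name `default-tls` and the host name `fallback.example.test` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create a short-lived self-signed fallback certificate and
# print a kubernetes.io/tls Secret manifest for it on stdout.
# The output contains the private key, so treat it as secret material.
# Typical use (names are assumptions):
#   make_default_tls_secret default-tls default fallback.example.test | kubectl apply -f -

# make_default_tls_secret NAME NAMESPACE COMMON_NAME [DAYS]
make_default_tls_secret() {
    name=$1; namespace=$2; cn=$3; days=${4:-30}
    tmp=$(mktemp -d) || return 1          # mktemp -d creates a 0700 directory

    # Self-signed certificate with a SAN (-addext needs OpenSSL 1.1.1+);
    # -nodes leaves the key unencrypted, as the ingress controller expects.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
        -keyout "$tmp/tls.key" -out "$tmp/tls.crt" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }

    # Refuse to emit a Secret whose key does not match the certificate.
    cert_pub=$(openssl x509 -in "$tmp/tls.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$tmp/tls.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { rm -rf "$tmp"; return 1; }

    cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: $name
  namespace: $namespace
data:
  tls.crt: $(base64 < "$tmp/tls.crt" | tr -d '\n')
  tls.key: $(base64 < "$tmp/tls.key" | tr -d '\n')
EOF
    rm -rf "$tmp"
}
```

Clients will not trust this certificate, so it only keeps TLS answering on the default backend until a valid certificate has been issued.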
If e.g. a domain were to be temporarily rate limited (currently the letsencrypt limit is 20 certs/week) it would be quite neat if kube-lego could be configured to serve the service using a self-signed (staging) cert until it can get a valid cert. Perhaps this is already easily doable?