Closed odravison closed 7 years ago
`DEPLOYMENTS` env var (rather than the RC one). Your nginx-ssl-proxy is expected to have a target for non-cert requests to be forwarded to (i.e. the actual service you want to have secured with https):

```yaml
- name: SERVICE_HOST_ENV_NAME
  value: PLOYST_API_SERVICE_SERVICE_HOST
- name: SERVICE_PORT_ENV_NAME
  value: PLOYST_API_SERVICE_SERVICE_PORT
```

`targetPort` should be an actual port number. At least for me it is. (80 goes to 80, 443 to 443)

Awesome observations. I'll try it soon and will post the result here. Good point about dividing the files to see which one fails. ;) Thanks for the help. Thanks a lot!
Hello, I'm sorry about the wait.
The JSON error message persists on the nginx ReplicationController.
I'm not using Deployments. As I'm still learning Kubernetes, that's for another day.
Here is the nginx-rc.yml:
```yaml
kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api
  labels:
    name: nginx-ssl-proxy-api
    role: ssl-proxy
spec:
  containers:
  - name: nginx-ssl-proxy-api
    image: ployst/nginx-ssl-proxy:0.0.3
    env:
    - name: SERVICE_HOST_ENV_NAME
      value: MEUOLHAR_BACKEND_SERVICE_HOST
    - name: SERVICE_PORT_ENV_NAME
      value: MEUOLHAR_BACKEND_SERVICE_PORT
    - name: CERT_SERVICE_HOST_ENV_NAME
      value: LETSENCRYPT_SERVICE_SERVICE_HOST
    - name: CERT_SERVICE_PORT_ENV_NAME
      value: LETSENCRYPT_SERVICE_SERVICE_PORT
    ports:
    -
      name: ssl-proxy-http
      containerPort: 80
    -
      name: ssl-proxy-https
      containerPort: 443
```
The structure appears to be wrong (see here for an example). This works:

```yaml
kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api-rc
  labels:
    name: nginx-ssl-proxy-rc
    role: ssl-proxy
spec:
  replicas: 1
  selector:
    app: nginx-ssl-proxy
    mode: blahdeblah
  template:
    metadata:
      labels:
        app: nginx-ssl-proxy
        mode: blahdeblah
    spec:
      containers:
      - name: nginx-ssl-proxy-api
        image: ployst/nginx-ssl-proxy:0.0.5
        env:
        - name: SERVICE_HOST_ENV_NAME
          value: MEUOLHAR_BACKEND_SERVICE_HOST
        - name: SERVICE_PORT_ENV_NAME
          value: MEUOLHAR_BACKEND_SERVICE_PORT
        - name: CERT_SERVICE_HOST_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_HOST
        - name: CERT_SERVICE_PORT_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_PORT
        ports:
        - name: ssl-proxy-http
          containerPort: 80
        - name: ssl-proxy-https
          containerPort: 443
```

(note that 0.0.3 is not available on hub.docker.com, so I've altered the config for you to 0.0.5)
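To make the difference between the two manifests above checkable rather than eyeballed, here is an added example (my own, not code from the nginx-ssl-proxy project or from this thread): a small Python validator that reports the shape problems a v1 ReplicationController must not have, including a `spec` that lists `containers` directly instead of `replicas` / `selector` / `template`, a selector that disagrees with the template labels, and non-integer `containerPort` values. The manifests are constructed as Python dicts from the YAML in the thread so the script runs offline without a YAML library; names, labels and the 0.0.5 image tag are the ones posted above.

```python
"""Structural checks for a Kubernetes v1 ReplicationController manifest.

Added example for this thread, not the project's own tooling. Manifests are
constructed as dicts from the YAML posted above so no YAML parser is needed.
"""

def check_rc(manifest):
    """Return a list of human-readable problems; an empty list means the
    manifest has the shape a v1 ReplicationController needs."""
    problems = []
    if manifest.get("apiVersion") != "v1":
        problems.append("apiVersion must be v1")
    if manifest.get("kind") != "ReplicationController":
        problems.append("kind must be ReplicationController")
    if not manifest.get("metadata", {}).get("name"):
        problems.append("metadata.name is required")

    spec = manifest.get("spec") or {}
    # `containers` is a PodSpec field; under an RC it must sit in spec.template.spec.
    if "containers" in spec:
        problems.append("spec.containers belongs under spec.template.spec")
    replicas = spec.get("replicas", 1)  # the API server defaults replicas to 1
    if not isinstance(replicas, int) or replicas < 0:
        problems.append("spec.replicas must be a non-negative integer")

    template = spec.get("template")
    if not isinstance(template, dict):
        problems.append("spec.template is required")
        return problems  # nothing more to check without a pod template

    labels = template.get("metadata", {}).get("labels", {})
    selector = spec.get("selector")
    if selector is None:
        selector = labels  # the API server defaults the selector to the template labels
    if not selector:
        problems.append("spec.selector (or template labels) must be non-empty")
    for key, value in selector.items():
        if labels.get(key) != value:
            problems.append(f"template label {key}={labels.get(key)!r} does not match selector {key}={value!r}")

    containers = template.get("spec", {}).get("containers")
    if not containers:
        problems.append("spec.template.spec.containers must list at least one container")
        return problems
    for c in containers:
        name = c.get("name") or "<unnamed>"
        if not c.get("name"):
            problems.append("every container needs a name")
        if not c.get("image"):
            problems.append(f"container {name}: image is required")
        for env in c.get("env", []):
            if "name" not in env or ("value" not in env and "valueFrom" not in env):
                problems.append(f"container {name}: env entry {env!r} needs name and value/valueFrom")
        for port in c.get("ports", []):
            cp = port.get("containerPort")
            if not isinstance(cp, int) or not 1 <= cp <= 65535:
                problems.append(f"container {name}: containerPort {cp!r} must be an integer 1-65535")
    return problems


# Container definition shared by the thread's manifests (constructed from the posts).
PROXY_CONTAINER = {
    "name": "nginx-ssl-proxy-api",
    "image": "ployst/nginx-ssl-proxy:0.0.5",
    "env": [
        {"name": "SERVICE_HOST_ENV_NAME", "value": "MEUOLHAR_BACKEND_SERVICE_HOST"},
        {"name": "SERVICE_PORT_ENV_NAME", "value": "MEUOLHAR_BACKEND_SERVICE_PORT"},
        {"name": "CERT_SERVICE_HOST_ENV_NAME", "value": "LETSENCRYPT_SERVICE_SERVICE_HOST"},
        {"name": "CERT_SERVICE_PORT_ENV_NAME", "value": "LETSENCRYPT_SERVICE_SERVICE_PORT"},
    ],
    "ports": [
        {"name": "ssl-proxy-http", "containerPort": 80},
        {"name": "ssl-proxy-https", "containerPort": 443},
    ],
}

# The first manifest in the thread: PodSpec fields placed directly under spec.
BROKEN_RC = {
    "kind": "ReplicationController", "apiVersion": "v1",
    "metadata": {"name": "nginx-ssl-proxy-api"},
    "spec": {"containers": [PROXY_CONTAINER]},
}

def rc_with(selector, labels):
    """Build the corrected manifest shape with the given selector and template labels."""
    return {
        "kind": "ReplicationController", "apiVersion": "v1",
        "metadata": {"name": "nginx-ssl-proxy-api-rc"},
        "spec": {
            "replicas": 1,
            "selector": selector,
            "template": {"metadata": {"labels": labels},
                         "spec": {"containers": [PROXY_CONTAINER]}},
        },
    }

FIXED_RC = rc_with({"app": "nginx-ssl-proxy", "mode": "prod"}, {"app": "nginx-ssl-proxy", "mode": "prod"})
# Selector and template labels disagree; the API server refuses this as well.
MISMATCHED_RC = rc_with({"app": "nginx-ssl-proxy", "mode": "prod"}, {"app": "nginx-ssl-proxy", "mode": "blahdeblah"})

if __name__ == "__main__":
    for label, m in [("broken", BROKEN_RC), ("fixed", FIXED_RC), ("mismatched", MISMATCHED_RC)]:
        print(label, check_rc(m) or "OK")
```

Running it prints the two structural complaints for the broken manifest, `OK` for the corrected one, and the label mismatch for the third. The check is deliberately independent of the API server, so it can run in CI before `kubectl create` gets a chance to print a less helpful decode error.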
Hello, Alex.
I'm sorry for any disturbance, but I'm very, very confused by this configuration. Look, I have tried many ways to do that, unfortunately without success.
I'm trying this now:
```yaml
kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api-rc
  labels:
    name: nginx-ssl-proxy-rc
    role: ssl-proxy
spec:
  replicas: 1
  selector:
    app: nginx-ssl-proxy
    mode: prod
  template:
    metadata:
      labels:
        app: nginx-ssl-proxy
        mode: prod
    spec:
      containers:
      - name: nginx-ssl-proxy-api
        image: ployst/nginx-ssl-proxy:0.0.5
        env:
        - name: SERVICE_HOST_ENV_NAME
          value: "XXX.XXX.XXX.XXX"
        - name: SERVICE_PORT_ENV_NAME
          value: "8080"
        - name: CERT_SERVICE_HOST_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_HOST
        - name: CERT_SERVICE_PORT_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_PORT
        ports:
        - name: ssl-proxy-http
          containerPort: 80
        - name: ssl-proxy-https
          containerPort: 443
```
And I'm receiving this:

```
2016/09/09 14:32:36 [emerg] 11#11: invalid port in upstream ":" in /etc/nginx/conf.d/proxy.conf:2 nginx: [emerg] invalid port in upstream ":" in /etc/nginx/conf.d/proxy.conf:2
```

I think that's an error when your script concatenates the SERVICE_PORT_ENV_NAME inside proxy.conf.
```yaml
- name: SERVICE_HOST_ENV_NAME
  value: "XXX.XXX.XXX.XXX"
- name: SERVICE_PORT_ENV_NAME
  value: "8080"
```

These values are wrong. If you want to go for that approach (hardcoding IP and ports), use TARGET_SERVICE. If not, then these should be the names of environment variables available at runtime to the pod (they are provided by Kubernetes: each service has a host and a port env var exposed).
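The indirection Alex describes here and in the first reply at the top of the thread (SERVICE_HOST_ENV_NAME holds the *name* of a variable Kubernetes injects, not a host) is easy to get wrong, and the symptom is exactly the `invalid port in upstream ":"` error quoted above: a literal IP is looked up as a variable name, finds nothing, and an empty host and port are written into proxy.conf. The following is an added example, written for this thread rather than taken from the nginx-ssl-proxy image, that models the start-up step which turns the pod environment into nginx's upstream line, first naively and then with a check that refuses to start on an unresolvable name. It assumes (the thread does not say) that TARGET_SERVICE, when set, is a literal `host:port` that takes precedence; the pod environment is constructed with made-up service IPs.

```python
"""Resolving SERVICE_HOST_ENV_NAME / SERVICE_PORT_ENV_NAME inside the proxy pod.

Added example modelling the image's start-up step; the real image's script
may differ. Assumption: TARGET_SERVICE is a literal "host:port" and wins.
"""
import re

# Hostname or dotted IPv4; good enough for an nginx `server` directive here.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")

class UpstreamConfigError(ValueError):
    """Raised instead of letting an empty host or port reach proxy.conf."""

def resolve_upstream(env):
    """Return (host, port) for the proxy target from a pod environment `env`
    (a dict standing in for os.environ)."""
    target = env.get("TARGET_SERVICE")
    if target:  # assumed precedence and format, see docstring
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port:
            raise UpstreamConfigError(f"TARGET_SERVICE must be host:port, got {target!r}")
    else:
        host_var = env.get("SERVICE_HOST_ENV_NAME", "")
        port_var = env.get("SERVICE_PORT_ENV_NAME", "")
        for var in (host_var, port_var):
            if var not in env:
                # The thread's mistake: "XXX.XXX.XXX.XXX" and "8080" are not
                # names of variables the pod has, so the lookup yields "".
                raise UpstreamConfigError(f"{var!r} is not an environment variable in this pod")
        host, port = env[host_var], env[port_var]
    if not HOSTNAME_RE.match(host):
        raise UpstreamConfigError(f"bad upstream host {host!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise UpstreamConfigError(f"bad upstream port {port!r}")
    return host, int(port)

def render_proxy_conf(env):
    """The validated upstream block that would go into proxy.conf."""
    host, port = resolve_upstream(env)
    return f"upstream target {{\n    server {host}:{port};\n}}\n"

def naive_render(env):
    """What a shell template such as
    `server ${!SERVICE_HOST_ENV_NAME}:${!SERVICE_PORT_ENV_NAME};`
    produces with no validation; reproduces the error seen in the thread."""
    host = env.get(env.get("SERVICE_HOST_ENV_NAME", ""), "")
    port = env.get(env.get("SERVICE_PORT_ENV_NAME", ""), "")
    return f"server {host}:{port};"

# Constructed pod environment. Kubernetes injects <SERVICE>_SERVICE_HOST and
# <SERVICE>_SERVICE_PORT for every Service that existed when the pod started;
# a Service created afterwards is not visible until the pod is recreated.
POD_ENV_OK = {
    "MEUOLHAR_BACKEND_SERVICE_HOST": "10.87.250.12",
    "MEUOLHAR_BACKEND_SERVICE_PORT": "8080",
    "SERVICE_HOST_ENV_NAME": "MEUOLHAR_BACKEND_SERVICE_HOST",
    "SERVICE_PORT_ENV_NAME": "MEUOLHAR_BACKEND_SERVICE_PORT",
}
POD_ENV_WRONG = {
    "MEUOLHAR_BACKEND_SERVICE_HOST": "10.87.250.12",
    "MEUOLHAR_BACKEND_SERVICE_PORT": "8080",
    "SERVICE_HOST_ENV_NAME": "XXX.XXX.XXX.XXX",  # literal value, as in the thread
    "SERVICE_PORT_ENV_NAME": "8080",
}

if __name__ == "__main__":
    print(render_proxy_conf(POD_ENV_OK))
    print("naive rendering of the wrong config:", naive_render(POD_ENV_WRONG))
    try:
        render_proxy_conf(POD_ENV_WRONG)
    except UpstreamConfigError as e:
        print("validated rendering refuses to start:", e)
```

The naive rendering of the wrong configuration yields `server :;`, which is the line nginx rejects with `invalid port in upstream ":"`. Failing fast on the unresolved name, with the offending variable in the message, turns a confusing nginx emergency into a one-line fix in the manifest. It also avoids the quieter failure where a stale or mistyped name resolves to some other service's address and the proxy forwards traffic to the wrong backend.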
Alright, I got your point.
I'll test and post the result here. Thanks.

Hello, Alex.
After a whole day, it finally works. But there is a little detail. How do I run kubectl commands when the cluster is only accessible by a key? Does your solution foresee that and is it designed to do that? If not, I'll figure out this problem and contribute to your solution. Can I? Of course, this will be committed to the let's encrypt repository.
Thanks in advance.
@Odravison surprisingly pods seem to be able to run kubectl commands by default.
If you run the following you can see what is going on:

```sh
kubectl get pods
kubectl exec -it <lets-encrypt-pod-name> /bin/bash
```

Now take a look at the crontab that is set up as part of pod bootstrapping:

```sh
sudo crontab -l
```

And try running that command. It should look something like this:

```
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin KUBERNETES_PORT=tcp://10.87.240.1:443 KUBERNETES_PORT_443_TCP_PORT=443 KUBERNETES_SERVICE_PORT=443 KUBERNETES_SERVICE_HOST=10.87.240.1 KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_ADDR=10.87.240.1 KUBERNETES_PORT_443_TCP=tcp://10.87.240.1:443 SECRET_NAME=<your-secret-name> NAMESPACE=default DEPLOYMENTS='<deployment_names>' DOMAINS='<domains_you_are_registering>' EMAIL=<email_address> /bin/bash /letsencrypt/refresh_certs.sh
```

You can also just run `kubectl get pods` from within the letsencrypt pod to see that things have worked.
Hello, @alexcouper.
This didn't work. The reason is that I'm using a key pair to send commands to my Kubernetes API. I got it working: I ran kubectl inside the letsencrypt pod with my key in a secret. This is more a feature that you could add to this solution. Can I contribute this addition?
Changing the subject: when I don't set the 'secret_name' env, the pod creates a secret with a name without the 'namespace' env, but when I do set it, the pod uses the 'namespace' env, which is 'default' by default... like "default-{domain}". Why is that?
Thanks.
@Odravison feel free to contribute if you're using some other key pair setup.
Re: secret name, not sure. save_certs should fail when you don't set the SECRET_NAME env var.
Can you post or send a service and replicationController example of your nginx and letsencrypt?

I'm getting this error message:

```
unable to decode "./nginx-ssl-proxy-deployment.yml": [pos 128]: json: expect char '"' but got char '{'
```

These are the RC and SVC .yml files of my nginx and letsencrypt:
deployment-files.zip