1
votes

I am trying to deploy the "cert-manager" (https://github.com/jetstack/cert-manager) project which is the successor to "kube-lego". I'm finding that the certificates don't match what is being created, and I'm wondering if anybody else has tried this before.

I am creating a tls secretName with "monitoring-xxx-com", and in the ingress-nginx logs I find that it's trying to search for namespace/monitoring-xxx-com and not finding what it expects.

I am wondering whether this is because ingress-nginx is trying to use the pod's namespace automatically and cert-manager is creating certs without a namespace, therefore that's why the cert can never be found.

error obtaining PEM from secret kube-system/monitoring-xxx-com: error retrieving secret kube-system/monitoring-xxx-com: secret kube-system/monitoring-xxx-com was not found

and in the certificate created by "cert-manager":

Issuer Ref:
  Kind:       ClusterIssuer
  Name:       letsencrypt-staging
Secret Name:  monitoring-xxx-com

1 Answer

0
votes

The secret and the nginx ingress controller are in different namespaces. There is an option where you can set the certificate from another namespace.

https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/cli-arguments.md

--default-ssl-certificate string    Name of the secret
    that contains a SSL certificate to be used as default for a HTTPS catch-all server.
    Takes the form <namespace>/<secret name>.

To find the namespace of your secret:

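# Search every namespace; a plain "describe" only looks in the current one
kubectl get secrets --all-namespaces --field-selector metadata.name=monitoring-xxx-com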

Using the default-ssl-certificate in the deployment template:

spec: 
  template: 
    spec: 
      containers: 
        - args: 
            - /nginx-ingress-controller
            - "--default-backend-service=$(POD_NAMESPACE)/default-http-backend"
            - "--default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate"
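The namespace mismatch discussed in this thread can be confirmed by comparing the controller's "was not found" errors with a cluster-wide secret listing. The Python script below is an added example, not part of the original question or answer. Its log lines and secret listing are constructed, and the `default` namespace, the `grafana-xxx-com` secret and the status names are assumptions for illustration.

```python
import json
import re

# ingress-nginx error format quoted in the question above.
NOT_FOUND = re.compile(r"secret ([a-z0-9-]+)/([a-z0-9.-]+) was not found")

def index_secrets(secret_list_json):
    """Map secret name -> set of namespaces holding a secret with that name."""
    index = {}
    for item in json.loads(secret_list_json)["items"]:
        meta = item["metadata"]
        index.setdefault(meta["name"], set()).add(meta["namespace"])
    return index

def diagnose(log_text, secret_list_json):
    """Classify every secret the controller could not load."""
    index = index_secrets(secret_list_json)
    findings = []
    for ns, name in sorted(set(NOT_FOUND.findall(log_text))):
        namespaces = index.get(name, set())
        if ns in namespaces:
            status = "present"          # log line is stale, secret exists now
        elif namespaces:
            status = "wrong-namespace"  # issued, but not where the Ingress lives
        else:
            status = "not-issued"       # no such secret anywhere in the cluster
        findings.append({"wanted": f"{ns}/{name}", "status": status,
                         "found_in": sorted(namespaces - {ns})})
    return findings

# Constructed sample input, modelled on the error in the question.
SAMPLE_LOG = """\
error obtaining PEM from secret kube-system/monitoring-xxx-com: error retrieving secret kube-system/monitoring-xxx-com: secret kube-system/monitoring-xxx-com was not found
error obtaining PEM from secret kube-system/grafana-xxx-com: error retrieving secret kube-system/grafana-xxx-com: secret kube-system/grafana-xxx-com was not found
"""
# Constructed stand-in for `kubectl get secrets --all-namespaces -o json`.
SAMPLE_SECRETS = json.dumps({"items": [
    {"metadata": {"name": "monitoring-xxx-com", "namespace": "default"}},
    {"metadata": {"name": "default-token-abcde", "namespace": "kube-system"}},
]})

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_SECRETS):
        print(finding)
```

A `wrong-namespace` result points at the Certificate's namespace: an Ingress can only reference TLS secrets in its own namespace, so the Certificate has to be created where the Ingress lives.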