0
votes

I've done all the required configuration below to get a certificate from Let's Encrypt in Kubernetes; however, I cannot see any certificate issued.

  • Nginx-ingress install using helm

helm install my-nginx-ingress stable/nginx-ingress --set controller.publishService.enabled=true

  • Cert-manager installation

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm install my-cert-manager --namespace spinnaker jetstack/cert-manager --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer

  • ClusterIssuer

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

  • Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - SpinnakerApiDomain
    - SpinnakerDeckDomain
    secretName: spinnaker
  rules:
  - host: SpinnakerApiDomain
    http:
      paths:
      - backend:
          serviceName: spin-gate
          servicePort: 8084
  - host: SpinnakerDeckDomain
    http:
      paths:
      - backend:
          serviceName: spin-deck
          servicePort: 9000

I'm following these documents:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-on-digitalocean-kubernetes-using-helm

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-cd-pipeline-with-spinnaker-on-digitalocean-kubernetes

I've gone through other URLs as well, which have the same steps, but when I run kubectl get certificates --all-namespaces I cannot see any certificate issued.

Basically I'm configuring Spinnaker behind HTTPS.

Please advise. Thanks.

1
What have you specified as secretName in your ingress yaml? – Arghya Sadhu

@Arghya Sandhu secretName I've given as "spinnaker". – Jaydeep Soni

Did you create your tls secret like this: kubernetes.github.io/ingress-nginx/user-guide/tls/#tlshttps? – Mariusz K.

@KFC_ No, I haven't. I thought of creating it, but that step is not mentioned in the URL I followed; however, let me try once and see how that goes. Thanks. – Jaydeep Soni

I have the exact same issue, with the exact same tutorial. How were you able to solve it? – E-Kami

1 Answer

0
votes

When you want to use your own self-signed certificate for Ingress, you have to create a TLS secret.

First you have to generate a self-signed certificate and private key, for example:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -subj "/CN=${HOST}/O=${HOST}"

It will prompt you for a few things, like Country Name or State, but you can just hit Enter to accept the defaults.

Then create your TLS secret:

kubectl create secret tls <secret_name> --key key.pem --cert cert.pem

Then you can use it in your Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - SpinnakerApiDomain
    - SpinnakerDeckDomain
    secretName: <secret_name>
  rules:
  - host: SpinnakerApiDomain
    http:
      paths:
      - backend:
          serviceName: spin-gate
          servicePort: 8084
  - host: SpinnakerDeckDomain
    http:
      paths:
      - backend:
          serviceName: spin-deck
          servicePort: 9000
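
Added example, not part of the original question or answer: cert-manager release 0.11 moved both its API group and its Ingress annotations from certmanager.k8s.io to cert-manager.io, so a manifest set can mix the two, as the question's ClusterIssuer and Ingress do. This check flags an Ingress whose cert-manager annotation group differs from the group its issuers are declared in; the function names and the trimmed sample manifests are constructed for illustration.

```python
import re

# Manifests constructed from the ClusterIssuer and Ingress in the question,
# trimmed to the fields this check reads.
QUESTION_MANIFESTS = """\
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
"""

ISSUER_KINDS = {"Issuer", "ClusterIssuer"}
# Annotation groups used by cert-manager before and from release 0.11.
ANNOTATION = re.compile(r"(?m)^\s+((certmanager\.k8s\.io|cert-manager\.io)/[\w-]+):")


def top_field(doc, name):
    """Return the value of an unindented `name: value` line, or None."""
    m = re.search(rf"(?m)^{name}:\s*(\S+)", doc)
    return m.group(1) if m else None


def find_group_mismatches(manifests):
    """List (ingress, annotation_found, annotation_expected) where an Ingress
    annotation's group differs from the API group the issuers are declared in."""
    docs = [d for d in re.split(r"(?m)^---\s*$", manifests) if d.strip()]
    groups = {(top_field(d, "apiVersion") or "").split("/")[0]
              for d in docs if top_field(d, "kind") in ISSUER_KINDS}
    groups.discard("")
    findings = []
    for d in docs:
        if top_field(d, "kind") != "Ingress" or not groups:
            continue
        name = re.search(r"(?m)^\s+name:\s*(\S+)", d)
        for m in ANNOTATION.finditer(d):
            key, group = m.group(1), m.group(2)
            if group not in groups:
                expected = sorted(groups)[0] + "/" + key.split("/", 1)[1]
                findings.append((name.group(1) if name else "?", key, expected))
    return findings
```

Run it over the concatenated manifests before applying them; an empty list means the Ingress annotations and the issuer API group agree.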