1

I'm trying to get a Kubernetes cluster using the nginx ingress controller and cert manager to get an SSL cert from Let's Encrypt. Currently it appears the cert has been issued; however, I am unable to get it to load properly inside Chrome or via curl.

Below are some config files that show the current config and following that some describes.

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager-prod
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: letsencrypt-prod
  namespace: cert-manager-prod
spec:
  commonName: me@example.com # This is not actually what I have, just for example reasons
  secretName: letsencrypt-prod-tls
  issuerRef:
    name: letsencrypt-prod

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # needed to allow the front end to talk to the back end
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://portal.<domain>.com"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, PUT, POST, DELETE, PATCH, OPTIONS"
    # needed for monitoring - maybe
    prometheus.io/scrape: "true"
    prometheus.io/port: "10254"
    #for nginx ingress controller
    ad.datadoghq.com/nginx-ingress-controller.check_names: '["nginx","nginx_ingress_controller"]'
    ad.datadoghq.com/nginx-ingress-controller.init_configs: '[{},{}]'
    ad.datadoghq.com/nginx-ingress-controller.instances: '[{"nginx_status_url": "http://%%host%%:18080/nginx_status"},{"prometheus_url": "http://%%host%%:10254/metrics"}]'
    ad.datadoghq.com/nginx-ingress-controller.logs: '[{"service": "controller", "source":"nginx-ingress-controller"}]'
  name: prod-ingress
  namespace: production
spec:
  rules:
  - host: api.<domain>.com
    http:
      paths:
      - backend:
          serviceName: api
          servicePort: 8090
        path: /
  tls: # < placing a host in the TLS config will indicate a certificate should be created
  - hosts:
    - api.<domain>.com
    secretName: prod-ingress-cert # < cert-manager will store the created certificate in this secret

me@LAPTOP-LINUX:~/Projects/k8/tmp$ kubectl get certificates
NAME                READY   SECRET              AGE
prod-ingress-cert   False   prod-ingress-cert   30m

Name:         prod-ingress-cert
Namespace:    production
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-01-26T21:29:07Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  prod-ingress
    UID:                   adec15ea-4cde-4376-8e6a-306586e57119
  Resource Version:        2780
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/production/certificates/prod-ingress-cert
  UID:                     c86bf4aa-8435-4da0-a822-1a0e9d1df38e
Spec:
  Dns Names:
    api.<domain>.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  prod-ingress-cert
Status:
  Conditions:
    Last Transition Time:  2020-01-26T21:29:07Z
    Message:               Waiting for CertificateRequest "prod-ingress-cert-1024021523" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  30m   cert-manager  Generated a new private key
  Normal  Requested     30m   cert-manager  Created new CertificateRequest resource "prod-ingress-cert-1024021523"

That's everything I can think of that might be of use in resolving this issue. I should note I have a similar setup running on development (well did till I took the cluster down today) that is/was working.

joshk132

1 Answer

1

Issue ended up being that I was creating a self-signed cert because I was using the wrong issuer. I had an issue before with the dev.yaml file but never updated for this new ENV.

joshk132
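
The fix the answer describes, as an added example that is not the poster's actual manifest: the self-signed Issuer from the question next to an ACME ClusterIssuer, which is the kind the Ingress annotation `cert-manager.io/cluster-issuer` and the `Issuer Ref` in the describe output refer to. The contact e-mail, the account-key secret name and the HTTP-01 solver through the nginx ingress class are assumptions.

```yaml
# Before (from the question): a namespaced, self-signed Issuer.
# Certificates it signs have issuer == subject, so browsers and curl reject them.
#
#   apiVersion: cert-manager.io/v1alpha2
#   kind: Issuer
#   metadata:
#     name: letsencrypt-prod
#     namespace: cert-manager-prod
#   spec:
#     selfSigned: {}
#
# After: a cluster-scoped ACME issuer with the same name, so the existing
# Ingress annotation resolves to it without further changes.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod            # matches cert-manager.io/cluster-issuer on the Ingress
spec:
  acme:
    # Let's Encrypt production ACME v2 directory
    server: https://acme-v02.api.letsencrypt.org/directory
    # Assumption: placeholder contact address for expiry notices
    email: me@example.com
    # Assumption: name of the secret that holds the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    # Assumption: HTTP-01 challenge answered through the nginx ingress class
    - http01:
        ingress:
          class: nginx
```

A ClusterIssuer is not namespaced, so the Ingress in `production` can reference it, which a namespaced Issuer in `cert-manager-prod` cannot satisfy. Once the Certificate reports `READY True`, the issuer field of the served certificate should name Let's Encrypt rather than repeat the subject.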