Digging through the web, I didn't find an answer: I want to know how I can use cert-manager with haproxy-ingress and Let's Encrypt.
Any documentation / guidelines?
Deploy cert-manager with:

```bash
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml
```

Deploy a ClusterIssuer (cluster issuers are namespace agnostic)

```bash
cat > prod-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: haproxy
EOF
```

Apply the cluster issuer with `kubectl apply -f prod-issuer.yaml`

```bash
cat > nginx-ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-router
  namespace: production
  annotations:
    kubernetes.io/ingress.class: "haproxy"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: nginx-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: nginx
            port:
              number: 80
  - host: www.example.com
    http:
      paths:
      - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: nginx
            port:
              number: 80
EOF
```

Apply the ingress resource with `kubectl apply -f nginx-ingress.yaml`

The important piece of information here is that the HAProxy controller does NOT need the annotation `acme.cert-manager.io/http01-edit-in-place: "true"` that the nginx-ingress controller does. It works as expected without any extra annotations.

When you apply the Ingress resource to the cluster, the certificate will be issued in 1-2 minutes tops.

Use `kubectl describe certificate nginx-tls-secret -n production` to check the status of the certificate, and look at the event to get the certificate.

For more debugging info in case something went wrong, refer here: https://cert-manager.io/docs/faq/acme/
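
A pre-apply check for the Ingress in the answer above, added here as an example and not part of the original answer: cert-manager requests the certificate only for the names listed under `spec.tls[].hosts`, so the script flags rule hosts missing from that list, a missing issuer annotation, and a TLS block without `secretName`. The function names are hypothetical, and the sample is constructed to mirror the manifest above, reduced to the fields being checked.

```python
# Annotations that cert-manager's ingress integration reacts to.
ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

# Constructed sample: the Ingress from the answer, reduced to the checked fields
# (same shape as `kubectl get ingress nginx-router -n production -o json`).
SAMPLE = {
    "metadata": {"name": "nginx-router", "namespace": "production", "annotations": {
        "kubernetes.io/ingress.class": "haproxy",
        "cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
    "spec": {
        "tls": [{"hosts": ["example.com"], "secretName": "nginx-tls-secret"}],
        "rules": [{"host": "example.com"}, {"host": "www.example.com"}],
    },
}

def covered(host, tls_hosts):
    """True if host matches a TLS entry exactly or through a one-label wildcard."""
    host = host.lower()
    for entry in (e.lower() for e in tls_hosts):
        if entry == host:
            return True
        # "*.example.com" covers "www.example.com", not "example.com" or "a.b.example.com"
        if entry.startswith("*.") and "." in host and host.split(".", 1)[1] == entry[2:]:
            return True
    return False

def audit_ingress(ing):
    """Return a list of findings; an empty list means the TLS wiring looks consistent."""
    findings = []
    annotations = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    if not any(a in annotations for a in ISSUER_ANNOTATIONS):
        findings.append("no cert-manager issuer annotation")
    tls_blocks = spec.get("tls") or []
    if not tls_blocks:
        findings.append("no spec.tls block")
    tls_hosts = []
    for block in tls_blocks:
        if not block.get("secretName"):
            findings.append("tls block without secretName")
        tls_hosts += block.get("hosts") or []
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not covered(host, tls_hosts):
            findings.append(f"host {host} not listed in spec.tls hosts")
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print(finding)
```

On the sample it reports `www.example.com`, which appears under `rules` but not under `tls.hosts`, so the issued certificate would not include that name.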
You can try installing cert-manager provided by Jetstack, which can be found here, and then you need to follow the steps mentioned in this Stack Overflow post; this will get things sorted for you.

An internal ACME challenge will be done by cert-manager, and once you patch the secret name mentioned in the certificate into the TLS section of the Ingress, the certificate status will reach the ready state. Note that the secret will be created automatically; you need not create it.