Having the following k8s config:
```yaml
---
kind: Namespace
apiVersion: v1
metadata:
  name: test
  labels:
    name: test
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: test
  name: test-depl
spec:
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: test-app
          image: jfsanchez91/http-test-server
---
apiVersion: v1
kind: Service
metadata:
  namespace: test
  name: test-svc
spec:
  selector:
    app: test-app
  ports:
    - name: test-app
      protocol: TCP
      port: 80
      targetPort: 8090
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  namespace: test
  name: letsencrypt-cert-issuer-test-staging
spec:
  acme:
    email: email@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cert-issuer-test-staging
    solvers:
      - http01:
          ingress:
            class: public
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  namespace: test
  name: letsencrypt-cert-issuer-test-prod
spec:
  acme:
    email: email@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cert-issuer-test-prod
    solvers:
      - http01:
          ingress:
            class: public
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: test
  name: ingress-routes
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-cert-issuer-test-prod"
spec:
  tls:
    - hosts:
        - test.example.com
      secretName: tls-secret
  rules:
    - host: test.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-svc
                port:
                  number: 80
```
The Let's Encrypt certificate is being issued and stored in tls-secret correctly.
But then when I try to open test.example.com I get an invalid certificate (the K8s default certificate): NET::ERR_CERT_AUTHORITY_INVALID.
Common Name (CN): Kubernetes Ingress Controller Fake Certificate
Organization (O): Acme Co
Q: How can I configure Ingress correctly to use the Let's Encrypt certificate?
Q: Is there anything else I should configure?
UPDATE: tls-secret type (kubernetes.io/tls):
```
$ kubectl -n test describe secrets tls-secret
Name:         tls-secret
Namespace:    test
Labels:       <none>
Annotations:  cert-manager.io/alt-names: test.example.com
              cert-manager.io/certificate-name: tls-secret
              cert-manager.io/common-name: test.example.com
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-cert-issuer-test-prod
              cert-manager.io/uri-sans:
Type:  kubernetes.io/tls

Data
====
tls.key:  1679 bytes
tls.crt:  5599 bytes
```
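
A consistency check for manifests like the ones in the question, added here as an example and not part of the original post: it compares the ingress class an Ingress requests with the class named by the HTTP-01 solver of the ClusterIssuer it references, and checks that every rule host is covered by a `tls` entry. It assumes the objects are supplied as dicts (for instance parsed from `kubectl get ... -o json`); the function names and finding codes are hypothetical, and whether the `nginx` / `public` difference it reports explains the fake certificate in this cluster is an assumption.

```python
LEGACY_CLASS = "kubernetes.io/ingress.class"
ISSUER_REF = "cert-manager.io/cluster-issuer"

def ingress_class(ing):
    """Class the Ingress requests: spec.ingressClassName, else the legacy annotation."""
    legacy = ing["metadata"].get("annotations", {}).get(LEGACY_CLASS)
    return ing.get("spec", {}).get("ingressClassName") or legacy

def solver_classes(issuer):
    """Ingress classes named by the issuer's HTTP-01 solvers."""
    solvers = issuer.get("spec", {}).get("acme", {}).get("solvers", [])
    found = (s.get("http01", {}).get("ingress", {}).get("class") for s in solvers)
    return {c for c in found if c}

def lint(objects):
    """Return (ingress, code, detail) findings for a list of manifest dicts."""
    issuers = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterIssuer"}
    findings = []
    for ing in (o for o in objects if o["kind"] == "Ingress"):
        name, spec = ing["metadata"]["name"], ing.get("spec", {})
        ref = ing["metadata"].get("annotations", {}).get(ISSUER_REF)
        if ref and ref not in issuers:
            findings.append((name, "unknown-issuer", ref))
        elif ref:
            wanted, solved = ingress_class(ing), solver_classes(issuers[ref])
            if solved and wanted not in solved:
                findings.append((name, "class-mismatch", f"{wanted} not in {sorted(solved)}"))
        # Hosts served by a rule but absent from every tls entry get no named certificate.
        tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
        for rule in spec.get("rules", []):
            if rule.get("host") and rule["host"] not in tls_hosts:
                findings.append((name, "host-without-tls", rule["host"]))
    return findings

# Constructed sample: the Ingress and prod ClusterIssuer from the question, trimmed.
SAMPLE = [
    {"kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-cert-issuer-test-prod"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "public"}}}]}}},
    {"kind": "Ingress",
     "metadata": {"name": "ingress-routes", "namespace": "test", "annotations": {
         LEGACY_CLASS: "nginx", ISSUER_REF: "letsencrypt-cert-issuer-test-prod"}},
     "spec": {"tls": [{"hosts": ["test.example.com"], "secretName": "tls-secret"}],
              "rules": [{"host": "test.example.com"}]}},
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```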