Express js example not working with letsencrypt
What I have done. Following the guide here: https://www.civo.com/learn/get-a-tls-certificate-for-your-application-with-jetstack-s-cert-manager
cd /tmp
git clone https://github.com/alexellis/expressjs-k8s
cd expressjs-k8s
kubectl apply -f ./yaml/dep.yaml
kubectl apply -f ./yaml/svc.yaml
echo "apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: expressjs
  annotations:
    kubernetes.io/tls-acme: \"true\"
    cert-manager.io/issuer: letsencrypt-pro
    kubernetes.io/ingress.class: \"traefik\"
spec:
  tls:
  - hosts:
    - expressjs.example.com
    secretName: expressjs-secret
  rules:
  - host: expressjs.example.com
    http:
      paths:
      - backend:
          service:
            name: expressjs
            port:
              number: 8080
        path: /
        pathType: Prefix" > /tmp/expressjs-k8s/ingress.yml
kubectl apply -f /tmp/expressjs-k8s/ingress.yml
example.com is replaced on my local machine. Cert-manager is installed and the letsencrypt-pro issuer does exist on my cluster as a ClusterIssuer.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-pro"},"spec":{"acme":{"email":"[email protected]","privateKeySecretRef":{"name":"letsencrypt-pro"},"server":"https://acme-v02.api.letsencrypt.org/directory","solvers":[{"http01":{"ingress":{"class":"traefik"}},"selector":{}}]}}}
  creationTimestamp: "2021-07-09T06:47:05Z"
  generation: 1
  name: letsencrypt-pro
  resourceVersion: "1012"
  uid: b93d1b59-f21b-4183-b6e8-f6386993ae0d
spec:
  acme:
    email: [email protected]
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-pro
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik
      selector: {}
status:
  acme:
    lastRegisteredEmail: [email protected]
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/129907932
  conditions:
  - lastTransitionTime: "2021-07-09T06:47:07Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
I would expect this to work now, but I get errors in the traefik pod that the secret was not found. As you can see, the secret traefik is trying to find is exactly the one configured in the ingress. But the secret itself has an additional number in the name. I think that's why it does not get found. Looks like cert-manager is generating the secret with a "wrong" name or traefik does not search for it the right way.
{"level":"error","msg":"Error configuring TLS for ingress default/expressjs: secret default/expressjs-secret does not exist","time":"2021-07-09T07:10:52Z"}
# secret
expressjs-secret-qgxcm Opaque 1 9m11s
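
cert-manager reads the `cert-manager.io/issuer` annotation as the name of a namespaced Issuer in the Ingress's own namespace, and `cert-manager.io/cluster-issuer` as the name of a ClusterIssuer. The check below is an added example, not part of the original post or of cert-manager; it compares an Ingress's annotation with the issuers that exist, using manifest data constructed from the post (the function names and the `default` namespace taken from the traefik log are assumptions of the example).

```python
ISSUER = "cert-manager.io/issuer"                  # names a namespaced Issuer
CLUSTER_ISSUER = "cert-manager.io/cluster-issuer"  # names a ClusterIssuer

def resolve_issuer_ref(ingress):
    """Return the (kind, name, namespace) the Ingress annotations refer to, or None."""
    meta = ingress["metadata"]
    ann = meta.get("annotations", {})
    if ISSUER in ann and CLUSTER_ISSUER in ann:
        raise ValueError("both issuer annotations are set; use exactly one")
    if CLUSTER_ISSUER in ann:
        return ("ClusterIssuer", ann[CLUSTER_ISSUER], None)  # cluster-scoped
    if ISSUER in ann:
        # An Issuer is looked up in the Ingress's own namespace.
        return ("Issuer", ann[ISSUER], meta.get("namespace", "default"))
    return None

def check_ingress(ingress, issuers):
    """issuers: Issuer/ClusterIssuer objects, e.g. parsed from `kubectl get ... -o json`."""
    ref = resolve_issuer_ref(ingress)
    if ref is None:
        return "no issuer annotation"
    kind, name, _ = ref
    existing = {(i["kind"], i["metadata"]["name"], i["metadata"].get("namespace"))
                for i in issuers}
    if ref in existing:
        return "ok"
    other = sorted(k for k, n, _ in existing if n == name and k != kind)
    if other:
        return f"{kind} {name!r} not found, but a {other[0]} with that name exists"
    return f"{kind} {name!r} not found"

# Constructed from the manifests in the post (only the fields the check reads).
POSTED_INGRESS = {"kind": "Ingress", "metadata": {
    "name": "expressjs", "namespace": "default",
    "annotations": {"kubernetes.io/tls-acme": "true",
                    "cert-manager.io/issuer": "letsencrypt-pro",
                    "kubernetes.io/ingress.class": "traefik"}}}
CLUSTER_ISSUERS = [{"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-pro"}}]

if __name__ == "__main__":
    print(check_ingress(POSTED_INGRESS, CLUSTER_ISSUERS))
```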