kube-lego

Impossible to request certificate when ingress for path / exists

Open tobilarscheid opened this issue 7 years ago • 6 comments

Hi everyone,

We just faced the issue that it is impossible to request certificates with kube-lego when another ingress for the path / already exists. The /.well-known/acme path in the ingress created by kube-lego is then not reachable. I know this is somewhat a limitation of kubernetes-ingress, I was just curious if you guys consider this as a problem or not. In theory it might be possible for kube-lego to detect such situations and temporarily reconfigure the colliding ingress.

Regards,

Tobi

tobilarscheid avatar Jun 01 '17 16:06 tobilarscheid

This shouldn't be the case - the 'longer' (aka more precise) path should be chosen when routing.

What ingress controller are you using?

munnerz avatar Jul 05 '17 17:07 munnerz

We are using the nginx ingress controller.

Why do you think the longer path should be chosen? This issue indicates behaviour in the case of having multiple ingresses for the same host is not defined by the kubernetes docs. Merging usually works fine, in the case I described above however it can become problematic.

tobilarscheid avatar Jul 06 '17 06:07 tobilarscheid

I think the nginx ingresses get priority by name in this case. I worked around this by naming my ingress to something alphabetically later than kube-lego-....

fascinatedcow avatar Jul 06 '17 07:07 fascinatedcow

I reported a possibly similar issue in the ingress project for the nginx controller. If you are using rewrite-target, you might be affected by this: https://github.com/kubernetes/ingress/issues/495

ankon avatar Jul 06 '17 08:07 ankon

@fascinatedcow That did not work for me. Did the deployment name also follow kube-lego-...?

Can someone please educate me on how to tell or configure GCE vs Nginx ingress controllers?

paulwalker avatar Oct 07 '17 15:10 paulwalker

I am experiencing the same issue. I have the following ingress for my web (mydomain.com):

...
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: domain-tls
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web
          servicePort: 3000

that overrides the one that kube-lego creates (mydomain.com/.well-known/acme-challenge):

...
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: kube-lego-nginx
          servicePort: 8080
        path: /.well-known/acme-challenge

When I try to access mydomain.com/.well-known/acme-challenge, it takes me to my web instead of kube-lego's nginx.

I tried renaming my web's ingress so that it is alphabetically before kube-lego's one, but it does not work.

jihonrado avatar Oct 13 '18 12:10 jihonrado
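
A diagnostic for the situation discussed in this thread, as an added example that is not part of any post and is not kube-lego code: it flags hosts where `/` and the ACME challenge path are defined by different Ingress objects, and computes which backend the longest-prefix expectation from the second comment would select, so the result can be compared with what the controller actually serves. The ingress names are hypothetical (the posted manifests elide their metadata), and the prefix match is a plain string comparison.

```python
# Added example: not code from kube-lego or from the thread.
ACME_PATH = "/.well-known/acme-challenge"

# Constructed from the two specs in the last post; the metadata names are
# elided there, so the names below are hypothetical.
INGRESSES = [
    {"metadata": {"name": "web-ingress"},
     "spec": {"rules": [{"host": "mydomain.com", "http": {"paths": [
         {"path": "/", "backend": {"serviceName": "web", "servicePort": 3000}}]}}]}},
    {"metadata": {"name": "kube-lego-ingress"},
     "spec": {"rules": [{"host": "mydomain.com", "http": {"paths": [
         {"path": ACME_PATH,
          "backend": {"serviceName": "kube-lego-nginx", "servicePort": 8080}}]}}]}},
]


def routes_by_host(ingresses):
    """Flatten Ingress objects into {host: [(path, service, ingress_name)]}."""
    table = {}
    for ing in ingresses:
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                entry = (p.get("path", "/"), p["backend"]["serviceName"],
                         ing["metadata"]["name"])
                table.setdefault(rule.get("host", "*"), []).append(entry)
    return table


def longest_prefix_backend(routes, request_path):
    """Service a longest-prefix router would pick, or None if nothing matches."""
    matches = [r for r in routes if request_path.startswith(r[0])]
    return max(matches, key=lambda r: len(r[0]))[1] if matches else None


def hosts_to_verify(ingresses):
    """Hosts where '/' and the ACME path come from different Ingress objects."""
    flagged = []
    for host, routes in routes_by_host(ingresses).items():
        root = {name for path, _, name in routes if path == "/"}
        acme = {name for path, _, name in routes if path == ACME_PATH}
        if root and acme and root != acme:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in hosts_to_verify(INGRESSES):
        expected = longest_prefix_backend(routes_by_host(INGRESSES)[host],
                                          ACME_PATH + "/token")
        print(f"{host}: ACME path split across ingresses; expect {expected}")
```

If a request to the challenge path on a flagged host reaches a different service than the one printed, the controller is not resolving the two ingresses by longest prefix for that host.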