ollystephens / acme-kong-kube-helper
A kong-ingress-controller helper utility (needed short-term)
License: Apache License 2.0
First of all, thanks for this helper. It is very useful while cert-manager works on its feature to solve this inconvenience: cert-manager/cert-manager#1097
Your helper solved the http01 validation problem in the staging environment, and it all works.
When the http01 validation is to be performed, it is necessary to use the letsencrypt production environment to get the https encryption.
It works: https://test1kongletsencrypt.possibilit.nl/index.html
The order was validated and the challenge looks as if it were completed:
⟩ kubectl get order
NAME STATE AGE
letsencrypt-prod-xxxxx valid 3m
challenges:
- authzURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxxxxxxx
  config:
    http01:
      ingressClass: kong
  dnsName: test1kongletsencrypt.possibilit.nl
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  key: -xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  token: -xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  type: http-01
  url: https://acme-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxxxxxxxxxxxxxxxxxxx
  wildcard: false
finalizeURL: https://acme-v02.api.letsencrypt.org/acme/finalize/xxxxxxxxxxxxxxxxxxxxxxxxxx
state: valid
url: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxx/xxxxxx
Now I have https enabled, the logs of my kong-proxy are:
kubectl logs service/kong-proxy -n kong
0.244.4.1 - - [21/Mar/2019:10:47:49 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 404 19 "-" "Go-http-client/1.1"
10.244.4.1 - - [21/Mar/2019:10:47:59 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 404 19 "-" "Go-http-client/1.1"
10.244.4.1 - - [21/Mar/2019:10:48:09 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 404 19 "-" "Go-http-client/1.1"
2019/03/21 10:49:18 [error] 36#0: *2463556 upstream timed out (110: Operation timed out) while connecting to upstream, client: 10.244.4.1, server: kong, request: "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1", upstream: "http://10.244.4.22:8089/.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk", host: "test1kongletsencrypt.possibilit.nl"
2019/03/21 10:49:33 [error] 36#0: *2463556 connect() failed (113: Host is unreachable) while connecting to upstream, client: 10.244.4.1, server: kong, request: "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1", upstream: "http://10.244.4.22:8089/.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk", host: "test1kongletsencrypt.possibilit.nl"
10.244.4.1 - - [21/Mar/2019:10:49:33 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 502 69 "-" "Go-http-client/1.1"
10.244.4.1 - - [21/Mar/2019:10:49:45 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2019/03/21 10:49:50 [error] 36#0: *2463974 [lua] balancer.lua:569: on_target_event(): target create: upstream not found for e336b015-24c8-4d1f-84f0-76a8c6519acc, context: ngx.timer
2019/03/21 10:49:51 [error] 37#0: *2463979 [lua] balancer.lua:569: on_target_event(): target create: upstream not found for e336b015-24c8-4d1f-84f0-76a8c6519acc, context: ngx.timer
10.240.0.6 - - [21/Mar/2019:10:52:56 +0000] "GET /index.html HTTP/1.1" 200 4729 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36"
2019/03/21 10:52:56 [warn] 36#0: *2464780 an upstream response is buffered to a temporary file /usr/local/kong/proxy_temp/2/14/0000000142 while reading upstream, client: 10.240.0.6, server: kong, request: "GET /swagger-ui.css HTTP/1.1", upstream: "http://10.244.4.4:5000/swagger-ui.css", host: "test1kongletsencrypt.possibilit.nl", referrer: "https://test1kongletsencrypt.possibilit.nl/index.html"
2019/03/21 10:52:56 [warn] 36#0: *2464783 an upstream response is buffered to a temporary file /usr/local/kong/proxy_temp/3/14/0000000143 while reading upstream, client: 10.240.0.7, server: kong, request: "GET /swagger-ui-bundle.js HTTP/1.1", upstream: "http://10.244.4.4:5000/swagger-ui-bundle.js", host: "test1kongletsencrypt.possibilit.nl", referrer: "https://test1kongletsencrypt.possibilit.nl/index.html"
10.240.0.6 - - [21/Mar/2019:10:52:56 +0000] "GET /swagger-ui.css HTTP/1.1" 200 153554 "https://test1konglet
but when I check the logs of my kong-ingress-controller I can see:
kubectl logs pod/kong-ingress-controller-7b6d8fff97-dqhqx -n kong -c ingress-controller
I0321 13:38:18.111716 6 controller.go:128] syncing Ingress configuration...
E0321 13:38:18.112283 6 kong.go:1142] Unexpected response searching a Kong Certificate: Get http://localhost:8001/certificates/xxxxxxx: dial tcp 127.0.0.1:8001: connect: connection refused
E0321 13:38:18.112381 6 controller.go:131] unexpected failure updating Kong configuration:
Get http://localhost:8001/certificates/xxxx: dial tcp 127.0.0.1:8001: connect: connection refused
W0321 13:38:18.112426 6 queue.go:113] requeuing kong/kong-ingress-controller, err Get http://localhost:8001/certificates/xxxxxx: dial tcp 127.0.0.1:8001: connect: connection refused
I0321 13:38:21.445027 6 controller.go:128] syncing Ingress configuration...
I0321 13:38:21.558617 6 kong.go:1075] cert: xxxxx
I0321 13:38:21.906269 6 kong.go:113] syncing global plugins
W0321 13:38:22.052754 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:38:22.148100 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 13:57:46.099361 6 controller.go:128] syncing Ingress configuration...
I0321 13:57:46.099376 6 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"kong-ingress-zcrm365", UID:"61cfae03-4bc6-11e9-a113-e27267a7d354", APIVersion:"extensions", ResourceVersion:"1737014", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/kong-ingress-zcrm365
I0321 13:57:47.109286 6 kong.go:1075] cert: 0xc00028d9a0
I0321 13:57:47.359356 6 kong.go:113] syncing global plugins
W0321 13:57:47.512055 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:57:47.620555 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 13:59:15.951895 6 controller.go:128] syncing Ingress configuration...
I0321 13:59:17.007628 6 kong.go:1075] cert: 0xc0002d9de0
I0321 13:59:17.278458 6 kong.go:113] syncing global plugins
W0321 13:59:17.409185 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:59:17.501766 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 13:59:19.285339 6 controller.go:128] syncing Ingress configuration...
I0321 13:59:19.309961 6 kong.go:1075] cert: 0xc000467aa0
I0321 13:59:19.435868 6 kong.go:113] syncing global plugins
W0321 13:59:19.440702 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:59:19.469779 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:01:56.639413 6 controller.go:128] syncing Ingress configuration...
I0321 14:01:57.721909 6 kong.go:1075] cert: 0xc0004149d0
I0321 14:01:58.075285 6 kong.go:113] syncing global plugins
W0321 14:01:58.411690 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:01:58.502241 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:02:05.631933 6 controller.go:128] syncing Ingress configuration...
I0321 14:02:10.656147 6 kong.go:1075] cert: 0xc0002d9f40
I0321 14:02:11.404879 6 kong.go:113] syncing global plugins
W0321 14:02:11.636497 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:02:11.730037 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:04:06.613439 6 controller.go:128] syncing Ingress configuration...
I0321 14:04:07.724478 6 kong.go:1075] cert: 0xc000247f00
I0321 14:04:08.020591 6 kong.go:113] syncing global plugins
W0321 14:04:08.220507 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:04:08.321211 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:04:15.613841 6 controller.go:128] syncing Ingress configuration...
I0321 14:04:16.638482 6 kong.go:1075] cert: 0xc000047b50
I0321 14:04:16.901985 6 kong.go:113] syncing global plugins
W0321 14:04:17.070157 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:04:17.153808 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:09:15.952353 6 controller.go:128] syncing Ingress configuration...
I0321 14:09:16.699389 6 kong.go:1075] cert: 0xc000247d90
I0321 14:09:18.207881 6 kong.go:113] syncing global plugins
W0321 14:09:18.930252 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:09:19.014756 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:09:19.285693 6 controller.go:128] syncing Ingress configuration...
I0321 14:09:19.313476 6 kong.go:1075] cert: 0xc0002d99f0
I0321 14:09:19.443502 6 kong.go:113] syncing global plugins
W0321 14:09:19.448412 6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:09:19.477150 6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I am not sure why this happens. I would like to share my kong-ingress-zcrm365 ingress resource with you; it is this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kong-ingress-zcrm365
  #namespace: default
  annotations:
    # kubernetes.io/ingress.class: "nginx" #
    kubernetes.io/ingress.class: "kong"
    # certmanager.k8s.io/issuer: "letsencrypt-prod" #"letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/acme-http01-edit-in-place: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # letsencrypt-staging
spec:
  rules:
  - host: test1kongletsencrypt.possibilit.nl
    http:
      paths:
      - path: "/"
        backend:
          serviceName: zcrm365dev
          servicePort: 80
  tls:
  - hosts:
    - test1kongletsencrypt.possibilit.nl
    secretName: letsencrypt-prod # letsencrypt-staging
I am not sure which of all these annotations are necessary, but currently my service, which is a Swagger API URL, is referencing a problem with kong in relation to error 500.
Do you know how I can start to debug the problem?
Hello,
To tackle this problem, Kong Ingress Controller sets preserve_host to true by default and hence things should work.
Could you try to use that and update this repository?
When I applied acme-kong-kube-helper some weeks ago, I could see the following in my kong-ingress-controller, indicating that the helper works to perform the tls handshake:
⟩ kubectl logs pods/kong-ingress-controller-7b6d8fff97-dqhqx -n kong -c acme-kong-kube-helper
2019/03/21 10:48:18 Matching ingress added: cm-acme-http-solver-9qk9l
2019/03/21 10:48:18 path /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk
2019/03/21 10:48:28 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:28 successfully patched kong route: ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:39 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:39 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:48:49 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:49 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:48:59 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:59 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:08 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:08 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:18 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:18 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:29 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:29 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:39 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:39 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:50:08 mission accomplished for path /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk
[I]
~
And now, for some days since I applied it, I can't see this same behavior in my kong-ingress-controller when I request the logs of the acme-kong-kube-helper container. Instead, I don't get any logs, as shown here:
⟩ k logs pod/kong-ingress-controller-754d5dcf55-rj7zb -n kong -c acme-kong-kube-helper
[I]
Instead, when I created the ingress resource and requested the logs of my kong-ingress-controller, associating my kong-ingress-controller container, I can see the following related to acme-kong-kube-helper, which did not appear before. It is this:
I0408 09:55:49.636266 6 controller.go:128] syncing Ingress configuration...
I0408 09:55:49.646791 6 kong.go:1075] cert: 0xc000046180
I0408 09:55:50.064447 6 kong.go:113] syncing global plugins
I0408 09:55:50.102665 6 kong.go:549] deleting Kong Service default.cm-acme-http-solver-27plz.8089
I0408 09:55:50.313923 6 kong.go:805] updating Kong Route for host _, path /priva and service 0xc00023a500
I0408 09:55:50.549357 6 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"zcrm365-sandbox-ingress", UID:"f27ff38b-59e3-11e9-8b93-de0f49f53bf8", APIVersion:"extensions", ResourceVersion:"391234", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/zcrm365-sandbox-ingress
I0408 09:55:50.567904 6 kong.go:918] deleting Kong Route c93ba320-ed9e-4e4c-b02d-76535d371c6e
I0408 09:55:52.969573 6 controller.go:128] syncing Ingress configuration...
I0408 09:55:53.910110 6 kong.go:1133] creating Kong SSL Certificate for host zcrm365sand.possibilit.nl located in Secret default/
I0408 09:55:54.223216 6 kong.go:1165] creating Kong SNI for host zcrm365sand.possibilit.nl and certificate id 0xc000265960
I0408 09:55:54.267353 6 kong.go:1075] cert: 0xc000047620
I0408 09:55:54.445856 6 kong.go:1027] creating Kong Upstream with name default.cm-acme-http-solver-27plz.8089
I0408 09:55:54.562474 6 kong.go:241] creating Kong Target 10.244.0.14:8089 for upstream 4d43dc23-82f1-4da8-b8e8-5d8694ad557a
I0408 09:55:54.788418 6 kong.go:113] syncing global plugins
I0408 09:55:55.046332 6 kong.go:777] creating Kong Route for host zcrm365sand.possibilit.nl, path /.well-known/acme-challenge/38MK5-Ms72R6_I8GenCDaEsVrcT1w_xDmY04By9cpf0 and service 6f8de943-ad4d-4226-9665-390ac2e28573
W0408 09:56:13.987388 6 controller.go:387] service default/cm-acme-http-solver-27plz does not have any active endpoints
I0408 10:00:55.145266 6 controller.go:128] syncing Ingress configuration...
I0408 10:00:56.398897 6 kong.go:113] syncing global plugins
I0408 10:00:56.621720 6 kong.go:777] creating Kong Route for host _, path / and service c1c4b79a-cab2-44ee-a1bf-40547b72a8e5
I0408 10:00:56.992052 6 kong.go:918] deleting Kong Route be7712e1-d7db-41be-a13a-85dd7f37d651
I0408 10:00:58.478690 6 controller.go:128] syncing Ingress configuration...
I0408 10:00:58.612291 6 kong.go:113] syncing global plugins
I0408 10:00:58.655929 6 kong.go:805] updating Kong Route for host _, path / and service 0xc00023a060
[I]
My letsencrypt-staging certificate and order were validated
⟩ k get order
NAME STATE AGE
letsencrypt-staging-3060892365 valid 28m
[I]
⟩ kd certificate letsencrypt-staging
Name:         letsencrypt-staging
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-04-08T09:51:57Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  zcrm365-sandbox-ingress
    UID:                   f27ff38b-59e3-11e9-8b93-de0f49f53bf8
  Resource Version:        391307
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/letsencrypt-staging
  UID:                     f2826f7b-59e3-11e9-8b93-de0f49f53bf8
Spec:
  Acme:
    Config:
      Domains:
        zcrm365sand.possibilit.nl
      Http 01:
        Ingress:  zcrm365-sandbox-ingress
  Dns Names:
    zcrm365sand.possibilit.nl
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-staging
  Secret Name:  letsencrypt-staging
Status:
  Conditions:
    Last Transition Time:  2019-04-08T09:56:15Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-07-07T08:56:14Z
Events:
  Type    Reason              Age  From          Message
  ----    ------              ---- ----          -------
  Normal  Generated           29m  cert-manager  Generated new private key
  Normal  GenerateSelfSigned  29m  cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        29m  cert-manager  Created Order resource "letsencrypt-staging-3060892365"
  Normal  OrderComplete       25m  cert-manager  Order "letsencrypt-staging-3060892365" completed successfully
  Normal  CertIssued          25m  cert-manager  Certificate issued successfully
[I]
And cert-manager takes the order and performs the tls handshake with letsencrypt:
⟩ k logs pod/cert-manager-6f68b58796-l7kwf -n cert-manager
I0408 09:56:14.647462 1 logger.go:43] Calling GetOrder
I0408 09:56:15.305723 1 controller.go:190] orders controller: Finished processing work item "default/letsencrypt-staging-3060892365"
I0408 09:56:15.305897 1 controller.go:184] orders controller: syncing item 'default/letsencrypt-staging-3060892365'
I0408 09:56:15.306145 1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-staging'
I0408 09:56:15.306151 1 logger.go:58] Calling FinalizeOrder
I0408 09:56:15.324242 1 sync.go:263] Certificate default/letsencrypt-staging scheduled for renewal in 1438h59m58.675766873s
I0408 09:56:15.324571 1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-staging"
I0408 09:56:15.329486 1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-staging'
I0408 09:56:15.329854 1 conditions.go:143] Found status change for Certificate "letsencrypt-staging" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-04-08 09:56:15.32984867 +0000 UTC m=+69975.057141117
I0408 09:56:15.330060 1 sync.go:263] Certificate default/letsencrypt-staging scheduled for renewal in 1438h59m58.669946428s
I0408 09:56:15.386429 1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-staging"
I0408 09:56:15.386559 1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-staging'
But when I go to my website domain, http://zcrm365sand.possibilit.nl/, the certificate hasn't been signed (in the letsencrypt-staging case) by the FAKE LE Intermediate X1 CA, which is the expected result.
When I changed to the letsencrypt-production environment case, I got the same result: the certificates and order were validated by the LE production CA and the kong routes and service were created, but I can't get the https encryption.
I am asking about this situation because I have some doubt about why k logs pod/kong-ingress-controller-754d5dcf55-rj7zb -n kong -c acme-kong-kube-helper does not return anything and the kong-ingress-controller container is taking over to create the route here, referencing the cm-acme-http-solver-27plz pod that was created before in kubernetes:
creating Kong Route for host zcrm365sand.possibilit.nl, path /.well-known/acme-challenge/38MK5-Ms72R6_I8GenCDaEsVrcT1w_xDmY04By9cpf0 and service 6f8de943-ad4d-4226-9665-390ac2e28573
W0408 09:56:13.987388 6 controller.go:387] service default/cm-acme-http-solver-27plz does not have any active endpoints
Is my acme-kong-kube-helper implementation not working?
I am adding acme-kong-kube-helper to kong as a third container, according to the instructions.
Or is this behavior related to this issue that was created?
Create a KongIngress instead of patching the existing Kong route
Although I suppose that at the moment it has not been merged ...
I have been testing this many times this past week, and I can't get the https encryption using the acme-kong-kube-helper, despite my orders and certificates being validated in the letsencrypt staging and production environments.
Because my letsencrypt-staging secret doesn't get the .crt key:
⟩ kd secrets letsencrypt-staging
Name:         letsencrypt-staging
Namespace:    default
Labels:       certmanager.k8s.io/certificate-name=letsencrypt-staging
Annotations:  certmanager.k8s.io/alt-names: zcrm365sand.possibilit.nl
              certmanager.k8s.io/common-name: zcrm365sand.possibilit.nl
              certmanager.k8s.io/ip-sans:
              certmanager.k8s.io/issuer-kind: ClusterIssuer
              certmanager.k8s.io/issuer-name: letsencrypt-staging
Type:         kubernetes.io/tls
Data
====
ca.crt:   0 bytes
tls.crt:  3574 bytes
tls.key:  1675 bytes
[I]
~/workspace/ZCRM365/Deployments/Kubernetes · (Deployments±)
⟩
Is it possible that letsencrypt is limiting my requests? But I am not sure, because my order is arriving at the CA and being validated ...
First, thank you for this helper. Like many, I have issues with Kong and cert-manager working together, so I tried your helper and realised there is no support for RBAC-enabled clusters:
E0321 10:09:23.210174 1 reflector.go:134] app/main.go:87: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list resource "ingresses" in API group "extensions" at the cluster scope
Just an idea: wouldn't it be better to create a matching KongIngress resource when a new Ingress is created? That would make it more permanent for Kong, and there is no risk of losing the route customization because of an outside event.
I'm not familiar enough with Go but I'll look into the code.
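
The RBAC error in the post above names exactly what the helper's service account is missing: list on ingresses in the extensions API group at cluster scope. A minimal read-only grant for that, as an added example (not part of the original post or of the project's own manifests); the ServiceAccount, ClusterRole and ClusterRoleBinding names and the use of the default namespace are assumptions:

```yaml
# Added example: all names below are hypothetical, not taken from the project.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: acme-kong-kube-helper          # hypothetical name
  namespace: default                   # namespace shown in the error message
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acme-kong-kube-helper-ingress-reader   # hypothetical name
rules:
  # Read-only access to the single resource the error names.
  # The reflector lists and then watches, so both verbs are needed.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: acme-kong-kube-helper-ingress-reader   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: acme-kong-kube-helper-ingress-reader
subjects:
  - kind: ServiceAccount
    name: acme-kong-kube-helper
    namespace: default
```

The pod running the helper has to reference the account through spec.serviceAccountName; when the helper runs as an extra container inside the kong-ingress-controller pod it shares that pod's service account, so the rule belongs on that account's role instead. After applying, `kubectl auth can-i list ingresses.extensions --all-namespaces --as=system:serviceaccount:default:acme-kong-kube-helper` should answer yes.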