
acme-kong-kube-helper's People

Contributors

ollystephens


Forkers

shanoor c45tr0

acme-kong-kube-helper's Issues

kong.go:335 there is no custom Ingress configuration for rule

First of all, thanks for this helper. It is very useful while cert-manager works on its feature to solve this inconvenience: cert-manager/cert-manager#1097

Your helper solved the http01 validation problem in the staging environment, and it all works.

When the http01 validation is to be performed, it is necessary to use the letsencrypt production environment to get HTTPS encryption.

It works: https://test1kongletsencrypt.possibilit.nl/index.html
The order was validated and the challenge looks as if it were completed:

⟩ kubectl get order
NAME                          STATE   AGE
letsencrypt-prod-xxxxx   valid   3m
challenges:
  - authzURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxxxxxxx
    config:
      http01:
        ingressClass: kong
    dnsName: test1kongletsencrypt.possibilit.nl
    issuerRef:
      kind: ClusterIssuer
      name: letsencrypt-prod
    key: -xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    token: -xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    type: http-01
    url: https://acme-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxxxxxxxxxxxxxxxxxxx
    wildcard: false
  finalizeURL: https://acme-v02.api.letsencrypt.org/acme/finalize/xxxxxxxxxxxxxxxxxxxxxxxxxx
  state: valid
  url: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxx/xxxxxx

Now I have https enabled, the logs of my kong-proxy are:

kubectl logs service/kong-proxy -n kong

0.244.4.1 - - [21/Mar/2019:10:47:49 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 404 19 "-" "Go-http-client/1.1"
10.244.4.1 - - [21/Mar/2019:10:47:59 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 404 19 "-" "Go-http-client/1.1"
10.244.4.1 - - [21/Mar/2019:10:48:09 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 404 19 "-" "Go-http-client/1.1"
2019/03/21 10:49:18 [error] 36#0: *2463556 upstream timed out (110: Operation timed out) while connecting to upstream, client: 10.244.4.1, server: kong, request: "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1", upstream: "http://10.244.4.22:8089/.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk", host: "test1kongletsencrypt.possibilit.nl"
2019/03/21 10:49:33 [error] 36#0: *2463556 connect() failed (113: Host is unreachable) while connecting to upstream, client: 10.244.4.1, server: kong, request: "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1", upstream: "http://10.244.4.22:8089/.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk", host: "test1kongletsencrypt.possibilit.nl"
10.244.4.1 - - [21/Mar/2019:10:49:33 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 502 69 "-"  "Go-http-client/1.1"
10.244.4.1 - - [21/Mar/2019:10:49:45 +0000] "GET /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2019/03/21 10:49:50 [error] 36#0: *2463974 [lua] balancer.lua:569: on_target_event(): target create: upstream not found for e336b015-24c8-4d1f-84f0-76a8c6519acc, context: ngx.timer
2019/03/21 10:49:51 [error] 37#0: *2463979 [lua] balancer.lua:569: on_target_event(): target create: upstream not found for e336b015-24c8-4d1f-84f0-76a8c6519acc, context: ngx.timer
10.240.0.6 - - [21/Mar/2019:10:52:56 +0000] "GET /index.html HTTP/1.1" 200 4729 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36"
2019/03/21 10:52:56 [warn] 36#0: *2464780 an upstream response is buffered to a temporary file /usr/local/kong/proxy_temp/2/14/0000000142 while reading upstream, client: 10.240.0.6, server: kong, request: "GET /swagger-ui.css HTTP/1.1", upstream: "http://10.244.4.4:5000/swagger-ui.css", host: "test1kongletsencrypt.possibilit.nl", referrer: "https://test1kongletsencrypt.possibilit.nl/index.html"
2019/03/21 10:52:56 [warn] 36#0: *2464783 an upstream response is buffered to a temporary file /usr/local/kong/proxy_temp/3/14/0000000143 while reading upstream, client: 10.240.0.7, server: kong, request: "GET /swagger-ui-bundle.js HTTP/1.1", upstream: "http://10.244.4.4:5000/swagger-ui-bundle.js", host: "test1kongletsencrypt.possibilit.nl", referrer: "https://test1kongletsencrypt.possibilit.nl/index.html"
10.240.0.6 - - [21/Mar/2019:10:52:56 +0000] "GET /swagger-ui.css HTTP/1.1" 200 153554 "https://test1konglet

but when I check the logs of my kong-ingress-controller I can see:

kubectl logs pod/kong-ingress-controller-7b6d8fff97-dqhqx -n kong -c ingress-controller

I0321 13:38:18.111716       6 controller.go:128] syncing Ingress configuration...
E0321 13:38:18.112283       6 kong.go:1142] Unexpected response searching a Kong Certificate: Get http://localhost:8001/certificates/xxxxxxx: dial tcp 127.0.0.1:8001: connect: connection refused
E0321 13:38:18.112381       6 controller.go:131] unexpected failure updating Kong configuration: 
Get http://localhost:8001/certificates/xxxx: dial tcp 127.0.0.1:8001: connect: connection refused
W0321 13:38:18.112426       6 queue.go:113] requeuing kong/kong-ingress-controller, err Get http://localhost:8001/certificates/xxxxxx: dial tcp 127.0.0.1:8001: connect: connection refused
I0321 13:38:21.445027       6 controller.go:128] syncing Ingress configuration...
I0321 13:38:21.558617       6 kong.go:1075] cert: xxxxx
I0321 13:38:21.906269       6 kong.go:113] syncing global plugins
W0321 13:38:22.052754       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:38:22.148100       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 13:57:46.099361       6 controller.go:128] syncing Ingress configuration...
I0321 13:57:46.099376       6 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"kong-ingress-zcrm365", UID:"61cfae03-4bc6-11e9-a113-e27267a7d354", APIVersion:"extensions", ResourceVersion:"1737014", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/kong-ingress-zcrm365
I0321 13:57:47.109286       6 kong.go:1075] cert: 0xc00028d9a0
I0321 13:57:47.359356       6 kong.go:113] syncing global plugins
W0321 13:57:47.512055       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:57:47.620555       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 13:59:15.951895       6 controller.go:128] syncing Ingress configuration...
I0321 13:59:17.007628       6 kong.go:1075] cert: 0xc0002d9de0
I0321 13:59:17.278458       6 kong.go:113] syncing global plugins
W0321 13:59:17.409185       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:59:17.501766       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 13:59:19.285339       6 controller.go:128] syncing Ingress configuration...
I0321 13:59:19.309961       6 kong.go:1075] cert: 0xc000467aa0
I0321 13:59:19.435868       6 kong.go:113] syncing global plugins
W0321 13:59:19.440702       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 13:59:19.469779       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:01:56.639413       6 controller.go:128] syncing Ingress configuration...
I0321 14:01:57.721909       6 kong.go:1075] cert: 0xc0004149d0
I0321 14:01:58.075285       6 kong.go:113] syncing global plugins
W0321 14:01:58.411690       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:01:58.502241       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:02:05.631933       6 controller.go:128] syncing Ingress configuration...
I0321 14:02:10.656147       6 kong.go:1075] cert: 0xc0002d9f40
I0321 14:02:11.404879       6 kong.go:113] syncing global plugins
W0321 14:02:11.636497       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:02:11.730037       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:04:06.613439       6 controller.go:128] syncing Ingress configuration...
I0321 14:04:07.724478       6 kong.go:1075] cert: 0xc000247f00
I0321 14:04:08.020591       6 kong.go:113] syncing global plugins
W0321 14:04:08.220507       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:04:08.321211       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:04:15.613841       6 controller.go:128] syncing Ingress configuration...
I0321 14:04:16.638482       6 kong.go:1075] cert: 0xc000047b50
I0321 14:04:16.901985       6 kong.go:113] syncing global plugins
W0321 14:04:17.070157       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:04:17.153808       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:09:15.952353       6 controller.go:128] syncing Ingress configuration...
I0321 14:09:16.699389       6 kong.go:1075] cert: 0xc000247d90
I0321 14:09:18.207881       6 kong.go:113] syncing global plugins
W0321 14:09:18.930252       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:09:19.014756       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
I0321 14:09:19.285693       6 controller.go:128] syncing Ingress configuration...
I0321 14:09:19.313476       6 kong.go:1075] cert: 0xc0002d99f0
I0321 14:09:19.443502       6 kong.go:113] syncing global plugins
W0321 14:09:19.448412       6 kong.go:335] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365
W0321 14:09:19.477150       6 kong.go:751] there is no custom Ingress configuration for rule default/kong-ingress-zcrm365

I am not sure why this happens. I would like to share my kong-ingress-zcrm365 ingress resource with you; it is this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kong-ingress-zcrm365
  #namespace: default
  annotations:
    # kubernetes.io/ingress.class: "nginx" # 
    kubernetes.io/ingress.class: "kong"
    # certmanager.k8s.io/issuer:  "letsencrypt-prod" #"letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/acme-http01-edit-in-place: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # letsencrypt-staging   
spec:
  rules:
  - host: test1kongletsencrypt.possibilit.nl
    http:
      paths:
        - path: "/"
          backend:
            serviceName: zcrm365dev
            servicePort: 80
  tls: 
  - hosts:
    - test1kongletsencrypt.possibilit.nl
    secretName: letsencrypt-prod # letsencrypt-staging

I am not sure which of all these annotations are necessary, but currently my service, which is a Swagger API URL, is referencing a problem with kong in relation to error 500.

Do you know how I can start to debug the problem?

Kong Ingress Controller 0.4.0 released

Hello,

To tackle this problem, Kong Ingress Controller sets preserve_host to true by default and hence things should work.
Could you try to use that and update this repository?

Is acme-kong-kube-helper working?

When I applied acme-kong-kube-helper some weeks ago, I could see the following in my kong-ingress-controller, indicating that the helper works to perform the TLS handshake:

⟩ kubectl logs pods/kong-ingress-controller-7b6d8fff97-dqhqx -n kong -c acme-kong-kube-helper
2019/03/21 10:48:18 Matching ingress added: cm-acme-http-solver-9qk9l
2019/03/21 10:48:18   path /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk
2019/03/21 10:48:28 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:28 successfully patched kong route: ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:39 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:39 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:48:49 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:49 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:48:59 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:48:59 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:08 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:08 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:18 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:18 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:29 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:29 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:49:39 found matching kong route: /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk = ca1ee391-6bd1-45b1-ab8b-51ce667922df
2019/03/21 10:49:39 nothing to do; route for /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk already has preserve_host set
2019/03/21 10:50:08 mission accomplished for path /.well-known/acme-challenge/-tmwXxIz4WGsloixL7o1DPCLCDJmZBQ6hUMA0OC7zIk
[I] 
~

And now, for some days since I applied it, I can't see this same behavior in my kong-ingress-controller when I request the logs of the acme-kong-kube-helper container. Instead, I don't get any logs, as shown here:

⟩ k logs pod/kong-ingress-controller-754d5dcf55-rj7zb -n kong -c acme-kong-kube-helper
[I] 

Instead, when I created the ingress resource and requested the logs of my kong-ingress-controller for the kong-ingress-controller container, I can see the following related to acme-kong-kube-helper that did not appear before:

I0408 09:55:49.636266       6 controller.go:128] syncing Ingress configuration...
I0408 09:55:49.646791       6 kong.go:1075] cert: 0xc000046180
I0408 09:55:50.064447       6 kong.go:113] syncing global plugins
I0408 09:55:50.102665       6 kong.go:549] deleting Kong Service default.cm-acme-http-solver-27plz.8089
I0408 09:55:50.313923       6 kong.go:805] updating Kong Route for host _, path /priva and service 0xc00023a500
I0408 09:55:50.549357       6 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"zcrm365-sandbox-ingress", UID:"f27ff38b-59e3-11e9-8b93-de0f49f53bf8", APIVersion:"extensions", ResourceVersion:"391234", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress default/zcrm365-sandbox-ingress
I0408 09:55:50.567904       6 kong.go:918] deleting Kong Route c93ba320-ed9e-4e4c-b02d-76535d371c6e
I0408 09:55:52.969573       6 controller.go:128] syncing Ingress configuration...
I0408 09:55:53.910110       6 kong.go:1133] creating Kong SSL Certificate for host zcrm365sand.possibilit.nl located in Secret default/
I0408 09:55:54.223216       6 kong.go:1165] creating Kong SNI for host zcrm365sand.possibilit.nl and certificate id 0xc000265960
I0408 09:55:54.267353       6 kong.go:1075] cert: 0xc000047620
I0408 09:55:54.445856       6 kong.go:1027] creating Kong Upstream with name default.cm-acme-http-solver-27plz.8089
I0408 09:55:54.562474       6 kong.go:241] creating Kong Target 10.244.0.14:8089 for upstream 4d43dc23-82f1-4da8-b8e8-5d8694ad557a
I0408 09:55:54.788418       6 kong.go:113] syncing global plugins
I0408 09:55:55.046332       6 kong.go:777] creating Kong Route for host zcrm365sand.possibilit.nl, path /.well-known/acme-challenge/38MK5-Ms72R6_I8GenCDaEsVrcT1w_xDmY04By9cpf0 and service 6f8de943-ad4d-4226-9665-390ac2e28573
W0408 09:56:13.987388       6 controller.go:387] service default/cm-acme-http-solver-27plz does not have any active endpoints
I0408 10:00:55.145266       6 controller.go:128] syncing Ingress configuration...
I0408 10:00:56.398897       6 kong.go:113] syncing global plugins
I0408 10:00:56.621720       6 kong.go:777] creating Kong Route for host _, path / and service c1c4b79a-cab2-44ee-a1bf-40547b72a8e5
I0408 10:00:56.992052       6 kong.go:918] deleting Kong Route be7712e1-d7db-41be-a13a-85dd7f37d651
I0408 10:00:58.478690       6 controller.go:128] syncing Ingress configuration...
I0408 10:00:58.612291       6 kong.go:113] syncing global plugins
I0408 10:00:58.655929       6 kong.go:805] updating Kong Route for host _, path / and service 0xc00023a060
[I] 

My letsencrypt-staging certificate and order were validated

⟩ k get order 
NAME                             STATE   AGE
letsencrypt-staging-3060892365   valid   28m
[I]  
⟩ kd certificate letsencrypt-staging 
Name:         letsencrypt-staging
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-04-08T09:51:57Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  zcrm365-sandbox-ingress
    UID:                   f27ff38b-59e3-11e9-8b93-de0f49f53bf8
  Resource Version:        391307
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/letsencrypt-staging
  UID:                     f2826f7b-59e3-11e9-8b93-de0f49f53bf8
Spec:
  Acme:
    Config:
      Domains:
        zcrm365sand.possibilit.nl
      Http 01:
        Ingress:  zcrm365-sandbox-ingress
  Dns Names:
    zcrm365sand.possibilit.nl
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-staging
  Secret Name:  letsencrypt-staging
Status:
  Conditions:
    Last Transition Time:  2019-04-08T09:56:15Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-07-07T08:56:14Z
Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           29m   cert-manager  Generated new private key
  Normal  GenerateSelfSigned  29m   cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        29m   cert-manager  Created Order resource "letsencrypt-staging-3060892365"
  Normal  OrderComplete       25m   cert-manager  Order "letsencrypt-staging-3060892365" completed successfully
  Normal  CertIssued          25m   cert-manager  Certificate issued successfully
[I] 

And cert-manager takes the order and performs the TLS handshake with letsencrypt:

⟩ k logs pod/cert-manager-6f68b58796-l7kwf -n cert-manager
I0408 09:56:14.647462       1 logger.go:43] Calling GetOrder
I0408 09:56:15.305723       1 controller.go:190] orders controller: Finished processing work item "default/letsencrypt-staging-3060892365"
I0408 09:56:15.305897       1 controller.go:184] orders controller: syncing item 'default/letsencrypt-staging-3060892365'
I0408 09:56:15.306145       1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-staging'
I0408 09:56:15.306151       1 logger.go:58] Calling FinalizeOrder
I0408 09:56:15.324242       1 sync.go:263] Certificate default/letsencrypt-staging scheduled for renewal in 1438h59m58.675766873s
I0408 09:56:15.324571       1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-staging"
I0408 09:56:15.329486       1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-staging'
I0408 09:56:15.329854       1 conditions.go:143] Found status change for Certificate "letsencrypt-staging" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-04-08 09:56:15.32984867 +0000 UTC m=+69975.057141117
I0408 09:56:15.330060       1 sync.go:263] Certificate default/letsencrypt-staging scheduled for renewal in 1438h59m58.669946428s
I0408 09:56:15.386429       1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-staging"
I0408 09:56:15.386559       1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-staging'

But when I go to my website domain, http://zcrm365sand.possibilit.nl/, the certificate hasn't been signed (in the letsencrypt-staging case) by the FAKE LE Intermediate X1 CA, which is the expected result.

When I changed to the letsencrypt production environment, I got the same result: the certificates and order were validated by the LE production CA and the kong routes and service were created, but I can't get HTTPS encryption.

I am asking about this situation because I have some doubt about why k logs pod/kong-ingress-controller-754d5dcf55-rj7zb -n kong -c acme-kong-kube-helper does not return anything and the kong-ingress-controller container is taking over creating the route, here referencing the cm-acme-http-solver-27plz pod that was created before in kubernetes:

creating Kong Route for host zcrm365sand.possibilit.nl, path /.well-known/acme-challenge/38MK5-Ms72R6_I8GenCDaEsVrcT1w_xDmY04By9cpf0 and service 6f8de943-ad4d-4226-9665-390ac2e28573
W0408 09:56:13.987388       6 controller.go:387] service default/cm-acme-http-solver-27plz does not have any active endpoints 

Is my acme-kong-kube-helper implementation not working?
I am adding acme-kong-kube-helper to kong as a third container, according to the instructions.

Or is this behavior related to this issue that was created?
Create a KongIngress instead of patching the existing Kong route

Although I suppose that at the moment it has not been merged ...

I have been testing this many times this past week, and I can't get HTTPS encryption using the acme-kong-kube-helper, even though my orders and certificates are validated in the letsencrypt staging and production environments.

Because my letsencrypt-staging secret doesn't get the .crt key:

⟩ kd secrets letsencrypt-staging 
Name:         letsencrypt-staging
Namespace:    default
Labels:       certmanager.k8s.io/certificate-name=letsencrypt-staging
Annotations:  certmanager.k8s.io/alt-names: zcrm365sand.possibilit.nl
              certmanager.k8s.io/common-name: zcrm365sand.possibilit.nl
              certmanager.k8s.io/ip-sans: 
              certmanager.k8s.io/issuer-kind: ClusterIssuer
              certmanager.k8s.io/issuer-name: letsencrypt-staging

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  3574 bytes
tls.key:  1675 bytes
[I] 
~/workspace/ZCRM365/Deployments/Kubernetes · (Deployments±)
⟩ 

Is it possible that letsencrypt is limiting my requests? But I am not sure, because my order is arriving at the CA and being validated ...

No RBAC support

First, thank you for this helper. Like many, I have issues with Kong and cert-manager working together, so I tried your helper and realised there is no support for RBAC-enabled clusters:

E0321 10:09:23.210174       1 reflector.go:134] app/main.go:87: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list resource "ingresses" in API group "extensions" at the cluster scope
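
A least-privilege RBAC setup that addresses the error above, as an added example that is not part of the original issue or the project's own manifests. The service account name and the `kong` namespace are assumptions, as is the premise that the helper only needs to list and watch Ingress objects through the Kubernetes API.

```yaml
# Added example. Names and namespace below are assumptions, not project values.
#
# The error shows the helper running as system:serviceaccount:default:default
# and being denied "list" on "ingresses" in API group "extensions" at cluster
# scope. Binding extra rights to the shared "default" account would hand them
# to every pod in that namespace, so a dedicated account is used instead.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: acme-kong-kube-helper        # hypothetical name
  namespace: kong                    # assumed: namespace of the controller pod
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acme-kong-kube-helper-ingress-reader   # hypothetical name
rules:
  # Read-only access to Ingress objects. A client-go reflector issues a
  # "list" followed by a "watch"; no write verbs are granted (assumption:
  # the helper changes Kong routes, not Kubernetes objects).
  - apiGroups: ["extensions"]        # the API group named in the error
    resources: ["ingresses"]
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: acme-kong-kube-helper-ingress-reader   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: acme-kong-kube-helper-ingress-reader
subjects:
  - kind: ServiceAccount
    name: acme-kong-kube-helper
    namespace: kong
# The pod that runs the helper container must set
#   spec.serviceAccountName: acme-kong-kube-helper
# All containers in a pod share one service account, so when the helper runs
# as an extra container in the ingress controller pod, add the rule above to
# the role already bound to that pod's account instead of creating a new one.
#
# Check the result without restarting anything:
#   kubectl auth can-i list ingresses.extensions \
#     --as=system:serviceaccount:kong:acme-kong-kube-helper
```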

[Idea] Create a KongIngress instead of patching the existing Kong route

Just an idea: wouldn't it be better to create a matching KongIngress resource when a new Ingress is created? That would make it more permanent for Kong and there is no risk of losing the route customization because of an outside event.

I'm not familiar enough with Go but I'll look into the code.
