TLS, ambassador, cert-manager, and HTTP challenge

Hello all. I'm trying to set up a config with ambassador in Azure.
For now, ambassador is just used as an ingress controller, and that works fine.
Troubles arrive when I try to set up a TLS config using cert-manager.
I can't use the DNS acme-challenge since my TLS domain is the one created for my K8S by Azure (something like myrepo.westeurope.cloudapp.azure.com).
That's why I'm stuck using HTTP challenge resolution.
The problem comes from how cert-manager works.
Once configured, to be able to challenge the domain, cert-manager dynamically generates a deployment / service / ingress to expose the famous .well-known/acme-challenge/OXiBFblablablalbla URL.
Since we don't have any ingress controller installed, the service is not reachable.
Of course I tried to implement my own service to handle the request correctly, but it doesn't work at all. (Well, today the URLs and names are hardcoded; that's another problem to solve, but for now it's fine testing like that.)
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      name: acme-challenge-mapping
      prefix: /.well-known/acme-challenge/OXiBF7fN601nISblablbalbla
      service: nginx
spec:
  ports:
  - port: 80
    targetPort: 8089
  selector:
    certmanager.k8s.io/acme-http-domain: "3932818779"
    certmanager.k8s.io/acme-http-token: "782372305"
```
The logs from the cert-manager pod contain these relevant lines:

```text
logger.go:93] Calling HTTP01ChallengeResponse
prepare.go:279] Cleaning up old/expired challenges for Certificate default/ambassador-certs
logger.go:68] Calling GetChallenge
http.go:145] presented key () did not match expected (OXiBF7fN60blablablabla.vt8Zlzf-eC5Dj9dnanananana)
```
To Reproduce

1. Install cert-manager using helm:

```shell
helm install stable/cert-manager --set ingressShim.defaultIssuerName=letsencrypt-staging --set ingressShim.defaultIssuerKind=ClusterIssuer
```

2. Install the ambassador (with RBAC) stuff.
3. Install a straightforward sample:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
    metadata:
      labels:
        app: azure-vote-back
    spec:
      containers:
      - name: azure-vote-back
        image: redis
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 6379
          name: redis
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-back
spec:
  ports:
  - port: 6379
  selector:
    app: azure-vote-back
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-front
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-front
  template:
    metadata:
      labels:
        app: azure-vote-front
    spec:
      containers:
      - name: azure-vote-front
        image: microsoft/azure-vote-front:v1
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 80
        env:
        - name: REDIS
          value: "azure-vote-back"
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      name: azure-vote-front-mapping
      prefix: /
      service: azure-vote-front
spec:
  ports:
  - port: 80
  selector:
    app: azure-vote-front
```
Versions (please complete the following information): Last versions of everything 😃
Thx @richarddli for the updated documentation.
Just for your information, I have created a small repo with a readme doc about installing cert-manager in an AKS cluster.
I know my English is not really as good as it should be, but you may find useful information on this topic: https://github.com/Mimetis/ambassadorandtls
hey,
I went through a similar thing as you did a while back and came up with pretty much the same solutions. Only difference, I'm only using a selector with certmanager.k8s.io/acme-http-domain: <val>, which works fine for me. Skipped the token.
The acme-http-domain value is an adler32 hash of the domain, so it won't change. There are topics in the cert-manager repo regarding this suggesting custom selector options and / or changing the adler32 hash to something helm can use (then it would be just a template function for us). But I'm not sure if anything changed since my adventure down that road 😃
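The following is an added example, not code from the issue or from the cert-manager or Ambassador projects. It ties the two threads together: it computes the `certmanager.k8s.io/acme-http-domain` value as the decimal adler32 checksum of the domain, as the comment above describes (an assumption about the exact encoding), renders a Service that selects solver pods by that label alone and carries an `ambassador/v0` Mapping for the whole `/.well-known/acme-challenge/` prefix (generalizing the issue's per-token mapping; `targetPort: 8089` is taken from the issue's own manifest, the Service name `acme-solver` is made up), and classifies the "presented key () did not match expected" log line quoted in the issue. The domain `example.com` and the selector-matching helper are constructed for illustration.

```python
"""Added example: HTTP-01 solver selector, Ambassador Mapping, and log triage."""
import re
import zlib
from typing import Dict, Optional

# Constructed sample domain; the issue's real domain is a placeholder of the
# form <name>.westeurope.cloudapp.azure.com.
SAMPLE_DOMAIN = "example.com"

# Log line quoted in the issue (token and thumbprint are the issue's own placeholders).
SAMPLE_LOG_LINE = (
    "http.go:145] presented key () did not match expected "
    "(OXiBF7fN60blablablabla.vt8Zlzf-eC5Dj9dnanananana)"
)


def acme_http_domain_label(domain: str) -> str:
    """Value of the certmanager.k8s.io/acme-http-domain label: the adler32
    checksum of the domain as a decimal string (per the comment above; the
    exact encoding is an assumption). zlib.adler32 is unsigned on Python 3."""
    return str(zlib.adler32(domain.encode("ascii")) & 0xFFFFFFFF)


def selector_matches(selector: Dict[str, str], pod_labels: Dict[str, str]) -> bool:
    """Kubernetes equality-selector semantics: every selector key must be on
    the pod with the same value; extra pod labels are ignored. This is why a
    Service selecting on the domain label only still finds a solver pod that
    also carries the per-challenge token label."""
    return all(pod_labels.get(key) == value for key, value in selector.items())


def render_solver_service(domain: str, service_name: str = "acme-solver",
                          target_port: int = 8089) -> str:
    """Render a Service (hypothetical name) that selects solver pods by domain
    only, with an ambassador/v0 Mapping annotation for the whole
    /.well-known/acme-challenge/ prefix so it need not be re-created per token.
    targetPort 8089 is the value used in the issue's own manifest."""
    label = acme_http_domain_label(domain)
    return "\n".join([
        "apiVersion: v1",
        "kind: Service",
        "metadata:",
        f"  name: {service_name}",
        "  annotations:",
        "    getambassador.io/config: |",
        "      ---",
        "      apiVersion: ambassador/v0",
        "      kind: Mapping",
        f"      name: {service_name}-mapping",
        "      prefix: /.well-known/acme-challenge/",
        f"      service: {service_name}",
        "spec:",
        "  ports:",
        "  - port: 80",
        f"    targetPort: {target_port}",
        "  selector:",
        f'    certmanager.k8s.io/acme-http-domain: "{label}"',
        "",
    ])


_KEY_MISMATCH = re.compile(
    r"presented key \((?P<presented>[^)]*)\) did not match expected \((?P<expected>[^)]*)\)"
)


def diagnose_key_mismatch(line: str) -> Optional[Dict[str, str]]:
    """Classify cert-manager's self-check failure. An empty presented key means
    the response body was empty, which happens when something other than the
    solver pod answered (a routing or selector problem, as in the issue); a
    non-empty wrong key points at a stale or foreign responder on that path."""
    match = _KEY_MISMATCH.search(line)
    if match is None:
        return None
    presented = match.group("presented")
    expected = match.group("expected")
    if presented == "":
        reason = ("empty body: request did not reach the solver pod "
                  "(check the Mapping prefix and the Service selector)")
    else:
        reason = "wrong key authorization: another responder answered for this path"
    return {"presented": presented, "expected": expected, "reason": reason}


if __name__ == "__main__":
    print(render_solver_service(SAMPLE_DOMAIN))
    print(diagnose_key_mismatch(SAMPLE_LOG_LINE))
```

Run it as a script to print the rendered Service for the sample domain and the triage of the quoted log line; to use it for a real cluster, substitute your own domain and check the printed label against the solver pod's labels with `kubectl get pods --show-labels`.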