Good morning
I am very new to nginx and I am trying to follow a document that explains how to make a connection using an nginx LB with TLS.
In theory, the procedure is very simple:
1.- Deploy Nginx LoadBalancer:
helm upgrade ingress-nginx ingress-nginx/ingress-nginx --install \
  --set controller.nodeSelector.starburstpool=base \
  --set defaultBackend.nodeSelector.starburstpool=base \
  --set controller.admissionWebhooks.patch.nodeSelector.starburstpool=base
2.- Deploy Certificate Manager:
helm upgrade cert-manager jetstack/cert-manager --install --namespace certs-manager --create-namespace \
  --set installCRDs=true \
  --set nodeSelector.starburstpool=base \
  --set webhook.nodeSelector.starburstpool=base \
  --set cainjector.nodeSelector.starburstpool=base
3.- Deploy Certificate Issuer:
Wait for the Certificate Manager to complete its deployment. Next, edit your local copy of cert-issuer.yaml. Add your email address to this file in the place indicated. After the file has been edited, run the following command:
The documentation said:
    - http01:
        ingress:
          class: nginx
But I changed the class to public:
$ cat cert-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  namespace: certs-manager
  labels:
    name: letsencrypt
    iac: "Deployed-via-starburst-deploy"
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@domain
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: public
          podTemplate:
            spec:
              nodeSelector:
                "starburstpool": base
and then:
kubectl apply -f cert-issuer.yaml
Now I deploy my app.
$ helm upgrade starburst-enterprise starburstdata/starburst-enterprise --install --values starburst.yaml \
  --set expose.type=ingress \
  --set expose.ingress.host=${starburst_url:?You need to specify a url}:443 \
  --set registryCredentials.username=${registry_usr:?Value not set} \
  --set registryCredentials.password=${registry_pwd:?Value not set} \
  --set sharedSecret="$(openssl rand 64 | base64)" \
....
But I see some issues:
$ kubectl get certificate
NAME                   READY   SECRET                 AGE
tls-secret-starburst   False   tls-secret-starburst   143m
The certificate is not ready.
Describing the certificate:
Status:
  Conditions:
    Last Transition Time:  2024-05-13T07:15:21Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-05-13T07:15:21Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
  Next Private Key Secret Name:  tls-secret-starburst-qdg79
Events:                          <none>
But I have the secret:
$ k describe secret tls-secret-starburst-qdg79
Name:         tls-secret-starburst-qdg79
Namespace:    clgroup
Labels:       cert-manager.io/next-private-key=true
              controller.cert-manager.io/fao=true
Annotations:  <none>
Type:  Opaque
Data
====
tls.key:  1704 bytes
If I review the challenge:
$ kubectl get challenge
NAME                                           STATE     DOMAIN            AGE
tls-secret-starburst-1-1114501067-2382483565   pending   pue.puetest.net   156m
$ kubectl describe challenge
....
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: wrong status code '503', expected '200'
  State:       pending
Events:        <none>
If I run a curl:
$ curl https://acme-v02.api.letsencrypt.org/acme/authz-v3/350147985507
{
  "identifier": {
    "type": "dns",
    "value": "muDomain"
  },
  "status": "pending",
  "expires": "2024-05-20T07:15:22Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/350147985507/cJzlaw",
      "token": "3gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIdkrit0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/350147985507/nyX5_A",
      "token": "3gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIdkrit0"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/350147985507/IFP4fQ",
      "token": "3gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIdkrit0"
    }
  ]
}
So I don't know why all the challenges are pending.
I think that is the problem, but I don't know how to solve it.
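The post's procedure (ingress controller, cert-manager, ClusterIssuer with an HTTP-01 solver, app Ingress) and its failure mode (the ACME self-check getting a 503 instead of the key authorization) lend themselves to a few offline pre-flight checks. The following is an added example, not code from the post, from cert-manager or from the Starburst charts; it works on constructed dicts shaped like `kubectl get ... -o json` output (the ClusterIssuer solver class `public`, a cluster whose only IngressClass is `nginx`, and an Ingress host carrying a `:443` suffix, all mirroring the post). The interpretation of 503/404 probe results in `diagnose_probe` is an assumption about typical ingress-nginx behaviour, not something the post states.

```python
"""Offline pre-flight checks for a cert-manager HTTP-01 solver (added example).

The sample objects below are constructed to mirror `kubectl get ... -o json`
output for the situation described in the post.
"""
import re

# --- constructed samples (shapes follow the Kubernetes / cert-manager APIs) ---
ISSUER = {
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt"},
    "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "public"}}}]}},
}
# constructed: items from `kubectl get ingressclass -o json`
INGRESS_CLASSES = [{"metadata": {"name": "nginx"}}]
# constructed: the app Ingress as the helm invocation in the post would render the host
APP_INGRESS = {
    "metadata": {"name": "starburst", "namespace": "clgroup"},
    "spec": {"rules": [{"host": "pue.puetest.net:443"}]},
}

# RFC 1123 hostname label; an Ingress host must be a bare DNS name (no scheme, no port)
_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def solver_ingress_classes(issuer):
    """Return the ingress class names used by the issuer's HTTP-01 solvers."""
    solvers = issuer.get("spec", {}).get("acme", {}).get("solvers", [])
    return [
        s["http01"]["ingress"]["class"]
        for s in solvers
        if "http01" in s and "class" in s["http01"].get("ingress", {})
    ]


def check_solver_classes(issuer, ingress_classes):
    """Flag HTTP-01 solver classes that no IngressClass in the cluster provides.

    Approximation: the solver class is compared with IngressClass names, which is
    what the class value usually equals. A solver Ingress whose class no controller
    claims is never routed, so the ACME server cannot fetch the key authorization.
    """
    known = {c["metadata"]["name"] for c in ingress_classes}
    return [
        f"solver ingress class '{cls}' matches no IngressClass (known: {sorted(known)})"
        for cls in solver_ingress_classes(issuer)
        if cls not in known
    ]


def check_ingress_hosts(ingress):
    """Flag hosts that are not plain DNS names (e.g. a ':443' port suffix)."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "")
        name = host[2:] if host.startswith("*.") else host  # wildcard hosts are allowed
        if ":" in host or not all(_LABEL.match(p) for p in name.split(".")):
            findings.append(f"ingress host '{host}' is not a valid DNS name")
    return findings


def challenge_url(domain, token):
    """URL the ACME server fetches for HTTP-01 (RFC 8555 section 8.3): plain HTTP on port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def diagnose_probe(status, body, token):
    """Interpret a manual probe of challenge_url() the way cert-manager's self-check would.

    Assumption: a 503 from ingress-nginx typically means the matched Service has no
    ready endpoints; a 404 means no Ingress rule matched the host and path.
    """
    if status == 503:
        return "503: request reached an ingress controller but no backend answered"
    if status == 404:
        return "404: no Ingress rule routes this host/path to the solver"
    if status != 200:
        return f"{status}: unexpected response"
    if not body.startswith(token + "."):
        return "200 but body is not '<token>.<account-thumbprint>' (wrong backend answered)"
    return "ok: key authorization served"


def run_checks(issuer=ISSUER, ingress_classes=INGRESS_CLASSES, ingress=APP_INGRESS):
    """Run all static checks and return the list of findings."""
    return check_solver_classes(issuer, ingress_classes) + check_ingress_hosts(ingress)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
    print(challenge_url("pue.puetest.net", "3gxx...Idkrit0"))
    print(diagnose_probe(503, "", "3gxx...Idkrit0"))
```

Feeding real `kubectl get clusterissuer/ingressclass/ingress -o json` output into `run_checks` turns the two static checks into a quick sanity pass before waiting on an ACME order; `diagnose_probe` is meant for the result of a manual `curl` against `challenge_url()` from outside the cluster, since that is the path the ACME server must be able to reach over port 80.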