I am using "Traefik", "cert-manager", and "Let's Encrypt".
Here is my ClusterIssuer file:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: production-lets-encrypt-issuer
  namespace: production-hm-cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: production-lets-encrypt-issuer-account-secret
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
```
Here is my Ingress file:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hm-airbyte-ingress
  namespace: production-hm-airbyte
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: production-lets-encrypt-issuer
  labels:
    app.kubernetes.io/name: hm-airbyte-ingress
    app.kubernetes.io/part-of: production-hm-airbyte
spec:
  rules:
    - host: hm-airbyte.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hm-airbyte-airbyte-webapp-svc
                port:
                  number: 80
  tls:
    - hosts:
        - hm-airbyte.example.com
      secretName: hm-airbyte-ingress-tls
```
My Traefik pod shows this error:

```text
2024-06-27T06:35:45Z ERR Error configuring TLS error="secret production-hm-airbyte/hm-airbyte-ingress-tls does not exist" ingress=hm-airbyte-ingress namespace=production-hm-airbyte providerName=kubernetes
```

But I found I actually have a Secret `hm-airbyte-ingress-tls-7w9z7` inside namespace `production-hm-airbyte`. Note it has a random suffix.
I searched online:

- https://github.com/cert-manager/cert-manager/issues/3283
- https://github.com/cert-manager/cert-manager/issues/3300

This issue seems to have existed for 4 years, but unfortunately there is no solution.
After a lot of experiments, I found that adding the annotation `acme.cert-manager.io/http01-edit-in-place: "true"` helps resolve the issue.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hm-airbyte-ingress
  namespace: production-hm-airbyte
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: production-lets-encrypt-issuer
    acme.cert-manager.io/http01-edit-in-place: "true" # <- Added this
  labels:
    app.kubernetes.io/name: hm-airbyte-ingress
    app.kubernetes.io/part-of: production-hm-airbyte
spec:
  rules:
    - host: hm-airbyte.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hm-airbyte-airbyte-webapp-svc
                port:
                  number: 80
  tls:
    - hosts:
        - hm-airbyte.example.com
      secretName: hm-airbyte-ingress-tls
```
So here is what happens after I apply this Ingress file:

- A temporary Secret `hm-airbyte-ingress-tls-7w9z7` with a random suffix will be created.
- After about half a minute, a Secret `hm-airbyte-ingress-tls` without a suffix will be created.
- The one with the suffix will be automatically deleted.

This is the Secret `hm-airbyte-ingress-tls` without a suffix; you can see the difference from the temporary secret I posted in the question.

Without this annotation, based on my experiment, it will be stuck at step 1 forever.
Here is the explanation of this annotation:

> `acme.cert-manager.io/http01-edit-in-place: "true"`: this controls whether the ingress is modified 'in-place', or a new one is created specifically for the HTTP01 challenge. If present, and set to "true", the existing ingress will be modified. Any other value, or the absence of the annotation assumes "false". This annotation will also add the annotation `"cert-manager.io/issue-temporary-certificate": "true"` onto created certificates which will cause a temporary certificate to be set on the resulting Secret until the final signed certificate has been returned. This is useful for keeping compatibility with the ingress-gce component.
P.S. I cannot explain why this annotation helps resolve the issue, because I actually expected that with this annotation the temporary secret would not be created at all. Hope someone can further explain in the future, thanks!
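As an added diagnostic example (not part of the question or answer above, and not cert-manager or Traefik code): the situation described here, Traefik reporting the `tls.secretName` Secret as missing while only a randomly suffixed temporary Secret exists, can be told apart from a genuinely missing Secret by matching the Traefik log line against the Secret names in the namespace. The log line is the one from the question with straight quotes; the Secret list is a constructed snapshot, and the five-character suffix pattern is an assumption based on the `-7w9z7` name in the question.

```python
import re

# Traefik error line from the question (straight quotes; constructed sample input).
TRAEFIK_LOG = (
    '2024-06-27T06:35:45Z ERR Error configuring TLS '
    'error="secret production-hm-airbyte/hm-airbyte-ingress-tls does not exist" '
    'ingress=hm-airbyte-ingress namespace=production-hm-airbyte providerName=kubernetes'
)

# Constructed snapshot of Secret names in production-hm-airbyte (what
# `kubectl get secrets -n production-hm-airbyte` might list while stuck at step 1).
SECRETS_IN_NAMESPACE = [
    "hm-airbyte-ingress-tls-7w9z7",
    "some-unrelated-secret",  # hypothetical filler entry
]

# key=value tokens of a Traefik log line; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MISSING_RE = re.compile(r"secret (?P<ns>[\w.-]+)/(?P<name>[\w.-]+) does not exist")
# Assumed shape of the temporary Secret: <secretName>-<5 lowercase alphanumerics>.
TEMP_SUFFIX_RE = re.compile(r"^(?P<base>.+)-[a-z0-9]{5}$")


def parse_traefik_line(line):
    """Return the key=value fields of a Traefik log line as a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def diagnose(line, secret_names):
    """Classify an 'Error configuring TLS' line against the Secrets in its namespace.

    status is one of:
      present            - the referenced Secret exists (log line is stale)
      pending-challenge  - only a suffixed temporary Secret exists, as in the question
      missing            - nothing resembling the Secret exists at all
    """
    fields = parse_traefik_line(line)
    match = MISSING_RE.search(fields.get("error", ""))
    if not match:
        return {"status": "not-a-missing-secret-error"}
    ns, name = match.group("ns"), match.group("name")
    if name in secret_names:
        return {"status": "present", "namespace": ns, "secret": name}
    temporary = [s for s in secret_names
                 if (m := TEMP_SUFFIX_RE.match(s)) and m.group("base") == name]
    status = "pending-challenge" if temporary else "missing"
    return {"status": status, "namespace": ns, "secret": name, "temporary": temporary}


if __name__ == "__main__":
    print(diagnose(TRAEFIK_LOG, SECRETS_IN_NAMESPACE))
```

A `pending-challenge` result means cert-manager has started issuance but has not written the final Secret, so the next place to look is the Certificate, Order and Challenge objects in that namespace rather than Traefik.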