Hi,
I have a problem: a host has a certificate generated using cert-manager, but when it is opened in a browser, TRAEFIK DEFAULT CERT is used on the domain.
Some details of my setup:
K3s Version:
k3s version v1.23.6+k3s1
Node(s) CPU architecture, OS, and Version:
Linux instance 5.13.0-1030-oracle #35~20.04.1-Ubuntu SMP Wed May 25 23:19:48 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
Cluster Configuration: just a single master.
Steps To Reproduce:
Installed K3s:
```bash
curl -sfL https://get.k3s.io/ | INSTALL_K3S_EXEC="--tls-san 130.61.84.XX --node-external-ip 130.61.84.XX" sh -s -
```
Installed cert-manager:
```bash
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.8.0
```
Set up the letsencrypt-prod ClusterIssuer with solvers:
```yaml
...
solvers:
- http01:
    ingress:
      ingressTemplate:
        metadata:
          annotations:
            kubernetes.io/ingress.class: traefik
```
Ran the app deployment; the ingress looks like this:
```yaml
spec:
  ingressClassName: traefik
  rules:
  - host: api.example.dev
    http:
      paths:
      - backend:
          service:
            name: yyy-backend-api
            port:
              number: 80
        path: /
        pathType: Exact
  tls:
  - secretName: yyy-backend-api-tls
status:
  loadBalancer: {}
```
Certificate is created:
Normal Issuing 134m cert-manager-certificates-issuing The certificate has been successfully issued
I would expect that when visiting api.example.dev, the Let's Encrypt cert would be used.
Instead, the self-signed TRAEFIK DEFAULT CERT is used.
When I tried to call the API from api.example.dev in Postman, I got a 404.
When a port-forward is done, or it is called from the host on the Pod IP, the API responds OK.
Any help or suggestions would be appreciated.
I'm having the same issue with my setup.
It seems to work if I use the Ingress annotation
`kubernetes.io/ingress.class: traefik`
instead of the ingressClassName
`ingressClassName: traefik`
I could not figure out yet if it is a config issue or a bug in either Traefik or cert-manager.
Update:
there seems to be some issue between cert-manager and traefik for supporting the new field ingressClassName, please up-vote:
opened 08:25PM - 01 Feb 22 UTC
kind/feature
area/ingress-shim
**Is your feature request related to a problem? Please describe.**
I have multiple `IngressControllers` running in my cluster. Each of them is configured to only control ingresses with a given `IngressClass` (as described in Ingress Nginx [documentation](https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/)). With the recent revert of changes derived from this discussion (https://github.com/jetstack/cert-manager/issues/4537#issuecomment-1022112393), if I add the `class` property to the solver's `Ingress` spec, the now deprecated `kubernetes.io/ingress.class` annotation will be used:
```yaml
solvers:
- http01:
    ingress:
      class: external-nginx
```
This will result in the `Ingress` created by the solver never being picked up by any `IngressController`, resulting in the inability of the solver to complete the challenge. Currently, we are solving this by manually editing the Ingress deployment to include the desired `ingressClassName`, but this implies manual work every time new certificates need to be updated/issued.
**Describe the solution you'd like**
I understand (and agree) that maintaining compatibility is important. Given my limited context of this project, it would be nice to have the option to set the `ingressClassName` like this:
```yaml
solvers:
- http01:
    ingress:
      ingressClassName: external-nginx
```
This way, the `class` attribute could still be implemented with the annotation, and newer clients could opt-in to use `IngressClasses`.
**Describe alternatives you've considered**
We could probably use another `IngressController` without any `IngressClass` set in its configuration, allowing it to pick up the ingresses created by `cert-manager`, but that seems more like a workaround than a solution.
**Additional context**
None, but may provide more if asked.
**Environment details (remove if not applicable)**:
- Kubernetes version: 1.21
- Cloud-provider/provisioner: AWS
- cert-manager version: v1.7.0
- Install method: Helm, including resource definitions.
/kind feature
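
An added example, not part of the thread or of the quoted issue: a small Python audit that reports, for each Ingress, whether its controller is selected by the `kubernetes.io/ingress.class` annotation or by `spec.ingressClassName`, and lists classes that are selected both ways, which is the mix described in the posts above. The sample objects (shaped like `kubectl get ingress -A -o json` output) and the solver Ingress name are constructed.

```python
import json

LEGACY_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "yyy-backend-api"},
   "spec": {"ingressClassName": "traefik",
            "tls": [{"secretName": "yyy-backend-api-tls"}]}},
  {"metadata": {"namespace": "default", "name": "cm-acme-http-solver-x1",
                "annotations": {"kubernetes.io/ingress.class": "traefik"}},
   "spec": {}}
]}
""")


def class_selection(ingress):
    """Return (namespace/name, mechanism, class) for one Ingress object."""
    meta = ingress.get("metadata", {})
    legacy = (meta.get("annotations") or {}).get(LEGACY_ANNOTATION)
    field = (ingress.get("spec") or {}).get("ingressClassName")
    name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
    if legacy and field:
        # Both set: either redundant or pointing at different controllers.
        mechanism = "both" if legacy == field else "conflict"
    elif field:
        mechanism = "ingressClassName"
    elif legacy:
        mechanism = "annotation"
    else:
        mechanism = "none"
    return name, mechanism, field or legacy


def audit(ingress_list):
    """List every Ingress and the classes selected by more than one mechanism."""
    rows = [class_selection(i) for i in ingress_list.get("items", [])]
    by_class = {}
    for _, mechanism, cls in rows:
        by_class.setdefault(cls, set()).add(mechanism)
    mixed = sorted(c for c, m in by_class.items() if c and len(m) > 1)
    return rows, mixed


if __name__ == "__main__":
    rows, mixed = audit(SAMPLE)
    for name, mechanism, cls in rows:
        print(f"{name:40} {mechanism:18} {cls}")
    print("classes selected by more than one mechanism:", mixed)
```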