Hi,
I have a problem: the host has a certificate generated using cert-manager, but when it is opened in a browser, TRAEFIK DEFAULT CERT is used on the domain.
Some details of my setup:
K3s Version:
k3s version v1.23.6+k3s1
Node(s) CPU architecture, OS, and Version:
Linux instance 5.13.0-1030-oracle #35~20.04.1-Ubuntu SMP Wed May 25 23:19:48 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
Cluster Configuration: just a single master.
Steps To Reproduce:
Installed K3s:
```
curl -sfL https://get.k3s.io/ | INSTALL_K3S_EXEC="--tls-san 130.61.84.XX --node-external-ip 130.61.84.XX" sh -s -
```
Installed cert-manager:
```
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.8.0
```
Set up letsencrypt-prod ClusterIssuer with solvers:
```yaml
...
solvers:
- http01:
    ingress:
      ingressTemplate:
        metadata:
          annotations:
            kubernetes.io/ingress.class: traefik
```
Run app deployment, ingress looks like this:
```yaml
  ingressClassName: traefik
  rules:
  - host: api.example.dev
    http:
      paths:
      - backend:
          service:
            name: yyy-backend-api
            port:
              number: 80
        path: /
        pathType: Exact
  tls:
  - secretName: yyy-backend-api-tls
status:
  loadBalancer: {}
```
Certificate is created:
```
Normal Issuing 134m cert-manager-certificates-issuing The certificate has been successfully issued
```
I would expect that when visiting api.example.dev, the Let's Encrypt cert would be used.
Instead, the self-signed TRAEFIK DEFAULT CERT is used.
When I tried to call the API from api.example.dev in Postman, I got a 404.
When a port-forward is done, or when it is called from the host on the Pod IP, the API responds OK.
Any help or suggestions would be appreciated.
1 Like
I'm having the same issue with my setup.
It seems to work if I use the Ingress annotation
`kubernetes.io/ingress.class: traefik`
instead of the ingressClassName
`ingressClassName: traefik`
I could not figure out yet if it is a config issue or a bug in either Traefik or cert-manager.
Update:
There seems to be some issue between cert-manager and Traefik in supporting the new field ingressClassName, please up-vote:
opened 08:25PM - 01 Feb 22 UTC
kind/feature
area/ingress-shim
**Is your feature request related to a problem? Please describe.**
I have multiple `IngressControllers` running in my cluster. Each of them is configured to only control ingresses with a given `IngressClass` (as described in Ingress Nginx [documentation](https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/)). With the recent revert of changes derived from this discussion (https://github.com/jetstack/cert-manager/issues/4537#issuecomment-1022112393), if I add the `class` property to the solver's `Ingress` spec, the now deprecated `kubernetes.io/ingress.class` annotation will be used:
```yaml
solvers:
- http01:
    ingress:
      class: external-nginx
```
This will result in the `Ingress` created by the solver never being picked up by any `IngressController`, resulting in the inability of the solver to complete the challenge. Currently, we are solving this by manually editing the Ingress deployment to include the desired `ingressClassName`, but this implies manual work every time new certificates need to be updated/issued.
**Describe the solution you'd like**
I understand (and agree) that maintaining compatibility is important. Given my limited context of this project, it would be nice to have the option to set the `ingressClassName` like this:
```yaml
solvers:
- http01:
    ingress:
      ingressClassName: external-nginx
```
This way, the `class` attribute could still be implemented with the annotation, and newer clients could opt-in to use `IngressClasses`.
**Describe alternatives you've considered**
We could probably use another `IngressController` without any `IngressClass` set in its configuration, allowing it to pick up the ingresses created by `cert-manager`, but that seems more like a workaround than a solution.
**Additional context**
None, but may provide more if asked.
**Environment details (remove if not applicable)**:
- Kubernetes version: 1.21
- Cloud-provider/provisioner: AWS
- cert-manager version: v1.7.0
- Install method: Helm, including resource definitions.
/kind feature
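The class mismatch described in the quoted issue, as an added example that is not part of the original thread and is not cert-manager or Traefik code: it models which Ingresses a controller would leave unserved depending on whether it honours the deprecated annotation. The controller model in `picked_up`, the helper names and the Ingress names are assumptions made for illustration; the manifests are constructed from the snippets shown in the thread.

```python
# Added example; manifests below are constructed from the snippets in the thread.
LEGACY_ANNOTATION = "kubernetes.io/ingress.class"  # deprecated annotation


def class_selectors(ingress):
    """Return (annotation_class, field_class) for an Ingress manifest dict."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    field_class = ingress.get("spec", {}).get("ingressClassName")
    return annotations.get(LEGACY_ANNOTATION), field_class


def solver_ingress(name, http01_ingress):
    """Model the challenge Ingress built from an `http01.ingress` solver block.

    As the quoted issue states, `class` becomes the deprecated annotation;
    annotations under `ingressTemplate` are copied onto the solver Ingress.
    """
    template = http01_ingress.get("ingressTemplate", {}).get("metadata", {})
    annotations = dict(template.get("annotations") or {})
    if "class" in http01_ingress:
        annotations[LEGACY_ANNOTATION] = http01_ingress["class"]
    return {"metadata": {"name": name, "annotations": annotations}, "spec": {}}


def picked_up(ingress, controller_class, honours_annotation):
    """Assumed controller model: spec.ingressClassName always counts, the
    annotation only if the controller is configured to honour it."""
    annotation_class, field_class = class_selectors(ingress)
    if field_class == controller_class:
        return True
    return honours_annotation and annotation_class == controller_class


def ignored(ingresses, controller_class, honours_annotation):
    """Names of the Ingresses the modelled controller would not serve."""
    return [i["metadata"]["name"] for i in ingresses
            if not picked_up(i, controller_class, honours_annotation)]


# Hypothetical names; classes and keys are the ones shown in the thread.
APP = {"metadata": {"name": "app"}, "spec": {"ingressClassName": "traefik"}}
SOLVER_POST = solver_ingress("solver-traefik", {"ingressTemplate": {
    "metadata": {"annotations": {LEGACY_ANNOTATION: "traefik"}}}})
SOLVER_ISSUE = solver_ingress("solver-nginx", {"class": "external-nginx"})

if __name__ == "__main__":
    for honours in (True, False):
        print(honours, ignored([APP, SOLVER_POST], "traefik", honours),
              ignored([SOLVER_ISSUE], "external-nginx", honours))
```

An HTTP-01 challenge can only complete if the solver Ingress is absent from the `ignored` list for the controller that receives the challenge request.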