# kubernetes

sparse-spring-91820

11/09/2021, 9:42 AM
Hello 👋 I am stuck with setting up SSL certificate for the ingress controller. I created a certificate for my domain and completed the DNS challenge using ACM. What I'm trying now is to use that created certificate for my nginx-ingress controller but I can't make it work. This is my code:
```typescript
const nginx = new k8s.helm.v3.Chart('nginx',
    {
        namespace,
        chart: 'nginx-ingress',
        version: '1.24.4',
        fetchOpts: { repo: 'https://charts.helm.sh/stable/' },
        values: {
          controller: {
            annotations: {
              'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
              'service.beta.kubernetes.io/aws-load-balancer-type': 'alb',
              'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http',
              'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'https'
            },
            publishService: { enabled: true }
          }
        }
    },
    { providers: { kubernetes: options.provider } }
);
```
I tried a lot of variations but none of them worked for me. I end up getting the error `400 Bad Request "Plain HTTP request was sent to HTTPS port"` or, in another case, I get the auto-generated `Kubernetes Ingress Controller Fake Certificate`, which shows me the `Not secure` flag in the browser because that certificate is not signed by an authority that the browser trusts. Has anyone else set nginx-ingress working with a certificate generated by ACM?

future-refrigerator-88869

11/09/2021, 11:00 AM
here's the config that i used for the ALB using aws load balancer controller. it might help you
```typescript
{
        "kubernetes.io/ingress.class": "alb",
        "alb.ingress.kubernetes.io/scheme": "internet-facing",
        "alb.ingress.kubernetes.io/target-type": "ip",
        "alb.ingress.kubernetes.io/certificate-arn": "certificate arn",
        "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "certificate arn",
        "alb.ingress.kubernetes.io/listen-ports": '[{"HTTPS":443}]',
        "alb.ingress.kubernetes.io/actions.ssl-redirect":
        '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
}
```

sparse-spring-91820

11/09/2021, 11:07 AM

future-refrigerator-88869

11/09/2021, 11:18 AM
Yes. But be aware that there's ingress await issues using that controller (for now at least)

sparse-spring-91820

11/09/2021, 11:21 AM
Thanks 🙌! I will try to stick with nginx-ingress and see if anyone has solution 🤞

future-refrigerator-88869

11/09/2021, 11:25 AM
I can see nginx in their example use this:
```yaml
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-type: elb
```
Taken from here: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy-tls-termination.yaml https://kubernetes.github.io/ingress-nginx/deploy/#tls-termination-in-aws-load-balancer-nlb

sparse-spring-91820

11/09/2021, 12:11 PM
Yeah, tried all that but without success 😕

billowy-army-68599

11/09/2021, 2:49 PM
@sparse-spring-91820 can you show me your spec for the ingress service?

sparse-spring-91820

11/09/2021, 2:50 PM
```typescript
const ingress = new k8s.networking.v1.Ingress('nginx-ingress-rule', {
    metadata: {
        namespace,
        annotations: {
          'kubernetes.io/ingress.class': "nginx"
        }
    },
    spec: {
        rules: [
            {
                host: 'ivo.example.com',
                http: {
                    paths: [
                        {
                            path: '/',
                            pathType: 'Prefix',
                            backend: {
                              service: {
                                name: service.metadata.name,
                                port: {
                                  number: 3000
                                }
                              }
                            }
                        }
                    ]
                }
            }
        ]
    }
}, options);
```

billowy-army-68599

11/09/2021, 2:52 PM
not the ingress, when you deployed your loadbalancer, the ingress controller gets a service `type=LoadBalancer`. how did you deploy `nginx-ingress`?

sparse-spring-91820

11/09/2021, 2:54 PM
Using helm chart, code:
```typescript
const nginx = new k8s.helm.v3.Chart('nginx',
    {
        namespace,
        chart: 'nginx-ingress',
        version: '1.24.4',
        fetchOpts: { repo: 'https://charts.helm.sh/stable/' },
        values: {
          controller: {
            annotations: {
              'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
              'service.beta.kubernetes.io/aws-load-balancer-type': 'alb',
              'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http',
              'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'https'
            },
            publishService: { enabled: true }
          }
        }
    },
    { providers: { kubernetes: options.provider } }
);
```

billowy-army-68599

11/09/2021, 2:59 PM
you're using a really really old version of the chart, from the deprecated repo. I think that's from before a lot of the defaults had been figured out. your repo needs to be: `https://kubernetes.github.io/ingress-nginx`, see here for more details: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx
and then set the values like so:
```yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```

sparse-spring-91820

11/09/2021, 3:01 PM
Woow, didn't know that. Thank you a lot! 🙌 I will try as soon as possible and give a feedback
IT WORKS 🎉 Thanks a lot once more!!