# kubernetes
s
Hello 👋 I am stuck with setting up SSL certificate for the ingress controller. I created a certificate for my domain and completed the DNS challenge using ACM. What I'm trying now is to use that created certificate for my nginx-ingress controller but I can't make it work. This is my code:
```typescript
const nginx = new k8s.helm.v3.Chart('nginx',
    {
        namespace,
        chart: 'nginx-ingress',
        version: '1.24.4',
        fetchOpts: { repo: 'https://charts.helm.sh/stable/' },
        values: {
          controller: {
            annotations: {
              'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
              'service.beta.kubernetes.io/aws-load-balancer-type': 'alb',
              'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http',
              'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'https'
            },
            publishService: { enabled: true }
          }
        }
    },
    { providers: { kubernetes: options.provider } }
);
```
I tried a lot of variations but none of them worked for me. I end up getting the error `400 Bad Request "Plain HTTP request was sent to HTTPS port"`, or in another case I get the auto-generated "Kubernetes Ingress Controller Fake Certificate", which shows me the "Not secure" flag in the browser because that certificate is not signed by an authority that the browser trusts. Has anyone else got nginx-ingress working with a certificate generated by ACM?
f
Here's the config that I used for the ALB using the AWS Load Balancer Controller. It might help you.
```typescript
{
    "kubernetes.io/ingress.class": "alb",
    "alb.ingress.kubernetes.io/scheme": "internet-facing",
    "alb.ingress.kubernetes.io/target-type": "ip",
    "alb.ingress.kubernetes.io/certificate-arn": "certificate arn",
    "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "certificate arn",
    "alb.ingress.kubernetes.io/listen-ports": '[{"HTTPS":443}]',
    "alb.ingress.kubernetes.io/actions.ssl-redirect":
        '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
}
```
f
Yes. But be aware that there are ingress await issues using that controller (for now at least).
s
Thanks 🙌! I will try to stick with nginx-ingress and see if anyone has a solution 🤞
f
I can see nginx in their example uses this:
```yaml
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-type: elb
```
Taken from here: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy-tls-termination.yaml and https://kubernetes.github.io/ingress-nginx/deploy/#tls-termination-in-aws-load-balancer-nlb
s
Yeah, tried all that but without success 😕
b
@sparse-spring-91820 can you show me your spec for the ingress service?
s
```typescript
const ingress = new k8s.networking.v1.Ingress('nginx-ingress-rule', {
    metadata: {
        namespace,
        annotations: {
          'kubernetes.io/ingress.class': 'nginx'
        }
    },
    spec: {
        rules: [
            {
                host: 'ivo.example.com',
                http: {
                    paths: [
                        {
                            path: '/',
                            pathType: 'Prefix',
                            backend: {
                              service: {
                                name: service.metadata.name,
                                port: {
                                  number: 3000
                                }
                              }
                            }
                        }
                    ]
                }
            }
        ]
    }
}, options);
```
b
Not the ingress. When you deployed your load balancer, the ingress controller got a Service of type=LoadBalancer. How did you deploy nginx-ingress?
s
Using the Helm chart; code:
```typescript
const nginx = new k8s.helm.v3.Chart('nginx',
    {
        namespace,
        chart: 'nginx-ingress',
        version: '1.24.4',
        fetchOpts: { repo: 'https://charts.helm.sh/stable/' },
        values: {
          controller: {
            annotations: {
              'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
              'service.beta.kubernetes.io/aws-load-balancer-type': 'alb',
              'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http',
              'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'https'
            },
            publishService: { enabled: true }
          }
        }
    },
    { providers: { kubernetes: options.provider } }
);
```
b
You're using a really, really old version of the chart, from the deprecated repo. I think that's from before a lot of the defaults had been figured out. Your repo needs to be https://kubernetes.github.io/ingress-nginx (see here for more details: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx), and then set the values like so:
```yaml
controller:
  service:
    # TLS is terminated at the ELB, so both listeners forward to the controller's plain-HTTP port
    targetPorts:
      http: http
      https: http
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
s
Woow, didn't know that. Thank you a lot! 🙌 I will try as soon as possible and give feedback.
IT WORKS 🎉 Thanks a lot once more!!