Need use ServicePort in http01 #2483

Closed
54853315 opened this issue Dec 21, 2019 · 1 comment
Comments

@54853315 54853315 commented Dec 21, 2019

Hi!

I'm using an SLB (server load balancing) server; all my k8s nodes give the SLB a fixed NodePort 32001, so the SLB IP:80 can reach 32001.

(All my web site programs use NodePort 32001.)

So, when I use helm to deploy a web server (whether it is traefik or kong or nginx or something else), cert-manager builds a pod with a name like cm-acme-http-solver-8fjtx; it listens on port 8089 and creates a random NodePort 32***.

I want the fixed NodePort 32001 ... so my SLB can work again for cert-manager's self-check.

I looked at the documentation: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1alpha2.ACMEChallengeSolverHTTP01Ingress

but the API doesn't really have a servicePort field.

Here is the kubectl apply -f le-staging.yaml output:

error: error validating "le-staging.yaml": error validating data: [ValidationError(ClusterIssuer.spec.acme.solvers[0].http01): unknown field "servicePort" in io.cert-manager.v1alpha2.ClusterIssuer.spec.acme.solvers.http01, ValidationError(ClusterIssuer.spec.acme.solvers[0].http01): unknown field "serviceType" in io.cert-manager.v1alpha2.ClusterIssuer.spec.acme.solvers.http01]; if you choose to ignore these errors, turn validation off with --validate=false

Here is my ClusterIssuer yaml:

apiVersion: cert-manager.io/v1alpha2
# kind: Issuer
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  #namespace: default
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: 54583315@qq.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - selector: {}
      http01:
        ingress:
          serviceType: NodePort
          servicePort: 32001 # this API field does not exist, but the documentation says to use it
          class: nginx

Help ..

@munnerz munnerz commented Jan 14, 2020

Even if this field did exist, the setup you're working towards will not work - your ingress controller (i.e. ingress-nginx, contour, etc) should be listening on port 32001 - an Ingress resource that is created during the HTTP01 solving process is what actually routes traffic to the Service running on port 8089 (the acmesolver). Only a single Service can have a single nodePort, so if you were to try and do what you're doing above, your actual webserver that serves actual traffic for your website would not be accessible, as the acmesolver would be using port 32001.

You can read more on how ingress-nginx works here: https://kubernetes.github.io/ingress-nginx/how-it-works/

Hope that makes sense! Take a look at our "Securing nginx ingress" tutorial here too, as it will talk you through the entire process end-to-end: https://cert-manager.io/docs/tutorials/acme/ingress/
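The topology the reply describes, written out as an added example that is not from the issue or from the cert-manager project: the ingress controller's Service owns the fixed NodePort 32001 that the SLB forwards to, and the ClusterIssuer's http01 solver only names the ingress class, so the temporary Ingress cert-manager creates routes the challenge path through the controller to the acmesolver Service on 8089. The Service name, namespace, pod labels, second NodePort and e-mail address are assumptions or placeholders.

```yaml
# Added example (not from the issue or the cert-manager project).
# 1. The ingress controller, not the acmesolver, owns the fixed NodePort.
#    Name, namespace and selector are assumptions; match them to your controller.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller      # assumed name
  namespace: ingress-nginx            # assumed namespace
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: ingress-nginx   # assumed pod labels
  ports:
  - name: http
    port: 80
    targetPort: http
    nodePort: 32001   # the single fixed NodePort the SLB's IP:80 forwards to
  - name: https
    port: 443
    targetPort: https
    nodePort: 32002   # assumed; any free port in the NodePort range
---
# 2. The ClusterIssuer only names the ingress class. During HTTP01 solving,
#    cert-manager creates a temporary Ingress for /.well-known/acme-challenge/<token>
#    that the controller above routes to the acmesolver Service (port 8089).
#    No servicePort field is needed, and none exists on this API.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: admin@example.com   # placeholder
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
```

Before applying, confirm that no other Service already claims 32001, since a NodePort can belong to only one Service: kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.ports[*].nodePort}{"\n"}{end}'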

@munnerz munnerz closed this Jan 14, 2020