use of existing https certificates #24

Closed
fraank opened this issue Jan 24, 2022 · 9 comments
Comments

@fraank

fraank commented Jan 24, 2022

With https://console.hetzner.cloud/projects/.../security/certificates there is a comfortable interface for managing https certificates across different contexts.

Is there any way to use them with kube-hetzner?

@mysticaltech
Collaborator

Hey @fraank, I believe that working with certificates that are stored in Hetzner is out of context here. Basically, all you need to do is configure your ingress definition to use the certificate you want, that is stored or generated in Kubernetes itself.

You never ever have to touch the LB manually, it will just show up there automatically and all just works.

Please have a look at a previous issue #18 on the subject where you'll find a few examples. Good luck!

@fraank
Author

fraank commented Jan 24, 2022

Yes, attaching the certificates within ingress could be a solution.

My first thought was, if it is possible to change protocols of LB from tcp:80 -> http:80 and tcp:443 -> https:443?
I can attach many certificates at the loadbalancer service interface when switching protocols to https.

A simple test switching the incoming protocol from tcp to http turns out that it makes the service unhealthy. The same with https.

@mysticaltech
Collaborator

mysticaltech commented Jan 24, 2022

Yes, but you have to understand that the LB is created by the ingress controller with its required specs, so if you change it manually later on, it no longer has the required specs and becomes unhealthy.

So any changes you do to the LB must be through the ingress system! And since by default it's configured to use proxy protocol, you just need to configure the ingress definitions well and everything just works, including SSL.

In the other issue mentioned above, you'll find an example ingress definition. Just try it, you'll be surprised! :)

@fraank
Author

fraank commented Jan 24, 2022

Thanks and sorry for bothering you, as it is not directly connected to the project or a bug. But I guess this could be a great default use case for others, just using Hetzner resources.

As I understood, this is roughly how my ingress should work, while the loadbalancer is kept untouched:

I created the wildcard certificate mydomain-de within the web interface (/security/certificates). Like you did in your linked example by hcloud certificate create --name cloudflare-tls --cert-file origin-ca.crt --key-file origin-ca.pk.

Then I created the ingress using this certificate mydomain-de:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    traefik.frontend.passHostHeader: "true"
spec:
  # Fallback backend for requests that match no rule below
  defaultBackend:
    service:
      name: echo1
      port:
        number: 80
  # Terminate TLS for these hosts with the certificate stored in the secret
  tls:
  - secretName: mydomain-de
    hosts:
    - status.mydomain.de
    - images.mydomain.de
  rules:
  - host: "status.mydomain.de"
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: echo1
            port:
              number: 80
  - host: "images.mydomain.de"
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: imgproxy
            port:
              number: 80

As the response shows that the certificate is still invalid, I guess there is a link to the certificate store (with api-token to receive that) missing?!

@mysticaltech
Collaborator

@fraank No bother at all. It's definitely a good discussion to have.

From what I see, it appears you are not creating your certificate as a Kubernetes secret? Yet you are calling it from your ingress definition as a secret in Kubernetes.

My apologies frank, I had pasted the wrong command in the other issue, now rectified. There is no hcloud create needed at all, the secret needs to be created in Kubernetes only, with the following command:

kubectl create secret tls mydomain-de --key origin-ca.pk --cert origin-ca.crt

Now it will work! 🤞
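The step above (turning a certificate/key pair into a kubernetes.io/tls Secret that the Ingress references by secretName) is easy to get subtly wrong: the key may not belong to the certificate, or the certificate may not cover every host listed in the Ingress tls block, and the Secret itself does not guarantee either. The script below is an added example, not code from the thread or from the kube-hetzner project. It checks both conditions with openssl and then renders the same Secret manifest that kubectl create secret tls mydomain-de --key origin-ca.pk --cert origin-ca.crt would produce. It assumes openssl (1.1.1 or newer, for -addext) and base64 are on PATH; the self-signed wildcard certificate it generates is a constructed stand-in for the Cloudflare origin pair, and the file names origin-ca.crt / origin-ca.pk and the host names are taken from the thread.

```shell
#!/bin/sh
# Added example: validate a TLS key pair against the hosts of an Ingress and
# render the kubernetes.io/tls Secret the Ingress's secretName points at.
# Requires: openssl, base64. No cluster access is needed to run it.
set -eu

# Constructed sample input: a throwaway self-signed wildcard certificate
# standing in for the real Cloudflare origin pair from the thread.
make_sample_pair() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=*.mydomain.de" \
    -addext "subjectAltName=DNS:*.mydomain.de" \
    -keyout "$dir/origin-ca.pk" -out "$dir/origin-ca.crt" >/dev/null 2>&1
}

# Exit 0 when the public key embedded in the certificate equals the public
# key derived from the private key, 1 when they differ, 2 on unreadable input.
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 only if the certificate matches every host given after the cert path.
# openssl x509 -checkhost prints "Hostname H does match certificate" or
# "Hostname H does NOT match certificate"; the exit code is not reliable, so
# grep the message. A wildcard *.mydomain.de covers status.mydomain.de but
# neither the apex mydomain.de nor a deeper a.b.mydomain.de.
cert_covers() {
  cert=$1
  shift
  for host in "$@"; do
    openssl x509 -in "$cert" -noout -checkhost "$host" \
      | grep -q ' does match ' || return 1
  done
  return 0
}

# Print the Secret manifest equivalent to `kubectl create secret tls NAME
# --cert CERT --key KEY`: type kubernetes.io/tls with base64 tls.crt/tls.key.
# Refuses to render a mismatched pair.
render_tls_secret() {
  name=$1
  cert=$2
  key=$3
  pair_matches "$cert" "$key" || {
    echo "refusing: $key does not match $cert" >&2
    return 1
  }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$cert" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# End-to-end run against the constructed sample; apply the output with
# `kubectl apply -f -` once it passes.
demo() {
  work=$(mktemp -d)
  make_sample_pair "$work"
  cert_covers "$work/origin-ca.crt" status.mydomain.de images.mydomain.de \
    || { echo "certificate does not cover all Ingress hosts" >&2; return 1; }
  render_tls_secret mydomain-de "$work/origin-ca.crt" "$work/origin-ca.pk"
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Running the script with --demo prints the manifest for the sample pair. For the real certificate, point cert_covers at origin-ca.crt with the hosts from the Ingress tls block before creating the Secret; a certificate that passes pair_matches but fails cert_covers is exactly the "certificate is still invalid" symptom a browser reports.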

@fraank
Author

fraank commented Jan 24, 2022

Oh, ok. Now it makes more sense.

Unfortunately Hetzner doesn't let us download the .pk and .crt directly. I thought I could use parts of this to download and update the cert via an API request from the official API.

I cannot believe I'm the first one doing this, but cannot find any notes about that.


Edit: I'm not. #1

Edit 2: I think I'm searching for sth. like load-balancer.hetzner.cloud/http-certificates: "<id or name of your cert>" just for the ingress (Link).

@mysticaltech
Collaborator

If I were you, just forget Hetzner certificates, Cloudflare is great, or just LetsEncrypt!

@fraank
Author

fraank commented Jan 25, 2022

Ok, I got an official statement from Hetzner that Cloud Control Manager cannot be used for Ingress-Services. They recommended me to implement it myself but cannot give any guarantee that it will finally work.

I think I will tryout Cloudflare. Thanks for your patience and input :-). I guess this ticket can be closed.

@mysticaltech
Collaborator

Great! Thanks for clarifying, you won't regret it, Cloudflare rocks!
