use of existing https certificates #24
Hey @fraank, I believe that working with certificates that are stored in Hetzner is out of context here. Basically, all you need to do is configure your ingress definition to use the certificate you want, that is stored or generated in Kubernetes itself. You never ever have to touch the LB manually, it will just show up there automatically and all just works. Please have a look at a previous issue #18 on the subject where you'll find a few examples. Good luck!
Yes, attaching the certificates within ingress could be a solution. My first thought was, is it possible to change the protocols of the LB from tcp:80 -> http:80 and tcp:443 -> https:443? A simple test switching the incoming protocol from tcp to http turns out that it makes the service unhealthy. The same with https.
Yes, but you have to understand that the LB is created by the ingress controller with its required specs, so if you change it manually later on, it no longer has the required specs and becomes unhealthy. So any changes you do to the LB must be through the ingress system! And since by default it's configured to use proxy protocol, you just need to configure the ingress definitions well and everything just works, including SSL. In the other issue mentioned above, you'll find an example ingress definition. Just try it, you'll be surprised! :)
Thanks and sorry for bothering you, as it is not directly connected to the project or a bug. But I guess this could be a great default use case for others, just using Hetzner resources. As I understood, this is how my ingress should work, while the load balancer is kept untouched: I created the wildcard certificate. Then I created the ingress using this certificate.
As the response shows that the certificate is still invalid, I guess there is a link to the certificate store (with api-token to receive that) missing?!
@fraank No bother at all. It's definitely a good discussion to have. From what I see, it appears you are not creating your certificate as a Kubernetes secret? Yet you are calling it from your ingress definition as a secret in Kubernetes. My apologies Frank, I had pasted the wrong command in the other issue, now rectified. There is no
Now it will work! 🤞
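The pattern the comment above describes, as an added example that is not from the original issue or the kube-hetzner project: the certificate and key are stored as a `kubernetes.io/tls` Secret, and the Ingress references that Secret by name, so the ingress controller terminates TLS and the Hetzner LB is never edited by hand. Namespace `web`, secret name `wildcard-example-tls`, host `app.example.com`, ingress class `nginx` and the backend service `app` are assumed names.

```yaml
# Added example; names below are assumptions, not values from the issue.
# Create the Secret from PEM files with:
#   kubectl -n web create secret tls wildcard-example-tls --cert=tls.crt --key=tls.key
# or apply this manifest with the two fields filled in (base64 of the PEM files).
apiVersion: v1
kind: Secret
metadata:
  name: wildcard-example-tls
  namespace: web          # must be the same namespace as the Ingress below
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_PEM_CERT_CHAIN>   # placeholder: full chain, leaf first
  tls.key: <BASE64_PEM_PRIVATE_KEY>  # placeholder: unencrypted private key
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: web
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: wildcard-example-tls   # the Secret defined above
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

To confirm the controller is actually serving that certificate rather than a default one, check the chain presented on port 443 with `openssl s_client -connect <lb-ip>:443 -servername app.example.com`; a mismatched `secretName` or a Secret in another namespace is the usual reason the default certificate shows up instead.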
Oh, ok. Now it makes more sense. Unfortunately Hetzner doesn't let us download the .pk and .crt directly. I thought I could use parts of this, to download and update the cert via API-Request from the Official API. I cannot believe I'm the first one doing this, but cannot find any notes about that. Edit: I'm not. #1 Edit 2: I think I'm searching for sth. like
If I were you, just forget Hetzner certificates, Cloudflare is great, or just LetsEncrypt!
Ok, I got an official statement from Hetzner that Cloud Control Manager cannot be used for Ingress-Services. They recommended that I implement it myself but cannot give any guarantee that it will finally work. I think I will try out Cloudflare. Thanks for your patience and input :-). I guess this ticket can be closed.
Great! Thanks for clarifying, you won't regret it, Cloudflare rocks! |
With https://console.hetzner.cloud/projects/.../security/certificates there is a comfortable interface for managing https certificates over different contexts.
Is there any way to use them with kube-hetzner?