Cert-manager and Rancher 2.0?


#1

Has anyone gotten cert-manager working in Rancher 2.0?

I start by deploying it from the Helm catalog. I then add an issuer like so:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME server URL
    server: https://acme-v01.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: me@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the HTTP-01 challenge provider
    http01: {}

I then add certmanager.k8s.io/cluster-issuer=letsencrypt as an annotation on my ingress. If I hit http://mydomain.example.com, traffic routes to the correct service. https://mydomain.example.com, on the other hand, routes to the default ingress backend backed by the fake k8s certificate (i.e. it’s as if the ingress isn’t being configured for TLS, which is not what these docs suggest should happen).

I see the following in my ingress-shim logs:

I0509 23:48:51.083118       1 controller.go:147] ingress-shim controller: syncing item 'syncthing/ingress'
I0509 23:48:51.083271       1 controller.go:161] ingress-shim controller: Finished processing work item "syncthing/ingress"

Where syncthing/ingress is the namespace/ingress of my project. This seems to indicate that the annotation is being discovered, as I see:

I0509 23:47:17.490804 1 sync.go:41] Not syncing ingress syncthing/ingress as it does not contain necessary annotations

if I remove the annotation. I do see a letsencrypt secret in kube-system, but I think this may be a private key for LE authentication rather than my cert itself. kubectl get certificates --all-namespaces returns nothing. Likewise, I never see any messages indicating that a cert is being provisioned, just the absence of messages indicating that required annotations are missing when I point the ingress at an issuer.

Has anyone gotten this working? I’m wondering if there’s anything non-standard about the Rancher ingress controller that might be tripping up cert-manager. I’m also wondering if there’s a different/better way to integrate LE with Rancher.

Thanks for any help.


#2

Hi,

I firstly tried Traefik without any success (Rancher 2.0 and Traefik).
I will try cert-manager.

If I find something on my side I will let you know.

Thanks


#3

Yep, tried it and works just fine. I first used external DNS from the catalog to have the domain linked (you can do that manually), then set up an ingress, then added a cluster issuer, then added a certificate, then updated the ingress to use the certificate.


#4

OK, so that answers one question. I wasn’t sure whether to provision the cert manually or to use ingress-shim. Sounds like you’re going the manual route.

If that’s the case, mind sharing your configs? I’m getting absolutely nothing meaningful in my logs, and I’m pretty sure I’m as close to what you’ve set up as I can get. But clearly something isn’t working, as my certificate resource isn’t deploying. I switched to DNS01 challenges, as I assumed HTTP01 wouldn’t work with the default ingress, but neither works for me.


#5

The ingress shim I think is buggy or something… here’s a sample issuer config

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME production api URL
    server: https://acme-v01.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: tools@whateveremail.com

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-production

    # Enable the HTTP-01 challenge provider
    http01: {}

and a sample Certificate

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: www-something-com
  namespace: namespacetouse
spec:
  secretName: www-something-com-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: thedomain
  dnsNames:
  - thedomain
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - thedomain

#6

Yup, that worked. I’m not sure why mine didn’t, since I copied the certificate configs directly from the docs, but yours seems to explicitly configure the ACME challenge, whereas the docs indicated that the config would be picked up from the issuer.

In any case, I’ve got HTTPS now, and like that the automatic redirect is automatically configured. That would have been my next question.

Should we move this thread to the Rancher 2.0 forum?


#7

Glad to hear it and sure thing although I’m not sure how to move it! Yeah auto redirect is nice :slight_smile:


#8

Hi Josmo,

thank you very much for the information provided.

I have a problem to have clusterissuer stays persistent.

Using Rancher 2.0 and using kubectl from within the cluster, I don't know which directory I can save the yaml files to, and so on.

After rebooting these things are lost.

Rancher server has a bind mounted directory to /var/lib/rancher


#9

Do you mean when you reboot the etcd and controller instances?


#10

Yes, but in the meantime I achieved that my issuer files stay persistent.

A certificate is not pulled, I think because of several tries hitting the rate limit of letsencrypt staging.

I will try again in one week…


#11

It does not work.
Clusterissuer is ready, but certificate is not working (something with challenge error), I think it cannot pull the certificate.
Any port issues, because Rancher load balancing does not work either.


#12

@Section1977 I have created a tutorial (at the bottom it is linked to a video) of how to use Let’s Encrypt with cert-manager to generate usable certificates within the cluster. At the end I also show how to configure the Ingress shims to use those certificates. https://www.idealcoders.com/posts/rancher/2018/06/rancher-2-x-and-lets-encrypt-with-cert-manager-and-nginx-ingress/

I have gotten certificates to generate and be usable.


#13

Ok, everything works fine. Thanks a lot for the tutorial.

I have got certificates that are usable, so rancher 2 is now usable for me.

The only issue remaining is:
I have clusterissuers and got the corresponding certificates.
But they do not show up in other namespaces, only the default one.
The behaviour is like a normal issuer, I think.

Any suggestions ? A bug ?


#14

The certificates must be placed in a single namespace. There isn’t a way around that. ClusterIssuer should be visible from any namespace. I use ClusterIssuer and can use it on all of my namespaces.
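To make the scoping in this post concrete, here is an added example (not posted by anyone in this thread): a cluster-scoped ClusterIssuer, plus a namespaced Certificate and the Ingress that consumes its secret, both in the same namespace. It uses the certmanager.k8s.io/v1alpha1 API shown earlier in the thread and the Let's Encrypt v1 staging endpoint; the namespace "myapp", the host "app.example.com", the service "myapp" and the resource names are placeholders.

```yaml
# Added example, not from any poster in this thread. Assumes cert-manager's
# certmanager.k8s.io/v1alpha1 API, an nginx ingress class, and placeholder
# names (namespace "myapp", host "app.example.com", service "myapp").
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging     # cluster-scoped: no namespace field
spec:
  acme:
    # Staging endpoint: use it while iterating to avoid production rate limits
    server: https://acme-staging.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      # ACME account key, not a site certificate; for a ClusterIssuer it is
      # stored in cert-manager's own namespace (kube-system in this thread)
      name: letsencrypt-staging
    http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: app-example-com
  namespace: myapp              # namespaced: must match the Ingress below
spec:
  secretName: app-example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer         # omit this and cert-manager looks for a namespaced Issuer
  commonName: app.example.com
  dnsNames:
  - app.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx     # solver ingress must be served by the same controller
      domains:
      - app.example.com
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app
  namespace: myapp              # same namespace as the Certificate and its secret
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-com-tls   # the secret the Certificate writes
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp
          servicePort: 80
```

Apply with kubectl apply -f and watch progress with kubectl -n myapp get certificate and kubectl -n myapp describe certificate app-example-com, whose Events show the challenge and issuance steps. A Secret of a given name exists in exactly one namespace, so a site that spans several namespaces needs a Certificate in each of them; the ClusterIssuer is what lets all of those Certificates share one ACME account. If you prefer the ingress-shim route instead of a hand-written Certificate, keep the tls block above and add the certmanager.k8s.io/cluster-issuer: letsencrypt-staging annotation to the Ingress: the shim only generates Certificates for hosts listed under tls, so an Ingress without that block produces nothing, which matches the silent sync messages in the first post.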


#15

Hi, I am new to Rancher and this forum and I try to get SSL to work for my subdomains and pods with letsencrypt. Do I really need an external DNS? And how do I set this up? The tutorial from @dhawton seems to be very well written, but I am confused with the cloudflare stuff :confused:

Thank you very much


#16

You do not need to use an external DNS… you can use HTTP-01 validation. Cloudflare is good, and free, if you need/want external hosting and/or use DNS-01 validation.


#17

I set up Ingress shim with cert manager and it works.
When deploying a new workload, cert manager added one service discovery and one Ingress Load Balancer, both called cm-acme-http-solver-xxyy.
Now I have no idea how to use it with the domain and get the letsencrypt cert. Please visit this post and see if you can help.
TY


#19

@dhawton So are you saying, if your certificate is configured to work on say 3 sub-domains, each is hosted in their own project/namespace, then you need to make a new lets encrypt request for each project?

(This is the only way I have been able to get it to work, BTW)

If this is the case, I’m not sure what a “clusterIssuer” is for? I still need to make a request for each project.