skip to Main Content

I installed kubernetes in Hetner based on the repository.

I am using godaddy as DNS management

I have install cert manager in the cluster. I took it from here.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Load balancer:

apiVersion: v1
kind: Service
metadata:
  name: example-lb
  annotations:
    load-balancer.hetzner.cloud/location: hel1

spec:
  selector:
    app: example

  ports:
    - port: 80
      targetPort: 5678
  type: LoadBalancer

Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  selector:
    matchLabels:
      app: example
  replicas: 1
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: echo1
          image: hashicorp/http-echo
          args:
            - "-text=echo1"
          ports:
            - containerPort: 5678

Load balancer got 32695 port

enter image description here

I open firewall for 32695 and 80 ports.

enter image description here

I made an A record to connect my load balancer with subdomain.

I can connect to my pod through the http URL.

ClusterIssuer manifest:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx

Certificate manifest

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secure-homekube-io
  namespace: default
spec:
  secretName: secure-homekube-io-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - my-org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - my.sub.domain
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io

The question is why certificate has false status?

enter image description here

Update

Describe Challenges:

Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "some.sensitive.data." but got: echo1 

Similar issue.

2

Answers


  1. Chosen as BEST ANSWER
    1. Create Hetzner project with next config:
    hetzner_token: 
    cluster_name: echo
    kubeconfig_path: "./kubeconfig"
    k3s_version: v1.26.4+k3s1
    public_ssh_key_path: "~/.ssh/id_rsa.pub"
    private_ssh_key_path: "~/.ssh/id_rsa"
    use_ssh_agent: false # set to true if your key has a passphrase or if SSH connections don't work or seem to hang without agent. See https://github.com/vitobotta/hetzner-k3s#limitations
    # ssh_port: 22
    ssh_allowed_networks:
     - 0.0.0.0/0 # ensure your current IP is included in the range
    api_allowed_networks:
     - 0.0.0.0/0 # ensure your current IP is included in the range
    private_network_subnet: 10.0.0.0/16 # ensure this doesn't overlap with other networks in the same project
    disable_flannel: false # set to true if you want to install a different CNI
    schedule_workloads_on_masters: false
    cloud_controller_manager_manifest_url: "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.18.0/ccm-networks.yaml"
    csi_driver_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.5.1/deploy/kubernetes/hcloud-csi.yml"
    system_upgrade_controller_manifest_url: "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml"
    masters_pool:
      instance_type: cx11
      instance_count: 1
      location: hel1
    worker_node_pools:
     - name: small-static
        instance_type: cx21
        instance_count: 1
        location: hel1
    
    1. Install ingress-nginx
    helm upgrade --install 
    ingress-nginx ingress-nginx/ingress-nginx 
    -f value.yaml 
    --namespace ingress-nginx 
    --create-namespace
    

    value file:

    controller:
      kind: DaemonSet
      metrics:
        enabled: true
      
      service:
        annotations:
          load-balancer.hetzner.cloud/location: hel1
          load-balancer.hetzner.cloud/name: lb
          load-balancer.hetzner.cloud/use-private-ip: "true"
          load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'
          load-balancer.hetzner.cloud/hostname: sub.domain.name
          load-balancer.hetzner.cloud/http-redirect-https: 'false'
      replicaCount: 2
      config:
        use-proxy-protocol: "true"
    
    1. install Cert-manager
    helm upgrade --install 
    --namespace cert-manager 
    --create-namespace 
    --set installCRDs=true 
    cert-manager jetstack/cert-manager
    
    1. Connect load-balancer public IP to your DNS

    2. apply Cluster issuer:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
      namespace: cert-manager
    spec:
      acme:
        email: [email protected]
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-issuer-account-key
        solvers:
          - http01:
              ingress:
                class: nginx
    
    1. Apply Certificate:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: secure-homekube-io
      namespace: default
    spec:
      secretName: secure-homekube-io-tls
      duration: 2160h # 90d
      renewBefore: 360h # 15d
      subject:
        organizations:
          - some-org
      isCA: false
      privateKey:
        algorithm: RSA
        encoding: PKCS1
        size: 2048
      usages:
        - server auth
        - client auth
      dnsNames:
        - sub.domain.name
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer
        group: cert-manager.io
    

    7 Ingress, service and deployment for test

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress-test
      namespace: ingress-nginx
      annotations:
        kubernetes.io/ingress.class: "nginx"
        cert-manager.io/cluster-issuer: letsencrypt-prod
    spec:
      rules:
        - host: sub.domain.name
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: echo
                    port:
                      number: 80
      tls:
        - hosts:
            - sub.domain.name
          secretName: secure-homekube-io-tls
    
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: echo
      namespace: ingress-nginx
    
    spec:
      selector:
        app: echo
      ports:
        - protocol: TCP
          port: 80
          targetPort: 5678
    
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: echo
      namespace: ingress-nginx
      labels:
        app: echo
    
    spec:
      selector:
        matchLabels:
          app: echo
      replicas: 1
      template:
        metadata:
          labels:
            app: echo
        spec:
          containers:
            - name: echo1
              image: hashicorp/http-echo
              args:
                - "-text=echo1"
              ports:
                - containerPort: 5678
    

  2. i think the issue might be in one or more of the following:

    1- Well, I have no experience with hetzner cloud, but as per the link you provided, the annotations of load-balancer requires two annotations. however, you added only one of them

    if your case requires communication with public IP, then adjust your firewall and add yours.

    2- in the cluster issuer manifest, you configured the solver to http01 not dns i think the correct one is:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: godaddy-issuer
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: [email protected]
        privateKeySecretRef:
          name: godaddy-issuer-key
        solvers:
        - dns01:
            godaddy:
              apiKeySecretRef:
                name: godaddy-api-key
                key: key
              keyName: your-key
              ttl: 600
    
    

    then update the certificate and make sure that your subdomain is configured correctly and the a record exists in godaddy and routes to the desired IP.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search