I’m new to K3s, and have struggled with this step for a few days.
Environment: Ubuntu 20.04 | K3s installation without Traefik.
K3s installation script:

    curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -

Nginx ingress installation script:

    helm repo add nginx-stable https://helm.nginx.com/stable
    helm repo update
    helm install my-release nginx-stable/nginx-ingress

Cert-manager installation script:

    helm repo add jetstack https://charts.jetstack.io
    helm repo update
    helm install \
      cert-manager jetstack/cert-manager \
      --namespace cert-manager \
      --create-namespace \
      --version v1.3.1 \
      --set installCRDs=true

Verified with Cert-manager verifier.

Create a testing namespace to play with:

    kubectl create ns practice-cls

Test service deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: kuard
      namespace: practice-cls
    spec:
      selector:
        matchLabels:
          app: kuard
      replicas: 1
      template:
        metadata:
          labels:
            app: kuard
        spec:
          containers:
          - image: gcr.io/kuar-demo/kuard-amd64:1
            imagePullPolicy: Always
            name: kuard
            ports:
            - containerPort: 8080
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: kuard
      namespace: practice-cls
    spec:
      ports:
      - port: 80
        targetPort: 8080
        protocol: TCP
      selector:
        app: kuard

Issuer:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: selfsigned-cluster-issuer
      namespace: cert-manager
    spec:
      selfSigned: {}

Service ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kuard
      namespace: practice-cls
      annotations:
        cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
    spec:
      tls:
      - hosts:
        - example.example.com
        secretName: quickstart-example-tls
      rules:
      - host: example.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kuard
                port:
                  number: 80
      ingressClassName: nginx

    # kubectl describe ing kuard -n practice-cls
    Name:             kuard
    Labels:           <none>
    Namespace:        practice-cls
    Address:          10.227.224.141
    Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
    TLS:
      quickstart-example-tls terminates example.example.com
    Rules:
      Host                 Path  Backends
      ----                 ----  --------
      example.example.com
                           /   kuard:80 (10.42.0.76:8080)
    Annotations:           cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
    Events:
      Type     Reason                     Age   From                      Message
      ----     ------                     ----  ----                      -------
      Warning  AddedOrUpdatedWithWarning  6m9s  nginx-ingress-controller  Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type

I don’t know if there was anything wrong with this; the kuard image was just a tutorial service from cert-manager. And I got ERR_SSL_UNRECOGNIZED_NAME_ALERT from the manifests above.
Let me know if there’s some more information to troubleshoot this.
Thank you guys

2 Answers

After a while of searching and experimenting, I managed to handle this by:
- Using the K8s nginx ingress instead of the official one provided by nginx themselves
- Enabling SSL passthrough, either by editing the deployment of the nginx controller or by enabling it right when installing

The nginx ingress controller (produced by Nginx, the company) has picky code that will not support the default Opaque Secret type for the TLS secret. Check that your "quickstart-example-tls" Secret has its type set to kubernetes.io/tls, or one of the supported types in their list.
The community-supported Kubernetes Nginx Ingress Controller does not have this restriction, and supports Opaque secret types just fine.
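
The controller's warning in the question covers two different conditions ("secret doesn't exist or of an unsupported type"). The following is an added example, not code from the question or either answer, that tells them apart with kubectl; `check_tls_secret` and its return codes are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: decide which half of the NGINX warning applies.
# check_tls_secret is a hypothetical helper; its return codes are this
# example's own convention, not part of kubectl or the ingress controller.
#   0 = usable, 1 = Secret missing, 2 = wrong type, 3 = tls.crt/tls.key empty
check_tls_secret() {
    ns=$1
    name=$2

    # A non-zero exit from kubectl means the Secret was not found (or could
    # not be read), so the certificate has not been written there yet.
    if ! stype=$(kubectl get secret "$name" -n "$ns" -o 'jsonpath={.type}' 2>/dev/null); then
        echo "missing: cannot read Secret $ns/$name; inspect: kubectl describe certificate -n $ns"
        return 1
    fi

    # The second answer names kubernetes.io/tls as the type to look for.
    if [ "$stype" != "kubernetes.io/tls" ]; then
        echo "wrong-type: Secret $ns/$name has type '$stype', expected kubernetes.io/tls"
        return 2
    fi

    # Dots inside a key name must be escaped in kubectl's jsonpath.
    # The values are only tested for emptiness and are never printed.
    crt=$(kubectl get secret "$name" -n "$ns" -o 'jsonpath={.data.tls\.crt}' 2>/dev/null) || crt=""
    key=$(kubectl get secret "$name" -n "$ns" -o 'jsonpath={.data.tls\.key}' 2>/dev/null) || key=""
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "incomplete: Secret $ns/$name lacks tls.crt or tls.key data"
        return 3
    fi

    echo "ok: Secret $ns/$name is type kubernetes.io/tls with certificate and key"
    return 0
}

# Usage against the manifests on this page:
#   check_tls_secret practice-cls quickstart-example-tls
```

A result of `missing` points at certificate issuance rather than at the ingress controller, while `wrong-type` matches the situation the second answer describes.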