
I’m new to K3s and have struggled with this step for a few days.

Environment: Ubuntu 20.04 | K3s installation without Traefik.

K3s installation script:

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -

Nginx ingress installation script

helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install my-release nginx-stable/nginx-ingress

Cert-manager installation script

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.3.1 \
  --set installCRDs=true

Verified with Cert-manager verifier

Create a testing namespace to play with:

kubectl create ns practice-cls

Test service deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuard
  namespace: practice-cls
spec:
  selector:
    matchLabels:
      app: kuard
  replicas: 1
  template:
    metadata:
      labels:
        app: kuard
    spec:
      containers:
        - image: gcr.io/kuar-demo/kuard-amd64:1
          imagePullPolicy: Always
          name: kuard
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: kuard
  namespace: practice-cls
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: kuard

Issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}

service ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  namespace: practice-cls
  annotations:
    cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
spec:
  tls:
  - hosts:
    - example.example.com
    secretName: quickstart-example-tls
  rules:
  - host: example.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kuard
            port:
              number: 80
  ingressClassName: nginx

# kubectl describe ing kuard -n practice-cls

Name:             kuard
Labels:           <none>
Namespace:        practice-cls
Address:          10.227.224.141
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  quickstart-example-tls terminates example.example.com
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  example.example.com  
                       /   kuard:80 (10.42.0.76:8080)
Annotations:           cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
Events:
  Type     Reason                     Age   From                      Message
  ----     ------                     ----  ----                      -------
  Warning  AddedOrUpdatedWithWarning  6m9s  nginx-ingress-controller  Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type

I don’t know if there was anything wrong with this; the kuard image was just a tutorial service from cert-manager. And I got ERR_SSL_UNRECOGNIZED_NAME_ALERT from the manifests above.

Let me know if there’s some more information to troubleshoot this.

Thank you guys

2 Answers


  1. Chosen as BEST ANSWER

    After a while of searching and experimenting, I managed to handle this by:

    Using the K8s nginx ingress instead of the official one provided by Nginx themselves

    Enabling SSL passthrough, either by editing the deployment of the nginx controller or by enabling it right when installing


  2. The nginx ingress controller (produced by Nginx, the company) has picky code that will not support the default Opaque Secret type for the TLS secret. Check that your "quickstart-example-tls" Secret has its type set to kubernetes.io/tls, or one of the supported types in their list.

    // IsSupportedSecretType checks if the secret type is supported.
    func IsSupportedSecretType(secretType api_v1.SecretType) bool {
        return secretType == api_v1.SecretTypeTLS ||
            secretType == SecretTypeCA ||
            secretType == SecretTypeJWK ||
            secretType == SecretTypeOIDC
    }

    The community supported Kubernetes Nginx Ingress Controller does not have this restriction, and supports Opaque secret types just fine.
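    The two answers above point at two different things to check on the Secret an Ingress references in spec.tls: its type (answer 2) and whether the certificate it holds actually matches the Ingress host, which is what decides whether a client gets a usable name match or an unrecognized_name alert as in the question. The Go program below is an added example, not code from the NGINX controller, cert-manager or the poster: it reproduces the quoted IsSupportedSecretType rule and then runs the full set of checks on three constructed Secrets for the host example.example.com. The Secret struct is a minimal stand-in for the Kubernetes v1.Secret type, the self-signed certificate is minted locally in place of what a selfSigned ClusterIssuer would store, and the string values given to SecretTypeCA, SecretTypeJWK and SecretTypeOIDC are assumed (the page only shows the constant names).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Secret is a minimal stand-in for a Kubernetes v1.Secret (constructed for this
// example, not the client-go type): only the fields the checks below need.
type Secret struct {
	Name string
	Type string
	Data map[string][]byte
}

// kubernetes.io/tls and Opaque are standard Kubernetes secret types. The three
// nginx.org/* strings are ASSUMED values for the SecretTypeCA/JWK/OIDC constants
// named in the answer above; the page itself does not show their values.
const (
	SecretTypeTLS    = "kubernetes.io/tls"
	SecretTypeOpaque = "Opaque"
	SecretTypeCA     = "nginx.org/ca"
	SecretTypeJWK    = "nginx.org/jwk"
	SecretTypeOIDC   = "nginx.org/oidc"
)

// IsSupportedSecretType reproduces the acceptance rule quoted from the NGINX Inc.
// controller: Opaque is deliberately not in the list.
func IsSupportedSecretType(secretType string) bool {
	return secretType == SecretTypeTLS ||
		secretType == SecretTypeCA ||
		secretType == SecretTypeJWK ||
		secretType == SecretTypeOIDC
}

// ValidateTLSSecret runs the checks an operator wants on a spec.tls Secret:
// supported type, tls.crt and tls.key present, a parsable leaf certificate, and a
// SAN that covers the Ingress host. A certificate that exists but does not cover
// the host leaves the client without a name match, so it is rejected too.
func ValidateTLSSecret(s Secret, host string) error {
	if !IsSupportedSecretType(s.Type) {
		return fmt.Errorf("secret %q has type %q, expected %s", s.Name, s.Type, SecretTypeTLS)
	}
	crt, ok := s.Data["tls.crt"]
	if !ok || len(crt) == 0 {
		return fmt.Errorf("secret %q is missing tls.crt", s.Name)
	}
	if key, ok := s.Data["tls.key"]; !ok || len(key) == 0 {
		return fmt.Errorf("secret %q is missing tls.key", s.Name)
	}
	block, _ := pem.Decode(crt)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("tls.crt in %q is not a PEM certificate", s.Name)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("tls.crt in %q does not parse: %w", s.Name, err)
	}
	if err := cert.VerifyHostname(host); err != nil {
		return fmt.Errorf("certificate in %q does not cover host %s: %w", s.Name, host, err)
	}
	return nil
}

// selfSignedPEM mints a throwaway self-signed certificate for host, standing in
// for what a cert-manager selfSigned issuer would place in the Secret.
func selfSignedPEM(host string) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN that VerifyHostname matches against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// NewTLSSecret builds a Secret of the given type holding a self-signed cert for host.
func NewTLSSecret(name, secretType, host string) Secret {
	crt, key := selfSignedPEM(host)
	return Secret{Name: name, Type: secretType, Data: map[string][]byte{"tls.crt": crt, "tls.key": key}}
}

func main() {
	const host = "example.example.com" // the Ingress host from the question
	cases := []Secret{
		NewTLSSecret("quickstart-example-tls", SecretTypeOpaque, host),              // wrong type
		NewTLSSecret("quickstart-example-tls", SecretTypeTLS, "other.example.com"), // SAN mismatch
		NewTLSSecret("quickstart-example-tls", SecretTypeTLS, host),                // usable
	}
	for _, s := range cases {
		if err := ValidateTLSSecret(s, host); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("OK: secret", s.Name, "is usable for", host)
		}
	}
}
```

    Running it prints one REJECT line for the Opaque Secret (the case answer 2 describes), one for the certificate whose SAN does not match the host, and OK for the last one. Against a live cluster the same checks map to `kubectl get secret quickstart-example-tls -n practice-cls -o yaml`, reading `.type` and the `tls.crt`/`tls.key` keys under `.data`; if the Secret is absent altogether, as the controller warning in the question reports, cert-manager has not issued it yet and the Certificate and CertificateRequest resources are the place to look.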
