
Why are my "Certificate" object and "Ingress" both creating Certificates?

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: blog-app-crt
spec:
  secretName: blog-app-crt-sec
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  commonName: blog.mydomain.com
  dnsNames:
    - blog.mydomain.com
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Email address used for ACME registration
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Name of a secret used to store the ACME account private key
      name: letsencrypt-production-private-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
    - hosts:
        - blog.mydomain.com
      secretName: blog-app-crt-sec
  rules:
    - host: blog.mydomain.com
      http:
        paths:
          - pathType: Prefix
            path: "/?(.*)"
            backend:
              service:
                name: app-1-endpoint
                port:
                  number: 5000
          - pathType: Prefix
            path: "/tribute/?(.*)"
            backend:
              service:
                name: app-2-endpoint
                port:
                  number: 5001

When I create the above objects, two Certificate objects are created, both pointing to the same secret:

  1. blog-app-crt-sec
  2. blog-app-crt

How can I create only one Certificate? If I create only a ClusterIssuer without any custom certificate, that will of course solve the issue, but I want to create a custom certificate to control the renewal stuff.


Answers


  1. There is a component of cert-manager called ingress-shim that watches Ingress resources and automatically creates Certificate objects for you when some annotations are present. This way, you wouldn’t even need to create the Certificate object on your own.

    Please check your ingress definition for corresponding cert-manager.io scoped annotations and either use those or the manually created certificate. I assume you refer to the secret named blog-app-crt in your ingress definition. This needs to match what is defined in the cert spec secretName if you don’t use the automated creation!

    For details on automatic certificate creation, please check the cert-manager docs on ingress: https://cert-manager.io/docs/usage/ingress/

  2. In your case:

    1. The cert-manager.io/cluster-issuer annotation tells that Ingress to generate certificates for your host (the annotation on the Ingress configuration plays a big role in the background).
    2. The certificate configuration with kind: Certificate is also telling cert-manager to generate the certificate for your host.

    You can choose either one of them in your configuration.

    The best one for you is to drop that kind: Certificate configuration.

    When do we drop the annotation and use the certificate?

    For example, you have a.host.com, b.host.com, c.host.com and want to generate a single certificate and use it in multiple places, i.e. either in Ingress or in other TCP SSL configurations.

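One way to check a cluster for exactly this overlap, as an added example that is not from the question or either answer: it reads Certificate and Ingress objects in the shape returned by `kubectl get certificates,ingress -o json` (sample objects constructed inline to mirror the question's manifests) and flags an Ingress that carries an issuer annotation while its tls secretName is already the target of a hand-written Certificate. Telling ingress-shim's Certificates apart by their ownerReference of kind Ingress is an assumption noted in the code.

```python
from collections import defaultdict

# Annotations that make ingress-shim create a Certificate for an Ingress.
ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

def is_ingress_owned(cert):
    """Assumption: ingress-shim sets an ownerReference of kind Ingress on the
    Certificates it creates; a hand-written Certificate has none."""
    return any(ref.get("kind") == "Ingress"
               for ref in cert["metadata"].get("ownerReferences", []))

def duplicate_secret_targets(certificates):
    """Map secretName -> names of every Certificate writing into it,
    keeping only secrets fought over by more than one Certificate."""
    by_secret = defaultdict(list)
    for cert in certificates:
        by_secret[cert["spec"]["secretName"]].append(cert["metadata"]["name"])
    return {s: sorted(names) for s, names in by_secret.items() if len(names) > 1}

def shim_conflicts(ingresses, certificates):
    """Return (ingress, secretName, manual certificate) triples where an Ingress
    has an issuer annotation AND its tls secretName is already owned by a manual
    Certificate, i.e. both will try to manage the same Secret."""
    manual = {c["spec"]["secretName"]: c["metadata"]["name"]
              for c in certificates if not is_ingress_owned(c)}
    hits = []
    for ing in ingresses:
        annotations = ing["metadata"].get("annotations", {})
        if not any(a in annotations for a in ISSUER_ANNOTATIONS):
            continue  # no annotation: ingress-shim stays out of it
        for tls in ing["spec"].get("tls", []):
            secret = tls.get("secretName")
            if secret in manual:
                hits.append((ing["metadata"]["name"], secret, manual[secret]))
    return hits

# Constructed sample, shaped like the `items` of `kubectl get ... -o json`.
SAMPLE_CERTS = [
    {"metadata": {"name": "blog-app-crt"},
     "spec": {"secretName": "blog-app-crt-sec"}},
    {"metadata": {"name": "blog-app-crt-sec",
                  "ownerReferences": [{"kind": "Ingress", "name": "ingress-service"}]},
     "spec": {"secretName": "blog-app-crt-sec"}},
]
SAMPLE_INGRESSES = [
    {"metadata": {"name": "ingress-service",
                  "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["blog.mydomain.com"], "secretName": "blog-app-crt-sec"}]}},
]

if __name__ == "__main__":
    print(duplicate_secret_targets(SAMPLE_CERTS))
    print(shim_conflicts(SAMPLE_INGRESSES, SAMPLE_CERTS))
```

Removing the cert-manager.io/cluster-issuer annotation from the Ingress (the question's manual-Certificate route) makes `shim_conflicts` return an empty list for the same Certificates.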