Why my "Certificate" object and "Ingress" both are creating Certificates ?
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: blog-app-crt
spec:
  secretName: blog-app-crt-sec
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  commonName: blog.mydomain.com
  dnsNames:
    - blog.mydomain.com
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Email address used for ACME registration
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Name of a secret used to store the ACME account private key
      name: letsencrypt-production-private-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
    - hosts:
        - blog.mydomain.com
      secretName: blog-app-crt-sec
  rules:
    - host: blog.mydomain.com
      http:
        paths:
          - pathType: Prefix
            path: "/?(.*)"
            backend:
              service:
                name: app-1-endpoint
                port:
                  number: 5000
          - pathType: Prefix
            path: "/tribute/?(.*)"
            backend:
              service:
                name: app-2-endpoint
                port:
                  number: 5001
When I create the above objects, it creates 2 Certificate objects, both pointing to the same secret:
- blog-app-crt-sec
- blog-app-crt
How can I create only 1 Certificate? If I create only a ClusterIssuer without any custom certificate, then of course that will solve the issue, but I want to create a custom certificate to control the renewal stuff.
2 Answers
There is a component of cert-manager called ingress-shim that watches Ingress resources and automatically creates Certificate objects for you when some annotations are present. This way, you wouldn't even need to create the Certificate object on your own. Please check your ingress definition for corresponding cert-manager.io scoped annotations and either use those or the manually created certificate. I assume you refer to the secret named blog-app-crt in your ingress definition. This needs to match what is defined in the cert spec secretName if you don't use the automated creation! For details on automatic certificate creation, please check the cert-manager docs on ingress: https://cert-manager.io/docs/usage/ingress/
In your case: cert-manager.io/cluster-issuer tells that Ingress to generate certificates for your host (the annotation on the Ingress configuration plays a big role in the background). kind: Certificate is also telling it to generate the certificate for your host. You can choose either one of them in your configuration. The best one for you is to drop that kind: Certificate configuration.

When do we drop the annotation and use the certificate? For example, you have a.host.com, b.host.com, c.host.com and want to generate a single certificate and use it in multiple places, i.e. either in Ingress or in other TCP SSL configurations.
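The root cause in the question and the fix in both answers can be checked mechanically before applying manifests: an Ingress that carries a cert-manager issuer annotation makes ingress-shim create its own Certificate (named after the TLS secret, which is where the second object, blog-app-crt-sec, comes from), so if a hand-written Certificate already writes to that secretName, two Certificates end up renewing into one Secret. The script below is an added example, not code from the question, the answers or cert-manager. It takes the JSON a practitioner would get from `kubectl get ingress,certificate -A -o json` (a List with an `items` array), reports every collision, and shows the "keep the manual Certificate, drop the annotation" correction. The sample objects are constructed to mirror the question's manifests; the function names are this example's own.

```python
"""Detect Ingresses whose cert-manager annotation would make ingress-shim
create a Certificate for a Secret that a manual Certificate already owns.

Usage: python check_cert_conflicts.py [objects.json]
With no argument, the constructed sample below is checked.
"""
import copy
import json
import sys

# Annotations that make ingress-shim create a Certificate for an Ingress.
# (The older `kubernetes.io/tls-acme` annotation is deliberately not covered.)
ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")


def _namespace(obj):
    # `kubectl get -o json` fills this in; hand-written manifests may omit it.
    return obj.get("metadata", {}).get("namespace", "default")


def is_ingress_shim_managed(obj):
    """True if ingress-shim would create a Certificate for this Ingress."""
    annotations = obj.get("metadata", {}).get("annotations", {})
    return obj.get("kind") == "Ingress" and any(a in annotations for a in ISSUER_ANNOTATIONS)


def find_secret_conflicts(items):
    """Return [(ingress_name, secret_name, certificate_name), ...] for every
    annotated Ingress whose TLS secret is also written by a Certificate
    object in the same namespace."""
    # (namespace, secretName) -> Certificate name for every explicit Certificate.
    certs_by_secret = {}
    for obj in items:
        if obj.get("kind") == "Certificate":
            secret = obj.get("spec", {}).get("secretName")
            if secret:
                certs_by_secret[(_namespace(obj), secret)] = obj["metadata"]["name"]

    conflicts = []
    for obj in items:
        if not is_ingress_shim_managed(obj):
            continue
        for tls in obj.get("spec", {}).get("tls", []):
            key = (_namespace(obj), tls.get("secretName"))
            if key in certs_by_secret:
                conflicts.append((obj["metadata"]["name"], key[1], certs_by_secret[key]))
    return conflicts


def drop_issuer_annotations(items):
    """The correction for the 'keep the manual Certificate' choice: return a
    deep copy in which no Ingress carries an ingress-shim annotation. The
    Ingress keeps its tls.secretName, so it still serves the manual cert."""
    fixed = copy.deepcopy(items)
    for obj in fixed:
        if obj.get("kind") == "Ingress":
            annotations = obj.get("metadata", {}).get("annotations", {})
            for a in ISSUER_ANNOTATIONS:
                annotations.pop(a, None)
    return fixed


# Constructed sample mirroring the question's Certificate and Ingress
# (only the fields the check needs are included).
SAMPLE = {
    "kind": "List",
    "items": [
        {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
         "metadata": {"name": "blog-app-crt", "namespace": "default"},
         "spec": {"secretName": "blog-app-crt-sec",
                  "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"},
                  "dnsNames": ["blog.mydomain.com"]}},
        {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
         "metadata": {"name": "ingress-service", "namespace": "default",
                      "annotations": {"kubernetes.io/ingress.class": "nginx",
                                      "cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
         "spec": {"tls": [{"hosts": ["blog.mydomain.com"], "secretName": "blog-app-crt-sec"}]}},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            data = json.load(f)
    else:
        data = SAMPLE
    found = find_secret_conflicts(data["items"])
    for ingress, secret, cert in found:
        print(f"Ingress {ingress}: TLS secret {secret} is also written by Certificate {cert}; "
              "drop the cert-manager.io issuer annotation or the Certificate object")
    print(f"{len(found)} conflict(s); after dropping annotations: "
          f"{len(find_secret_conflicts(drop_issuer_annotations(data['items'])))}")
```

Run against the sample it reports one conflict for ingress-service, and zero after drop_issuer_annotations; the same check also covers the multi-host case from the second answer, since several Ingresses pointing at one Certificate's Secret only stay conflict-free as long as none of them carries an issuer annotation.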