cert-manager | Automatically provision and manage TLS certificates | TLS library
kandi X-RAY | cert-manager Summary
kandi X-RAY | cert-manager Summary
Automatically provision and manage TLS certificates in Kubernetes
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of cert-manager
cert-manager Key Features
cert-manager Examples and Code Snippets
Community Discussions
Trending Discussions on cert-manager
QUESTION
We are using Linkerd 2.11.1 on Azure AKS Kubernetes. Amongst others there is a Deployment using using an Alpine Linux image containing Apache/mod_php/PHP8 serving an API. HTTPS is resolved by Traefik v2 with cert-manager, so that in coming traffic to the APIs is on port 80. The Linkerd proxy container is injected as a Sidecar.
Recently I saw that the API containers return 504 errors during a short period of time when doing a Rolling deployment. In the Sidecars log, I found the following :
...ANSWER
Answered 2022-Mar-04 at 01:07 annotations = {
"config.linkerd.io/inbound-port" = "80"
}
QUESTION
We've an application and API, running on kubernetes on Azure, using an nginx-ingress and cert-manager which automatically creates letsencrypt certificates. The connection to the application/API is encrypted with TLS1.3.
From an older application, running on a Win 2012 server, we want to retrieve data from the API (on k8s). This isn't successful, since TLS1.3 isn't supported on that server.
I'd like to set the minimum version of TLS to 1.2 on kubernetes. How can I achieve that?
I've read, that with kubelet, the tls-min-version can be configured, but I don't know how to apply this.
Note: we use az aks create
to create the k8s clusters.
ANSWER
Answered 2022-Feb-17 at 12:11As your win server connects to the application on K8s you have to set the version of TLS on the Nginx ingress level.
Nginx ingress & cert-manager is point where you server connects and access API so you just have to update the TLS version of Nginx.
You can do it by changing the config map for Nginx ingress controller. Also, you might need to update the certificate also, there could be a chance by default Let's encrypt(CA) providing the default TLS 1.3.
So after enabling TLS 1.2 for Nginx you might need to re-generate the cert-manager secret(certificate).
Configmap Nginx ingress controller
QUESTION
I don't undestand why i can't get certificates on K8S using cert-manager
I installed cert-manager : https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
I created ClusterIssuer
...
ANSWER
Answered 2022-Feb-15 at 08:56Certificates are not created automatically by cert-manager. You have to create a YAML yourself. And use the issuer name that you have already created
QUESTION
I created a TLS-enabled service with AWS PCA and cert-manager by this post: https://aws.amazon.com/blogs/security/tls-enabled-kubernetes-clusters-with-acm-private-ca-and-amazon-eks-2/
After I deployed a demo application with ingress, I tested access on control node
...ANSWER
Answered 2022-Jan-06 at 08:49Check your ingress configuration, share the YAML config-if possible which you have used with application deployment.
there could be chances there is not secret attached to ingress, due to that K8s Nginx ingress controller by default attaching the default FAKE cert instead of your generated cert.
For example :
QUESTION
I'm trying to deploy an elixir (phoenix) application in a microk8s cluster namespace with TLS using let's encrypt. The cluster is hosted on an AWS EC2 instance.
The problem I'm facing- The ingress is created in the namespace
- ingress routes to the correct domain
- the application is working and displayed on the given domain
The TLS secret is not being created in the namespace and a 'default' one is created
The secrets after deploying both phoenix app and httpbin app:
...ANSWER
Answered 2022-Jan-06 at 22:47I found out that you can actually check for certificates with kubectl:
kubectl get certificate -n production
The status of this certificate was READY = FALSE.
I checked the description:
kubectl describe certificate -n production
At the bottom it said: Too many certificates have been created in the last 164 hours for this exact domain.
I just changed the domain and voila! It works.
QUESTION
I have an Elasticsearch DB running on Kubernetes exposed to my_domain.com/elastic
as an Istio virtual service, which I have no problem accessing via the browser (as in I get to login successfully to the endpoint). I can also query the DB with Python's Requests. But I can't access the DB with the official python client if I use my_domain.com/elastic
. The LoadBalancer IP works perfectly well even with the client. What am I missing? I have SSL certificates set up for my_domain.com via Cert-Manager and CloudFlare.
This works:
...ANSWER
Answered 2021-Dec-30 at 09:56I have reproduced your problem and the solution is as follows. First, pay attention to your yaml file:
QUESTION
I managed to install kubernetes 1.22, longhorn, kiali, prometheus and istio 1.12 (profile=minimal) on a dedicated server at a hosting provider (hetzner).
I then went on to test httpbin with an istio ingress gateway from the istio tutorial. I had some problems making this accessible from the internet (I setup HAProxy to forward local port 80 to the dynamic port that was assigned in kubernetes, so port 31701/TCP in my case)
How can I make kubernetes directly available on bare metal interface port 80 (and 443).
I thought I found the solution with metallb but I cannot make that work so I think it's not intended for that use case. (I tried to set EXTERNAL-IP to the IP of the bare metal interface but that doesn't seem to work)
My HAProxy setup is not working right now for my SSL traffic (with cert-manager on kubernetes) but before I continue looking into that I want to make sure. Is this really how you are suppose to route traffic into kubernetes with an istio gateway configuration on bare metal?
I came across this but I don't have an external Load Balancer nor does my hosting provider provide one for me to use.
...ANSWER
Answered 2021-Dec-14 at 09:31Posted community wiki answer for better visibility based on the comment. Feel free to expand it.
The solution for the issue is:
I setup HAProxy in combination with Istio gateway and now it's working.
The reason:
I think the reason why SSL was not working was because istio.io/latest/docs/setup/additional-setup/gateway creates the ingress gateway in a different namespace (
istio-ingress
) from the rest of the tutorials (istio-system
).
QUESTION
I am following the devops guy tutorial for setting up CERT manager.
Steps:
Create new kind cluster
...ANSWER
Answered 2021-Dec-14 at 12:19Posted community wiki answer for better visibility based on the OP edit in the main question. Feel free to expand it.
The solution for the issue is to upgrade to the current, supported version (from the OP edit in main question):
I actually updated to the latest cert-manager (v.1.6.1) and did the exact same steps. It seems to work. Maybe it was bug in that version. Weird!
Version 1.6.1 is currently supported (as of today - 14.12.2021) until Feb 9, 2022.
Version 1.0.4 is outdated, not supported since Feb 10, 2021.
QUESTION
I'm struggling to expose a service in an AWS cluster to outside and access it via a browser. Since my previous question haven't drawn any answers, I decided to simplify the issue in several aspects.
First, I've created a deployment which should work without any configuration. Based on this article, I did
kubectl create namespace tests
created file
...probe-service.yaml
based onpaulbouwer/hello-kubernetes:1.8
and deployed itkubectl create -f probe-service.yaml -n tests
:
ANSWER
Answered 2021-Nov-16 at 13:46Well, I haven't figured this out for ArgoCD yet (edit: figured, but the solution is ArgoCD-specific), but for this test service it seems that path resolving is the source of the issue. It may be not the only source (to be retested on test2 subdomain), but when I created a new subdomain in the hosted zone (test3, not used anywhere before) and pointed it via A
entry to the load balancer (as "alias" in AWS console), and then added to the ingress a new rule with /
path, like this:
QUESTION
I am trying to write the nginx ingress config for my k8s cluster.
...ANSWER
Answered 2021-Nov-25 at 09:04OP has confirmed, that the issue was solved in this github topic
it was exactly the issue you mentioned, thanks for your help
This problem is related to CVE-2021-25742. Problem is solved based on this message:
Hi folks we just released Ingress NGINX v1.0.5. Thanks to @rikatz who helped implement
#7874 which added the option to sanitize annotation inputs
annotation-value-word-blocklist
defaults are"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"
Users from mod_security and other features should be aware that some blocked values may be used by those features and must be manually unblocked by the Ingress Administrator.
For more details please check https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist
If you have any issues with this new feature or the release please open a new issue so we can track it there.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install cert-manager
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page