tls-cert | Simplify creation of TLS certificates | TLS library

Turns out it was a glitch from Github. After switching the domain from www.domain.com to domain.com then back to www.domain.com twice, the certificate was provisioned.

For any one facing the same issue, it seems the server was using a non routed CA for the server certificates, the solution I found was to use the CertificateValidation callback of StackExchange.Redis library with the following code

If anyone comes across this problem in the future, make sure your ingress is properly configured. The error message suggests that its a misconfiguration with the ingress.

To answer your question, because gateway and virtualservice can't be in different namespaces, actually they can be in a different namespaces.

If it´s not in the same namespace as virtual service you just have to specify that namespace in your virtual service spec.gateways.

Check the spec.gateways section

The problem was in certificate generation:

openssl req -x509 -new -nodes -sha256 -key ca.key -days 365 -subj '/O=A/CN=127.0.0.1' -out ca.crt openssl genrsa -out redis.key 2048

openssl req -new -sha256 -nodes -key redis.key -subj '/O=A/CN=127.0.0.1' | openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAserial /etc/ssl/private/ca.txt -CAcreateserial -days 365 -out redis.crt

CN should be different –

The nginx ingress controller supports canary deployments through the Canary Annotations

In some cases, you may want to "canary" a new set of changes by sending a small number of requests to a different service than the production service. The canary annotation enables the Ingress spec to act as an alternative service for requests to route to depending on the rules applied. The following annotations to configure canary can be enabled after nginx.ingress.kubernetes.io/canary: "true" is set:

• nginx.ingress.kubernetes.io/canary-weight: The integer based (0 - 100) percent of random requests that should be routed to the service specified in the canary Ingress. A weight of 0 implies that no requests will be sent to the service in the Canary ingress by this canary rule. A weight of 100 means implies all requests will be sent to the alternative service specified in the Ingress.

Note that when you mark an ingress as canary, then all the other non-canary annotations will be ignored (inherited from the corresponding main ingress) except nginx.ingress.kubernetes.io/load-balance and nginx.ingress.kubernetes.io/upstream-hash-by.

Known Limitations

Currently a maximum of one canary ingress can be applied per Ingress rule.

In other words, you can introduce a new Ingress Object my-ingress-canary where you set the annotations

• nginx.ingress.kubernetes.io/canary: "true" (Tells Nginx Ingress to mark this one as “Canary” and associate this ingress with the main ingress by matching host and path.

• nginx.ingress.kubernetes.io/canary-weight: "10" (Route ten percent traffic to load-balancer-2)

Google has a "miscellaneous" SSL certificate that certifies connections to cloudfunctions.net and it's subdomains called misc.google.com (which isn't a website) (this certificate is shared by 150+ miscellaneous domains under the Google umbrella). This certificate is used whenever you try to connect to one of your cloud functions when it's web address starts with https://-.cloudfunctions.net. You can see this certificate for yourself by visiting the URL of one of your functions and obtaining the certificate from the padlock icon next to the URL.

You can use rewrites on Firebase Hosting to serve your Cloud Functions from the same domain as your website and these connections will use the same SSL certificate issued to your domain. In a similar fashion to the cloudfunctions.net domain, the certificate used for this is shared amongst around 100 unrelated domains hosted using Firebase Hosting (which helps keep costs down for Firebase, but not harming security all too much).

Note: When hosting functions behind Firebase Hosting, the results of your functions may be cached by the Firebase Hosting CDN and because the CDN is internal to the Firebase network, your function may be called using only HTTP rather than HTTPS. As an example, if you have a HTTPS Function called somefunction at https://functionsexample.com/somefunction, in addition to using the SSL certificate for functionsexample.com, the request will first hit the Firebase CDN, and if not cached, the CDN will call http://-.cloudfunction.net/somefunction (with x-appengine-* headers) and pass the result back, caching it as appropriate. In my experience you can detect these "HTTP-call-from-the-CDN" requests by looking at the x-appengine-https header. (This last bit of info may be outdated, probably subject to change at any time and likely to be corrected in this answer's comments by Frank, Doug or an actual Firebase staff member)

The primary difference between htop and ps aux is that htop shows each individual thread belonging to a process rather than the process only - this is similar to ps auxm. Using the htop interactive command H, you can hide threads to get to a list that more closely corresponds to ps aux.

In terms of memory usage, those additional entries representing individual threads do not affect the actual memory usage total because threads share the address space of the associated process.

RSS (resident set size) in general is problematic because it does not adequately represent shared pages (due to shared memory or copy-on-write) for your purpose - the sum can be higher than expected in those cases. You can use smem -t to get a better picture with the PSS (proportional set size) column. Based on the facts you provided, that is not your issue, though.

In your case, it might make sense to dig deeper via smem -tw to get a memory usage breakdown that includes (non-cache) kernel resources. /proc/meminfo provides further details.

Ahh, SOLVED! I was putting wrong CA chain. I had to chain root and intermediate certs downloaded from LE website into new file. It may come handy for someone with same problem.