Hetzler LB, cert-manager, nginx-ingress example


I installed Kubernetes on Hetzner based on the repository.

I am using GoDaddy for DNS management.

I have installed cert-manager in the cluster. I took it from here:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Load balancer:

apiVersion: v1
kind: Service
metadata:
  name: example-lb
  annotations:
    load-balancer.hetzner.cloud/location: hel1

spec:
  selector:
    app: example

  ports:
    - port: 80
      targetPort: 5678
  type: LoadBalancer

Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  selector:
    matchLabels:
      app: example
  replicas: 1
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: echo1
          image: hashicorp/http-echo
          args:
            - "-text=echo1"
          ports:
            - containerPort: 5678

The load balancer got port 32695.


I opened the firewall for ports 32695 and 80.


I made an A record to connect my load balancer with a subdomain.

I can connect to my pod through the HTTP URL.

ClusterIssuer manifest:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx

Certificate manifest:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secure-homekube-io
  namespace: default
spec:
  secretName: secure-homekube-io-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - my-org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - my.sub.domain
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io

The question is: why does the certificate have status False?


Update

Describe Challenges:

Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "some.sensitive.data." but got: echo1 

Similar issue.

There are 2 answers

dos4dev (best answer):
1. Create a Hetzner project with the following config:
hetzner_token: 
cluster_name: echo
kubeconfig_path: "./kubeconfig"
k3s_version: v1.26.4+k3s1
public_ssh_key_path: "~/.ssh/id_rsa.pub"
private_ssh_key_path: "~/.ssh/id_rsa"
use_ssh_agent: false # set to true if your key has a passphrase or if SSH connections don't work or seem to hang without agent. See https://github.com/vitobotta/hetzner-k3s#limitations
# ssh_port: 22
ssh_allowed_networks:
 - 0.0.0.0/0 # ensure your current IP is included in the range
api_allowed_networks:
 - 0.0.0.0/0 # ensure your current IP is included in the range
private_network_subnet: 10.0.0.0/16 # ensure this doesn't overlap with other networks in the same project
disable_flannel: false # set to true if you want to install a different CNI
schedule_workloads_on_masters: false
cloud_controller_manager_manifest_url: "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.18.0/ccm-networks.yaml"
csi_driver_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.5.1/deploy/kubernetes/hcloud-csi.yml"
system_upgrade_controller_manifest_url: "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml"
masters_pool:
  instance_type: cx11
  instance_count: 1
  location: hel1
worker_node_pools:
  - name: small-static
    instance_type: cx21
    instance_count: 1
    location: hel1
2. Install ingress-nginx:
helm upgrade --install \
ingress-nginx ingress-nginx/ingress-nginx \
-f value.yaml \
--namespace ingress-nginx \
--create-namespace

value file:

controller:
  kind: DaemonSet
  metrics:
    enabled: true
  
  service:
    annotations:
      load-balancer.hetzner.cloud/location: hel1
      load-balancer.hetzner.cloud/name: lb
      load-balancer.hetzner.cloud/use-private-ip: "true"
      load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'
      load-balancer.hetzner.cloud/hostname: sub.domain.name
      load-balancer.hetzner.cloud/http-redirect-https: 'false'
  replicaCount: 2
  config:
    use-proxy-protocol: "true"
3. Install cert-manager:
helm upgrade --install \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
cert-manager jetstack/cert-manager
4. Connect the load balancer's public IP to your DNS.

5. Apply the ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
6. Apply the Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secure-homekube-io
  namespace: default
spec:
  secretName: secure-homekube-io-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - some-org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - sub.domain.name
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io

7. Ingress, Service and Deployment for testing:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  namespace: ingress-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
    - host: sub.domain.name
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 80
  tls:
    - hosts:
        - sub.domain.name
      secretName: secure-homekube-io-tls

---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: ingress-nginx

spec:
  selector:
    app: echo
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5678

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: ingress-nginx
  labels:
    app: echo

spec:
  selector:
    matchLabels:
      app: echo
  replicas: 1
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
        - name: echo1
          image: hashicorp/http-echo
          args:
            - "-text=echo1"
          ports:
            - containerPort: 5678
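
The "expected ... but got: echo1" message in the question means the application, not cert-manager's solver pod, answered the ACME path: the LoadBalancer Service fed traffic straight to the echo pod, bypassing the ingress controller that the accepted answer puts in front of it. The script below, an added example rather than cert-manager's or the answerer's code, reads the fields cert-manager sets on a Challenge object, fetches the path Let's Encrypt would query and classifies the answer; the Challenge JSON and the `echo_backend` fetcher are constructed so it runs offline, and a real run would pass the output of `kubectl get challenge -o json` and use the default fetcher.

```python
"""Classify a stuck cert-manager HTTP-01 challenge. Added example, not
cert-manager's own code; the sample Challenge and fetcher are constructed."""
import json
import urllib.error
import urllib.request
from typing import Callable

ACME_PATH = "/.well-known/acme-challenge/"

def challenge_url(challenge: dict) -> str:
    """URL Let's Encrypt queries; dnsName and token come from the Challenge spec."""
    spec = challenge["spec"]
    return f"http://{spec['dnsName']}{ACME_PATH}{spec['token']}"

def http_fetch(url: str) -> tuple:
    """Default fetcher: plain HTTP GET; returns (status, body), status 0 = no answer."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return 0, ""

def diagnose(challenge: dict, fetch: Callable[[str], tuple] = http_fetch) -> str:
    """Compare what answers the challenge path with spec.key (token.thumbprint):
    'ok' = the cert-manager solver answered; 'backend-answered' = HTTP 200 with the
    application's own body, i.e. traffic reaches the app directly and bypasses the
    ingress controller that routes ACME_PATH to the solver (the 'echo1' case above);
    'not-found' = host reachable but nothing serves the path; 'unreachable' = no
    HTTP answer at all (DNS, firewall or load balancer)."""
    status, body = fetch(challenge_url(challenge))
    if status == 0:
        return "unreachable"
    if status == 200:
        return "ok" if body.strip() == challenge["spec"]["key"] else "backend-answered"
    return "not-found"

# Constructed Challenge, trimmed to the fields `kubectl get challenge -o json` shows.
SAMPLE_CHALLENGE = json.loads('{"kind": "Challenge", "spec": {"type": "HTTP-01",'
                              ' "dnsName": "sub.domain.name", "token": "CONSTRUCTED_TOKEN",'
                              ' "key": "CONSTRUCTED_TOKEN.CONSTRUCTED_THUMBPRINT"}}')

def echo_backend(url: str) -> tuple:
    """Constructed fetcher reproducing the question: the echo app answers, not the solver."""
    return 200, "echo1\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CHALLENGE, echo_backend))  # backend-answered
```

A result of "backend-answered" is the signal to check that the DNS record points at the ingress controller's load balancer and that the Ingress for the host carries the cert-manager annotation, rather than at a Service that exposes the application directly.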
Mohammed Ehab:

I think the issue might be in one or more of the following:

1. Well, I have no experience with Hetzner Cloud, but as per the link you provided, the load balancer requires two annotations; however, you added only one of them.

If your case requires communication with a public IP, then adjust your firewall and add yours.

2. In the ClusterIssuer manifest, you configured the solver as http01, not dns. I think the correct one is:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: godaddy-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: godaddy-issuer-key
    solvers:
    - dns01:
        godaddy:
          apiKeySecretRef:
            name: godaddy-api-key
            key: key
          keyName: your-key
          ttl: 600

Then update the certificate and make sure that your subdomain is configured correctly and the A record exists in GoDaddy and routes to the desired IP.