Ingress TLS not working (K8S rancher) #399

Closed
craph opened this issue Jun 15, 2021 · 6 comments

@craph
Contributor

craph commented Jun 15, 2021

ISSUE TYPE
  • Bug Report
SUMMARY

I'm unable to correctly configure the ingress for HTTPS in AWX.

What am I doing wrong ?

ENVIRONMENT
  • AWX version: 19.2.0
  • Operator version: 0.10.0
  • Kubernetes version: Kubernetes v1.20.6
  • AWX install method: k8s rancher
STEPS TO REPRODUCE
  1. Create a secret certificate that contains private key and certificate with name "awx-certificate" (I'm using a certificate issued by my enterprise CA / custom CA)
  2. Create this yaml file :
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-demo
spec:
  ingress_type: ingress
  ingress_tls_secret: awx-certificate
  hostname: awx.10.81.110.118.nip.io
  postgres_storage_class: longhorn
  3. Run kubectl apply -f myfile
EXPECTED RESULTS

I want to be able to configure Ingress to use my tls secret configured in rancher and applied to my awx instance.

ACTUAL RESULTS

In my browser when I go to https://awx.10.81.110.118.nip.io and check the certificate I don't see mine BUT I see
image

ADDITIONAL INFORMATION

I don't know if my issue is linked to this one : #376

AWX-OPERATOR LOGS
@tchellomello
Contributor

@craph could you share how you created your awx-certificate secret?

kubectl describe secret awx-certificate

When you inspect the ingress object, do you see the tls.secretName specified?

$ kubectl describe ingress awx-demo-ingress
$ kubectl get ingress -o yaml awx-demo-ingress

If you see it there, check the ingress controller configuration as well. Depending on the ingress configuration, sometimes if you have a different namespace, you will see this kind of behavior.

@felipe4334

felipe4334 commented Jun 16, 2021

You need to create a secret like this and assign it to your ingress rule. Cluster needs to have an Ingress controller configured for the ingress to work as well.
image

@tchellomello tchellomello self-assigned this Jun 17, 2021
@shanemcd
Member

Sounds like this is a config error? Please let us know if this is a real bug and we'll reopen.

@craph
Contributor Author

craph commented Sep 22, 2021

@shanemcd Sorry to answer this very late. Can you reopen this issue please ?

ie : When I deploy AWX it's on a dedicated namespace "awx".

@tchellomello I create the awx-certificate in Rancher -> Certificates -> add certificates
I added the domain : awx.10.81.110.118.nip.io and add my certificate.

kubectl describe secret awx-certificate
Name:         awx-certificate
Namespace:    default
Labels:       <none>
Annotations:  field.cattle.io/algorithm: RSA
              field.cattle.io/certFingerprint: B7:60:30:B5:74:AF:ED:59:04:90:AF:B5:9B:AF:39:45:7F:AA:2D:8C
              field.cattle.io/cn: myserver.mydomain.com
              field.cattle.io/creatorId: u-azefdsfs
              field.cattle.io/expiresAt: 2023-01-11T11:51:53Z
              field.cattle.io/issuedAt: 2021-01-11T11:51:53Z
              field.cattle.io/issuer: Company SubCA
              field.cattle.io/keySize: 256
              field.cattle.io/projectId: c-s6x5j:p-bc8xc
              field.cattle.io/serialNumber: 557521034399410790640932465229759350743437541
              field.cattle.io/subjectAlternativeNames: ["*.mydomain.com","myserver.mydomain.com"]
              field.cattle.io/version: 3
              lifecycle.cattle.io/create.secretsController_c-s6x5j: true
              secret.user.cattle.io/secret: true

Type:  kubernetes.io/tls

Data
====
tls.crt:  2861 bytes
tls.key:  1703 bytes

Here is the output for the ingress

kubectl describe ingress awx-demo-ingress -n awx
Name:             awx-demo-ingress
Namespace:        awx
Address:          10.81.110.108,10.81.110.118
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  awx-certificate terminates awx.10.81.110.118.nip.io
Rules:
  Host                      Path  Backends
  ----                      ----  --------
  awx.10.81.110.118.nip.io
                            /   awx-demo-service:80 (10.42.4.108:8052)
Annotations:                field.cattle.io/publicEndpoints:
                              [{"addresses":["10.81.110.108"],"port":443,"protocol":"HTTPS","serviceName":"awx:awx-demo-service","ingressName":"awx:awx-demo-ingress","h...
Events:                     <none>
kubectl get ingress -o yaml awx-demo-ingress -n awx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: '[{"addresses":["10.81.110.108"],"port":443,"protocol":"HTTPS","serviceName":"awx:awx-demo-service","ingressName":"awx:awx-demo-ingress","hostname":"awx.10.81.110.118.nip.io","path":"/","allNodes":true}]'
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"labels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx-demo","app.kubernetes.io/operator-version":"0.10.0","app.kubernetes.io/part-of":"awx-demo"},"name":"awx-demo-ingress","namespace":"awx"},"spec":{"rules":[{"host":"awx.10.81.110.118.nip.io","http":{"paths":[{"backend":{"serviceName":"awx-demo-service","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["awx.10.81.110.118.nip.io"],"secretName":"awx-certificate"}]}}'
  creationTimestamp: "2021-06-15T16:49:56Z"
  generation: 1
  labels:
    app.kubernetes.io/component: awx
    app.kubernetes.io/managed-by: awx-operator
    app.kubernetes.io/name: awx-demo
    app.kubernetes.io/operator-version: 0.10.0
    app.kubernetes.io/part-of: awx-demo
  managedFields:
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/operator-version: {}
          f:app.kubernetes.io/part-of: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"c8676e8a-5d15-47ec-a59d-1b51e3ac72d2"}:
            .: {}
            f:apiVersion: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:rules: {}
        f:tls: {}
    manager: Swagger-Codegen
    operation: Update
    time: "2021-06-15T16:49:56Z"
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2021-06-15T16:50:38Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:field.cattle.io/publicEndpoints: {}
    manager: rancher
    operation: Update
    time: "2021-06-15T16:50:38Z"
  name: awx-demo-ingress
  namespace: awx
  ownerReferences:
  - apiVersion: awx.ansible.com/v1beta1
    kind: AWX
    name: awx-demo
    uid: c8676e8a-5d15-47ec-a59d-1b51e3ac72d2
  resourceVersion: "32532468"
  uid: bb2c53fb-19a4-455e-842a-b75f04f1b997
spec:
  rules:
  - host: awx.10.81.110.118.nip.io
    http:
      paths:
      - backend:
          service:
            name: awx-demo-service
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - awx.10.81.110.118.nip.io
    secretName: awx-certificate
status:
  loadBalancer:
    ingress:
    - ip: 10.81.110.108
    - ip: 10.81.110.118

When I inspect the certificate I see :
image

Now it says that the certificate is untrusted. I think I missed something ?

Can you help me ?

Thank you.
Best regards,

@craph
Contributor Author

craph commented Sep 22, 2021

I created from scratch a new ingress in rancher with the name : awx-demo3.10.81.110.118.nip.io with the dedicated certificate and I always see : Kubernetes Ingress Controller Fake Certificate

curl -Ivk https://awx-demo3.10.81.110.118.nip.io/
* About to connect() to awx-demo3.10.81.110.118.nip.io port 443 (#0)
*   Trying 10.81.110.118...
* Connected to awx-demo3.10.81.110.118.nip.io (10.81.110.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
*       start date: Sep 20 01:24:39 2021 GMT
*       expire date: Sep 20 01:24:39 2022 GMT
*       common name: Kubernetes Ingress Controller Fake Certificate
*       issuer: CN=Kubernetes Ingress Controller Fake Certificate,O=Acme Co
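
The values in the `kubectl describe` outputs quoted in this thread are enough to run a pre-flight check on the TLS binding. The script below is an added example, not code from the thread or from the AWX operator; it applies two rules: an Ingress resolves `spec.tls[].secretName` in its own namespace, and the certificate must list each TLS host in its subject alternative names. The dict layout and function names are assumptions made for the example.

```python
# Added example. Values are copied from the kubectl output quoted in this thread:
# the Ingress fields from `kubectl describe ingress`, the secret fields from
# `kubectl describe secret` (SANs from field.cattle.io/subjectAlternativeNames).
INGRESS = {
    "name": "awx-demo-ingress",
    "namespace": "awx",
    "secret_name": "awx-certificate",
    "tls_hosts": ["awx.10.81.110.118.nip.io"],
}
SECRET = {
    "name": "awx-certificate",
    "namespace": "default",
    "type": "kubernetes.io/tls",
    "sans": ["*.mydomain.com", "myserver.mydomain.com"],
}


def san_covers(pattern, host):
    """True if a SAN entry covers host; '*.' matches exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def check_tls_binding(ingress, secret):
    """Return (code, message) findings; an empty list means the binding is consistent."""
    findings = []
    if secret["name"] != ingress["secret_name"]:
        findings.append(("name", "Ingress references a different secret name"))
    if secret["namespace"] != ingress["namespace"]:
        findings.append(("namespace",
                         f"secret is in '{secret['namespace']}', Ingress is in "
                         f"'{ingress['namespace']}'; secretName is resolved in the "
                         "Ingress's own namespace"))
    if secret["type"] != "kubernetes.io/tls":
        findings.append(("type", f"secret type is {secret['type']}"))
    for host in ingress["tls_hosts"]:
        if not any(san_covers(san, host) for san in secret["sans"]):
            findings.append(("san", f"no SAN in {secret['sans']} covers {host}"))
    return findings


if __name__ == "__main__":
    for code, message in check_tls_binding(INGRESS, SECRET):
        print(f"[{code}] {message}")
```
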

@Keith-Nowosielski-SJSU

I'm running into the same issue where there's no good documentation on adding a cert for awx deployments. I'm not sure if this is still an issue for you because it's been stale for a couple of years now, but it looks to me like you're using the rancher certificate manager and it looks like it's decided to use a self-signed (fake) cert.
