MicroShift / USHIFT-5912

cert-manager with acme - http01 solver does not work well with default Ingress


    • Type: Bug
    • Resolution: Done
    • Priority: Undefined
    • openshift-4.20
    • uShift Sprint 274

      Description of problem:

      When testing the http01 solver against MicroShift's default Ingress router, the challenge never completes because the cluster has no IngressClass for the router.
      cert-manager sets the ingressClassName field on the temporary Ingress it creates for the challenge. If the corresponding IngressClass resource does not exist, even though MicroShift's router could handle the Ingress, cert-manager might not trust that it will, or it might be configured to explicitly look for an IngressClass definition. Without the IngressClass, the "glue" that lets cert-manager confidently direct the challenge to the router is missing.
      

      Version-Release number of selected component (if applicable):

      4.20
      

      How reproducible:

      Always
      

      Steps to Reproduce:

      1. Install microshift 4.20 cluster
      2. Install cert-manager rpms
      3. create namespace using command oc create ns test-cert-manager
      4. create acme issuer using the yaml file below
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: letsencrypt-http01
      spec:
        acme:
          privateKeySecretRef:
            name: acme-account-key
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          solvers:
          - http01:
              ingress:
                ingressClassName: openshift-default
      5. create a certificate using the yaml file below
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: cert-from-letsencrypt-http01
      spec:
        commonName: microshift.gcp.devcluster.openshift.com
        dnsNames:
        - microshift.gcp.devcluster.openshift.com
        duration: 1h
        issuerRef:
          group: cert-manager.io
          kind: Issuer
          name: letsencrypt-http01
        renewBefore: 58m
        secretName: cert-from-letsencrypt-http01
        usages:
        - server auth
      
      

      Actual results:

      certificate never becomes ready
      

      Expected results:

      certificate should become ready
      

      Additional info:

      After creating the IngressClass below and updating the Issuer's ingressClassName to match it, the certificate became ready.
      apiVersion: networking.k8s.io/v1
      kind: IngressClass
      metadata:
        name: openshift-ingress
      spec:
        controller: openshift.io/ingress-to-route
      
      https://cert-manager.io/docs/configuration/acme/http01/#ingressclassname
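      The missing-IngressClass condition above is easy to catch before an Issuer is created. The preflight script below is an added example, not MicroShift's or cert-manager's own code: it walks every HTTP-01 ingress solver in the Issuer/ClusterIssuer objects, checks that the class each one names (ingressClassName, or the legacy class field) exists as an IngressClass, and flags solvers that name no class when the cluster has no default IngressClass either. It assumes the JSON shape that `oc get issuers,clusterissuers,ingressclasses -A -o json` prints; the embedded sample objects are constructed from the manifests in this report, with the namespace from step 3 assumed, and the function names are the example's own.

```python
"""Preflight check for cert-manager HTTP-01 solvers (added example, not
MicroShift or cert-manager code): does the IngressClass each solver names
exist in the cluster?  Input is the List JSON printed by
`oc get issuers,clusterissuers,ingressclasses -A -o json`."""
import json
import sys

# Annotation the Kubernetes ingress API uses to mark the cluster's default class.
DEFAULT_CLASS_ANNOTATION = "ingressclass.kubernetes.io/is-default-class"


def partition(items):
    """Split a List's items into (issuers, ingress_classes); other kinds are ignored."""
    issuers = [it for it in items if it.get("kind") in ("Issuer", "ClusterIssuer")]
    classes = [it for it in items if it.get("kind") == "IngressClass"]
    return issuers, classes


def default_ingress_class(ingress_classes):
    """Name of the IngressClass annotated as the cluster default, or None."""
    for ic in ingress_classes:
        annotations = ic.get("metadata", {}).get("annotations") or {}
        if annotations.get(DEFAULT_CLASS_ANNOTATION) == "true":
            return ic["metadata"]["name"]
    return None


def check_http01_solvers(issuers, ingress_classes):
    """Return (issuer, solver index, problem) for each HTTP-01 ingress solver that
    nothing is obliged to route: its class matches no IngressClass, or it names
    no class and the cluster has no default IngressClass."""
    known = {ic["metadata"]["name"] for ic in ingress_classes}
    default = default_ingress_class(ingress_classes)
    findings = []
    for issuer in issuers:
        meta = issuer.get("metadata", {})
        ident = "/".join(p for p in (issuer.get("kind"), meta.get("namespace"), meta.get("name")) if p)
        solvers = issuer.get("spec", {}).get("acme", {}).get("solvers") or []
        for index, solver in enumerate(solvers):
            ingress = (solver.get("http01") or {}).get("ingress")
            if ingress is None or ingress.get("name"):
                continue  # dns01 solver, or one that reuses an existing Ingress
            wanted = ingress.get("ingressClassName") or ingress.get("class")
            if wanted is None:
                if default is None:
                    findings.append((ident, index, "no ingressClassName set and the cluster has no default IngressClass"))
            elif wanted not in known:
                findings.append((ident, index, f"ingressClassName {wanted!r} matches no IngressClass"))
    return findings


def _issuer(class_name):
    """Constructed Issuer mirroring step 4 of the report (namespace assumed from step 3)."""
    ingress = {} if class_name is None else {"ingressClassName": class_name}
    return {
        "kind": "Issuer",
        "metadata": {"name": "letsencrypt-http01", "namespace": "test-cert-manager"},
        "spec": {"acme": {
            "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
            "privateKeySecretRef": {"name": "acme-account-key"},
            "solvers": [{"http01": {"ingress": ingress}}],
        }},
    }


# IngressClass from the report's "Additional info" workaround.
INGRESS_CLASS = {
    "kind": "IngressClass",
    "metadata": {"name": "openshift-ingress"},
    "spec": {"controller": "openshift.io/ingress-to-route"},
}
ISSUER_AS_FILED = _issuer("openshift-default")   # class that a stock MicroShift does not have
ISSUER_FIXED = _issuer("openshift-ingress")      # points at the IngressClass created above


def main(argv):
    """With a file argument, check real cluster output; otherwise run the report's scenario."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            items = json.load(fh).get("items", [])
    else:
        items = [ISSUER_AS_FILED]  # stock MicroShift: no IngressClass objects at all
    findings = check_http01_solvers(*partition(items))
    for ident, index, problem in findings:
        print(f"{ident} solver[{index}]: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Run it as `oc get issuers,clusterissuers,ingressclasses -A -o json > cluster.json && python3 check_http01.py cluster.json`; a non-zero exit means at least one solver would create a challenge Ingress that no IngressClass claims, which is exactly the state in which the certificate above never becomes ready.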
      

              Assignee: Evgeny Slutsky (eslutsky)
              Reporter: Rama Kasturi Narra (knarra@redhat.com)