Azure-docs: Cert-Manager, ACME HTTP Solver and Windows Nodes
I've spent a fair amount of time trying to get cert-manager working on a cluster with mixed node pools - Windows and Linux, and I've finally gotten to a state where most of the cert-manager pods are created using a node selector to correct the linux node pool.
However, the ACME HTTP Solver always tries to create the pod on a Windows node (I've tried deleting it several times in the hope that it will re-create on a Linux node), but it always seems to pick a Windows node. I can't seem to correctly configure it to select a Linux one.
Can the documentation be updated to correctly reflect all of the steps required to make cert-manage work against a mixed node pool cluster?
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: ada58160-dc50-b977-d3bc-65f92406e16d
- Version Independent ID: 5c596e04-fddb-effe-3b72-575f4df42d4e
- Content: Create an HTTPS ingress with Azure Kubernetes Service (AKS) cluster
- Content Source: articles/aks/ingress-tls.md
- Service: container-service
- GitHub Login: @mlearned
- Microsoft Alias: mlearned
kieronlanning
All 9 comments
@kieronlanning
Thanks for the feedback! We are currently investigating and will update you shortly.
jakaruna-MSFT
on 29 Aug 2019
@kieronlanning certmanager helm chart takes nodeselctor as an input.
https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml#L89
I hope if we give --set nodeSelector."beta\.kubernetes\.io/os"=linux, All cert manager components will go to Linux nodes. I will try this tomorrow and update you
jakaruna-MSFT
on 29 Aug 2019
@jakaruna-MSFT Hi! I've done all that, and it's fine for the main components - but when it launches the HTTP Solver pod, it launches it on the first available node - which in my case was (repeatedly) a Windows node.
I ended up tainting all the Windows nodes so it could successfully launch.
kieronlanning
on 30 Aug 2019
@kieronlanning Thanks. Got it.
jakaruna-MSFT
on 30 Aug 2019
@mlearned please add your comments
jakaruna-MSFT
on 3 Sep 2019
Similar issue https://github.com/jetstack/cert-manager/issues/1770
jakaruna-MSFT
on 3 Sep 2019
@mlearned I am assigning this issue to you t investigate further and update the doc.
First update is to add node selector for the helm install command for cert manger
We still need to figure out how to add node selectors for the HTTP solver pod and update the doc
jakaruna-MSFT
on 4 Sep 2019
This should be possible using the new podTemplate field on your Issuer resource - some more info can be found here: http://docs.cert-manager.io/en/latest/tasks/issuers/setup-acme/http01/index.html#options 😀
munnerz
on 17 Sep 2019
Thank you @kieronlanning for the feedback.
I have updated the article to address your feedback and the changes should be available soon.
zr-msft
on 14 Aug 2020
Related issues
jamesgallagher-ie
·
3Comments
behnam89
·
3Comments
JeffLoo-ong
·
3Comments
AronT-TLV
·
3Comments
mrdfuse
·
3Comments