Describe the bug:
The Kong Ingress Controller (https://github.com/Kong/kubernetes-ingress-controller) will not preserve the Host name by default unless you annotate the Ingress resource with a reference to a KongIngress object. When cert-manager creates an Ingress resource for the ACME solver it triggers this default behaviour, meaning that the ACME solver sees requests come in to its private IP address, which fails the challenge:
2018/10/15 01:13:42 [10.32.3.80] Comparing actual host '10.32.3.80' against expected 'www.example.com'
2018/10/15 01:13:42 [www.example.com] Invalid host '10.32.3.80'
I don't expect to have this working out of the box, and arguably this is a bug in the Kong Ingress Controller, but it would be nice if the annotations on the ACME solver Ingress resource were configurable so that I could configure host preservation. A quicker fix might be to make this Host check configurable altogether, although I'm not sure if that would break anything else.
Steps to reproduce the bug:
/kind bug
Interesting - so we are probably okay to just skip the Host check altogether in the acmesolver, as we don't actually do much with that (given we deploy an instance of acmesolver/a service/an ingress resource for each domain anyway).
I can't really think of many cases where this wouldn't work - ultimately, if the self check passes we should be good to go, regardless of anything else.
Happy to see a PR that adjusts the acmesolver app to not fail on this 😄
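The behaviour discussed above, as an added Go sketch that is not cert-manager's acmesolver code and not part of the original thread: a challenge responder that rejects a rewritten Host header when the check is on and still serves only the expected token path when it is off. The `solver` type, `checkHost` flag, `probe` helper and the token values are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// solver is a hypothetical stand-in for a per-domain HTTP-01 responder.
type solver struct {
	domain, token, keyAuth string
	checkHost              bool // assumption: toggle for the Host comparison
}

func (s solver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an optional :port before comparing
	}
	// A proxy that does not preserve Host delivers the upstream IP here.
	if s.checkHost && !strings.EqualFold(host, s.domain) {
		http.Error(w, fmt.Sprintf("invalid host %q", host), http.StatusNotFound)
		return
	}
	// The token path is still enforced when the Host check is skipped.
	if r.URL.Path != "/.well-known/acme-challenge/"+s.token {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, s.keyAuth)
}

// probe sends one challenge request with the given Host header and
// returns the HTTP status code the solver answered with.
func probe(s solver, hostHeader, token string) int {
	req := httptest.NewRequest("GET", "/.well-known/acme-challenge/"+token, nil)
	req.Host = hostHeader
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample values, matching the host and IP in the log above.
	strict := solver{"www.example.com", "tok123", "tok123.thumb", true}
	relaxed := strict
	relaxed.checkHost = false
	fmt.Println(probe(strict, "www.example.com", "tok123"), probe(strict, "10.32.3.80", "tok123"))
	fmt.Println(probe(relaxed, "10.32.3.80", "tok123"), probe(relaxed, "10.32.3.80", "wrong"))
}
```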
I've applied this acme-kong-kube-helper github.com/ollystephens/acme-kong-kube-helper in order to solve the http01 validation problem in the staging environment, and it all works.
When the http01 validation is to be performed, it is necessary to use the letsencrypt production environment to get the https encryption.
The problem is mainly that cert-manager has some problems working with ingress controllers other than nginx (?). This helper is a temporary solution while cert-manager works on this feature to solve this https://github.com/jetstack/cert-manager/issues/1097 (?)
I wrote a small helper as a workaround for this problem.
https://github.com/ollystephens/acme-kong-kube-helper
Hopefully it won't be needed long-term, but is an alternative to modifying the core ingress controller codebase in the meantime.
For anyone looking at this issue, please note that this is outdated. This has been supported starting Kong's Ingress Controller v0.5. Here is the documentation:
https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/cert-manager.md