Contour: Support for adding a wildcard certificate in contour

Created on 24 Jul 2020 · 5 Comments · Source: projectcontour/contour

Hi, I'm trying to deploy a wildcard certificate with contour (*.example.com). I've read some guides like these: https://projectcontour.io/docs/master/httpproxy/ and https://projectcontour.io/guides/cert-manager/

I've done the following steps:

I've created a secret tls as follows:

kubectl create secret tls wildcard-certificate-secret --key path_private_key --cert path_public_key -n projectcontour

Later, I've edited the configmap for contour and enabled the fallback-certificate:

SNI defined for a vhost.

  fallback-certificate:
   name: wildcard-certificate-secret
   namespace: projectcontour

I've created a TLSCertificateDelegation object:

apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: fallback-delegation-appstest
  namespace: projectcontour
spec:
  delegations:
  - secretName: wildcard-certificate-secret
    targetNamespaces:
    - "*"

Plus, I've created the httpproxy object:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: fallback-tls-app
  namespace: app_namespace
spec:
  virtualhost:
    fqdn: app.example.com
    tls:
      secretName: projectcontour/wildcard-certificate-secret
      enableFallbackCertificate: true
  routes:
  - services:
    - name: app-svc
      port: 8080

At last, I've created an ingress object:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  namespace: app_namespace
  annotations:
    kubernetes.io/ingress.class: contour
    ingress.kubernetes.io/force-ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
  labels:
    app: myapp
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - backend:
          serviceName: app-svc
          servicePort: 8080
  tls:
  - hosts:
    - app.example.com
    secretName: projectcontour/wildcard-certificate-secret

All the objects were created, but I can't connect via https. Is it expected that the httpproxy object returns any status?

NAMESPACE       NAME                                           FQDN              TLS SECRET                                  STATUS   STATUS DESCRIPTION
app_namespace   httpproxy.projectcontour.io/fallback-tls-app   app.example.com   projectcontour/wilcard-certificate-secret

Can you suggest any idea?

Thanks in advance for your support.

  • Contour version:
  • Kubernetes version: v1.16.8+vmware.1
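
The cross-namespace secret reference set up in the steps above can be checked offline. This is an added example, not part of the original issue and not Contour's code: it models the issue's TLSCertificateDelegation and HTTPProxy as constructed Python dicts and checks that the `projectcontour/wildcard-certificate-secret` reference is delegated to the proxy's namespace and that the certificate names cover the FQDN. The function names are hypothetical, and the certificate's names are assumed to be `*.example.com`.

```python
# Added example (not Contour code). Manifests are constructed from the issue's YAML.
DELEGATION = {
    "metadata": {"name": "fallback-delegation-appstest", "namespace": "projectcontour"},
    "spec": {"delegations": [
        {"secretName": "wildcard-certificate-secret", "targetNamespaces": ["*"]}]},
}
PROXY = {
    "metadata": {"name": "fallback-tls-app", "namespace": "app_namespace"},
    "spec": {"virtualhost": {"fqdn": "app.example.com", "tls": {
        "secretName": "projectcontour/wildcard-certificate-secret"}}},
}

def split_secret_ref(ref, referrer_ns):
    """'ns/name' -> (ns, name); a bare name resolves in the referrer's namespace."""
    ns, sep, name = ref.partition("/")
    return (ns, name) if sep else (referrer_ns, ref)

def delegated(delegations, secret_ns, secret_name, target_ns):
    """Is secret_ns/secret_name delegated to target_ns, or to every namespace via "*"?"""
    for d in delegations:
        if d["metadata"]["namespace"] != secret_ns:
            continue  # a delegation only covers Secrets in its own namespace
        for entry in d["spec"]["delegations"]:
            targets = entry.get("targetNamespaces", [])
            if entry["secretName"] == secret_name and ("*" in targets or target_ns in targets):
                return True
    return False

def wildcard_covers(san, fqdn):
    """A '*.' certificate name stands for exactly one left-most DNS label."""
    san, fqdn = san.lower(), fqdn.lower()
    if not san.startswith("*."):
        return san == fqdn
    head, _, tail = fqdn.partition(".")
    return bool(head) and tail == san[2:]

def check_proxy(proxy, delegations, cert_sans):
    """Return a list of problems; an empty list means the references line up."""
    ns = proxy["metadata"]["namespace"]
    vhost = proxy["spec"]["virtualhost"]
    secret_ns, secret_name = split_secret_ref(vhost["tls"]["secretName"], ns)
    problems = []
    if secret_ns != ns and not delegated(delegations, secret_ns, secret_name, ns):
        problems.append(f"{secret_ns}/{secret_name} is not delegated to namespace {ns}")
    if not any(wildcard_covers(s, vhost["fqdn"]) for s in cert_sans):
        problems.append(f"certificate names {cert_sans} do not cover {vhost['fqdn']}")
    return problems
```

With the manifests as posted, `check_proxy(PROXY, [DELEGATION], ["*.example.com"])` returns an empty list. The `"*"` entry in `targetNamespaces` is what lets every namespace, not only `app_namespace`, reference the wildcard key.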


All 5 comments

@jjimenezmont it sounds like you may be running into a couple of issues related to the fallback certificate feature: https://github.com/projectcontour/contour/pull/2723 (merged into master but not yet released) and https://github.com/projectcontour/contour/pull/2734 (not yet merged).

We'll have these fixes in the 1.7 release, which is scheduled to be out shortly.

@jjimenezmont, now that 1.7 is released, could you give this another try and see if your setup is working?

@jjimenezmont what do you get when you curl the url? Have you restarted Contour since applying the change to the configmap?

Hi,

I'm sorry for the late response. I was on holidays. I have updated to projectcontour v1.8 and it's working now:

vmware@ubuntugestion:~$ kubectl get httpproxy
NAME                 FQDN                           TLS SECRET                            STATUS   STATUS DESCRIPTION
httpproxy-tls-test   test.chie.junta-andalucia.es   projectcontour/secret-wildcard-chie   valid    valid HTTPProxy

@youngnick

@jjimenezmont glad things are working now. I'll close this issue out but feel free to reach out again as needed.
