which will switch the exposecontroller config to use https & tls-acme, install kubelego and generate signed certificates for all ingress rules.
As a side note, Let's Encrypt will soon be supporting wildcard certificates, which will be very handy for us too.
Hi James, good idea. But you'd probably want to use https://github.com/jetstack/cert-manager/ as kube-lego has been deprecated.
Yeah as it happens I've since manually installed cert-manager on our own jenkins x infra that builds jenkins x - it works great, will make a nice addon or part of the installer soon. Only issue is the http challenge didn't work for monocular as we redirect traffic to / and also the new wildcard cert support only works for dns challenges, so need to figure that out too.
Shouldn't be too hard though - I hope :)
+1. This would be amazing to have!
Do you have any guidance on how to configure https with cert-manager on users' staging services with Jenkins X?
It's almost there :)
TLS setting with cert-manager doesn't work properly.
With jx upgrade ingress --cluster, when asked
If your network is publicly available would you like to enable cluster wide TLS?
if I answer Y then I lose both http and https access to Jenkins X.
I'm using EKS/AWS.
A minor deviation from the topic - but still related to cert-manager:
I've successfully executed jx upgrade ingress --cluster, which enabled TLS (initial Jenkins-X setup was HTTP). A consequence of this:
When running builds after the command above I started seeing errors in the Jenkins build log:
Failed to query the Pull Request last commit status for https://github.com/<gir repo>/environment-knightluminous-staging/pull/2 ref 86064b414d970276b09081c30c979195ee51e97a Could not find a status for repository <gir repo>/environment-knightluminous-staging with ref 86064b414d970276b09081c30c979195ee51e97a
For obvious reasons the initial GitHub repos for staging and production had webhooks created for http and that failed when jx upgrade ingress --cluster turned the ingress into https-only.
The quick fix could be to enhance the command output with a reminder to update the webhooks.
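A check for the webhook problem described in the comment above, as an added example that is not part of the thread or of jx itself: it audits webhook entries shaped like GitHub's "list repository webhooks" response and flags those that still point at the Jenkins X ingress over http, have certificate verification disabled, or carry no shared secret. The host name, hook ids, URLs and problem codes are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape of GitHub's "list repository webhooks" response.
# Host name, ids and URLs are made up for illustration.
SAMPLE_HOOKS = [
    {"id": 1, "active": True, "events": ["push", "pull_request"],
     "config": {"url": "http://jenkins.jx.example.com/github-webhook/",
                "content_type": "json", "insecure_ssl": "0"}},
    {"id": 2, "active": True, "events": ["push"],
     "config": {"url": "https://jenkins.jx.example.com/github-webhook/",
                "content_type": "json", "insecure_ssl": "1", "secret": "********"}},
    {"id": 3, "active": True, "events": ["push"],
     "config": {"url": "https://jenkins.jx.example.com/github-webhook/",
                "content_type": "json", "insecure_ssl": "0", "secret": "********"}},
    {"id": 4, "active": True, "events": ["push"],
     "config": {"url": "http://ci.other.example.net/hook", "insecure_ssl": "0"}},
]


def audit_hooks(hooks, ingress_host):
    """Return {hook id: [problem codes]} for hooks that target ingress_host."""
    findings = {}
    for hook in hooks:
        cfg = hook.get("config") or {}
        url = urlsplit(cfg.get("url", ""))
        if (url.hostname or "").lower() != ingress_host.lower():
            continue  # not delivered to the Jenkins X ingress, out of scope
        problems = []
        if url.scheme != "https":
            # Deliveries fail once the ingress is https-only.
            problems.append("http-url")
        if str(cfg.get("insecure_ssl", "0")) == "1":
            # GitHub skips certificate verification for this hook.
            problems.append("tls-verify-off")
        if not cfg.get("secret"):
            # Payloads cannot be authenticated by signature.
            problems.append("no-secret")
        if problems:
            findings[hook["id"]] = problems
    return findings


if __name__ == "__main__":
    found = audit_hooks(SAMPLE_HOOKS, "jenkins.jx.example.com")
    for hook_id, problems in found.items():
        print(hook_id, ", ".join(problems))
```
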
Fixed.
I am still having the same issue as @vochicong. Same setup, Jenkins X installed on AWS/EKS. I should probably mention that I am using a Google domain but AWS DNS inside a hosted zone; Google knows to use the AWS name servers and no other sites on my domain are having certificate issues. Initial installation works fine but then running jx upgrade ingress --cluster causes Jenkins to become completely unavailable. kubectl describe certificate prints blank. kubectl describe issuer prints what looks to be the correct settings and jx logs cert-manager -n cert-manager shows a bunch of errors of the form below, but with <item_name> replaced with directories:
E0114 00:18:51.003275 1 controller.go:<line_number>] ingress-shim controller: Re-queuing item "jx/<item_name>" due to error processing: issuer.certmanager.k8s.io "" not found