
Comments (9)

fraank avatar fraank commented on June 15, 2024 1

Oh, ok. Now it makes more sense.

Unfortunately hetzner don't let us download the .pk and .crt directly. I thought I could use parts of this to download and update the cert via API request from the official API.

I cannot believe I'm the first one doing this, but cannot find any notes about that.


Edit: I'm not. #1

Edit 2: I think I'm searching for sth. like load-balancer.hetzner.cloud/http-certificates: "<id or name of your cert>" just for the ingress (Link).

from terraform-hcloud-kube-hetzner.

fraank avatar fraank commented on June 15, 2024 1

Ok, I got an official statement from Hetzner that Cloud Control Manager cannot be used for Ingress-Services. They recommended that I implement it myself but cannot give any guarantee that it will finally work.

I think I will try out Cloudflare. Thanks for your patience and input :-). I guess this ticket can be closed.


mysticaltech avatar mysticaltech commented on June 15, 2024 1

Great! Thanks for clarifying, you won't regret it, Cloudflare rocks!


mysticaltech avatar mysticaltech commented on June 15, 2024

Hey @fraank, I believe that working with certificates that are stored in Hetzner is out of context here. Basically, all you need to do is configure your ingress definition to use the certificate you want, that is stored or generated in Kubernetes itself.

You never ever have to touch the LB manually, it will just show up there automatically and all just works.

Please have a look at a previous issue #18 on the subject where you'll find a few examples. Good luck!


fraank avatar fraank commented on June 15, 2024

Yes, attaching the certificates within ingress could be a solution.

My first thought was whether it is possible to change the protocols of the LB from tcp:80 -> http:80 and tcp:443 -> https:443?
I can attach many certificates at the loadbalancer service interface when switching protocols to https.

A simple test switching the incoming protocol from tcp to http turns out to make the service unhealthy. The same with https.


mysticaltech avatar mysticaltech commented on June 15, 2024

Yes, but you have to understand that the LB is created by the ingress controller with its required specs, so if you change it manually later on, it no longer has the required specs and becomes unhealthy.

So any changes you do to the LB must be through the ingress system! And since by default it's configured to use proxy protocol, you just need to configure the ingress definitions well and everything just works, including SSL.

In the other issue mentioned above, you'll find an example ingress definition. Just try it, you'll be surprised! :)


fraank avatar fraank commented on June 15, 2024

Thanks and sorry for bothering you, as it is not directly connected to the project or a bug. But I guess this could be a great default use case for others, just using hetzner resources.

As I understood it, this is roughly how my ingress should work, while the loadbalancer is kept untouched:

I created the wildcard certificate mydomain-de within the web interface (/security/certificates). Like you did in your linked example by hcloud certificate create --name cloudflare-tls --cert-file origin-ca.crt --key-file origin-ca.pk.

Then I created the ingress using this certificate mydomain-de:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    traefik.frontend.passHostHeader: "true"
spec:
  defaultBackend:
    service:
      name: echo1
      port:
        number: 80
  tls:
  - secretName: mydomain-de
    hosts:
    - status.mydomain.de
    - images.mydomain.de
  rules:
  - host: "status.mydomain.de"
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: echo1
            port:
              number: 80
  - host: "images.mydomain.de"
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: imgproxy
            port:
              number: 80

As the response shows that the certificate is still invalid, I guess there is a link to the certificate store (with api-token to receive that) missing?!


mysticaltech avatar mysticaltech commented on June 15, 2024

@fraank No bother at all. It's definitely a good discussion to have.

From what I see, it appears you are not creating your certificate as a Kubernetes secret? Yet you are calling it from your ingress definition as a secret in Kubernetes.

My apologies frank, I had pasted the wrong command in the other issue, now rectified. There is no hcloud create needed at all, the secret needs to be created in Kubernetes only, with the following command:

kubectl create secret tls mydomain-de --key origin-ca.pk --cert origin-ca.crt

Now it will work! 🤞

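The mismatch in this exchange (an Ingress whose spec.tls names a secret that only exists as a Hetzner certificate, not as a Kubernetes Secret) is easy to catch before applying the manifest. The following pre-flight check is an added example, not code from the project or from anyone in the thread: it builds the same kubernetes.io/tls Secret that kubectl create secret tls would, refuses swapped cert/key files, and lists every secretName the Ingress references that the cluster does not have. The PEM strings and the list of existing secret names are constructed stand-ins; against a real cluster the names would come from kubectl get secret.

```python
import base64
import re

# Constructed stand-ins for origin-ca.crt / origin-ca.pk; not a real key pair.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

# Constructed Ingress with the same spec.tls block as the one posted above.
INGRESS_YAML = """\
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  tls:
  - secretName: mydomain-de
    hosts:
    - status.mydomain.de
    - images.mydomain.de
"""


def build_tls_secret(name, cert_pem, key_pem, namespace="default"):
    """Manifest equivalent to `kubectl create secret tls NAME --cert C --key K`:
    type kubernetes.io/tls, with tls.crt and tls.key base64-encoded under .data.
    Rejects the common mistake of passing the files in the wrong order."""
    if not cert_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("--cert must be a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem.splitlines()[0]:
        raise ValueError("--key must be a PEM private key")

    def b64(text):
        return base64.b64encode(text.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }


def referenced_tls_secrets(ingress_yaml):
    """Every secretName the Ingress expects under spec.tls[]."""
    return re.findall(r'^\s*-?\s*secretName:\s*"?([\w.-]+)"?\s*$', ingress_yaml, re.M)


def missing_tls_secrets(ingress_yaml, existing_tls_secret_names):
    """Referenced names with no kubernetes.io/tls Secret in the namespace; any hit
    means the LB will keep serving the controller's default (invalid) certificate."""
    return sorted(set(referenced_tls_secrets(ingress_yaml)) - set(existing_tls_secret_names))
```

Running missing_tls_secrets(INGRESS_YAML, []) reproduces the situation in the thread by returning ['mydomain-de']; once the Secret from build_tls_secret is applied and its name is in the list, the result is empty.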

mysticaltech avatar mysticaltech commented on June 15, 2024

If I were you, just forget Hetzner certificates, Cloudflare is great, or just LetsEncrypt!

