How to deploy a letsencrypt with cert-manager and HAProxy-ingress
You can try installing cert-manager provided by Jetstack (it can be found here), and then follow the steps mentioned in this Stack Overflow post; this will get things sorted for you.
An internal ACME challenge will be done by cert-manager, and once you patch the secret name mentioned in the Certificate into the TLS section of the Ingress, the certificate status will reach the Ready state. Note that the secret will be created automatically; you need not create it.
Deploy cert-manager with:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml
Deploy a ClusterIssuer (ClusterIssuers are namespace-agnostic):
cat > prod-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    # Secret that will hold the ACME account private key (created by cert-manager)
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: haproxy
EOF
Apply the cluster issuer with kubectl apply -f prod-issuer.yaml
Create an Ingress resource (not namespace-agnostic; this example uses an nginx backend service):
cat > nginx-ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-router
  namespace: production
  annotations:
    kubernetes.io/ingress.class: "haproxy"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  # Only the hosts listed here are included in the issued certificate;
  # the certificate is stored in the named secret, which cert-manager creates.
  - hosts:
    - "example.com"
    secretName: nginx-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: nginx
            port:
              number: 80
  - host: www.example.com
    http:
      paths:
      - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: nginx
            port:
              number: 80
EOF
Apply the Ingress resource with kubectl apply -f nginx-ingress.yaml
The important piece of information here is that the HAProxy controller does NOT need the annotation acme.cert-manager.io/http01-edit-in-place: "true" that the nginx-ingress controller does. It works as expected without any extra annotations.
When you apply the Ingress resource to the cluster, the certificate will be issued in 1-2 minutes tops. Use kubectl describe certificate nginx-tls-secret -n production
to check the status of the certificate, and look at the events to get the certificate.
For more debugging info in case something went wrong, refer here: https://cert-manager.io/docs/faq/acme/
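A quick sanity check for the wiring the answer above describes, as an added example (not code from the original post or from cert-manager). It takes the Ingress as a dict, the shape `kubectl get ingress nginx-router -n production -o json` returns, and reports the gaps that most often leave a host without a valid certificate: a missing issuer annotation, an ingress class that does not match the ClusterIssuer's http01 solver class (the challenge Ingress cert-manager creates would then be picked up by a different controller), a TLS entry with no secretName, and rule hosts that no spec.tls entry covers, which HAProxy will still route but only over plain HTTP. The embedded sample manifest is constructed to mirror nginx-ingress.yaml above, where www.example.com has a rule but is not listed under spec.tls.hosts; the "haproxy" solver class is an assumption taken from prod-issuer.yaml.

```python
"""Lint an Ingress manifest for cert-manager + HAProxy TLS coverage (added example)."""
import json
import sys

ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample mirroring nginx-ingress.yaml from the answer above.
# Note: www.example.com has a routing rule but is not listed under spec.tls.
_NGINX_PATH = {"pathType": "ImplementationSpecific", "path": "/",
               "backend": {"service": {"name": "nginx", "port": {"number": 80}}}}
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "nginx-router",
        "namespace": "production",
        "annotations": {
            CLASS_ANNOTATION: "haproxy",
            "cert-manager.io/cluster-issuer": "letsencrypt-prod",
        },
    },
    "spec": {
        "tls": [{"hosts": ["example.com"], "secretName": "nginx-tls-secret"}],
        "rules": [
            {"host": "example.com", "http": {"paths": [_NGINX_PATH]}},
            {"host": "www.example.com", "http": {"paths": [_NGINX_PATH]}},
        ],
    },
}


def tls_hosts(ingress):
    """All hostnames that appear in any spec.tls entry."""
    return {h for entry in ingress.get("spec", {}).get("tls", []) for h in entry.get("hosts", [])}


def rule_hosts(ingress):
    """Hostnames that have a routing rule, in manifest order."""
    return [r["host"] for r in ingress.get("spec", {}).get("rules", []) if r.get("host")]


def covered_by_tls(host, tls_set):
    """True if host is listed literally or matched by a one-label wildcard entry."""
    if host in tls_set:
        return True
    labels = host.split(".")
    # "*.example.com" covers "www.example.com" but not "a.b.example.com".
    return len(labels) > 2 and "*." + ".".join(labels[1:]) in tls_set


def uncovered_hosts(ingress):
    """Rule hosts that no spec.tls entry covers: routed, but without a certificate."""
    covered = tls_hosts(ingress)
    return [h for h in rule_hosts(ingress) if not covered_by_tls(h, covered)]


def lint(ingress, solver_class="haproxy"):
    """Return human-readable findings; an empty list means the wiring looks right."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if not any(a in annotations for a in ISSUER_ANNOTATIONS):
        findings.append("no cert-manager issuer annotation; no certificate will be requested")
    ingress_class = annotations.get(CLASS_ANNOTATION) or ingress.get("spec", {}).get("ingressClassName")
    if ingress_class != solver_class:
        findings.append(f"ingress class {ingress_class!r} does not match the http01 solver class "
                        f"{solver_class!r}; the ACME challenge would be served by a different controller")
    for entry in ingress.get("spec", {}).get("tls", []):
        if not entry.get("secretName"):
            findings.append(f"tls entry for {entry.get('hosts')} has no secretName to store the certificate in")
    for host in uncovered_hosts(ingress):
        findings.append(f"host {host} has a rule but no spec.tls entry covers it; served over plain HTTP only")
    return findings


if __name__ == "__main__":
    # Usage: kubectl get ingress nginx-router -n production -o json | python ingress_tls_lint.py
    # With no piped input the constructed sample is checked instead.
    manifest = SAMPLE_INGRESS if sys.stdin.isatty() else json.load(sys.stdin)
    problems = lint(manifest)
    for finding in problems:
        print("WARN:", finding)
    sys.exit(1 if problems else 0)
```

Run against the sample it reports the one gap in the manifest above; adding "www.example.com" under spec.tls.hosts (cert-manager then requests a certificate with both names) makes it return clean.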