
GCE ingress, Let's Encrypt AND external-dns

Hi!

Currently I'm doing my first steps with GKE (1.22).

1.) I tried external-dns with static credentials as described in [link] . IT WORKS!

2.) I tried let's encrypt with GCE ingress using a static IP and manually created DNS entry as described in [link] . IT WORKS!

3.) Now I want to set up a GCE ingress and use let's encrypt and external-dns together, but I can't get this to work! Is this possible?

I'm setting up external-dns as described in 1.), then I run:

 

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml
kubectl apply -f lets-encrypt-test.yaml

 

with

 

# lets-encrypt-test.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: user@example.net
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          name: web-ingress
---
apiVersion: v1
kind: Secret
metadata:
  name: web-ssl
type: kubernetes.io/tls
stringData:
  tls.key: ""
  tls.crt: ""
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.allow-http: "true"
    cert-manager.io/issuer: letsencrypt-staging
spec:
  tls:
    - secretName: web-ssl
      hosts:
        - ssl.example.net
  rules:
    - host: ssl.example.net
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: nginx
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - image: nginx
          name: nginx
          ports:
            - containerPort: 80

 

The DNS entry is not created.
Here is the output of 'kubectl describe ingress web-ingress':

 

Name:             web-ingress
Labels:           <none>
Namespace:        default
Address:
Ingress Class:    <none>
Default backend:  <default>
TLS:
  web-ssl terminates ssl.example.net
Rules:
  Host               Path  Backends
  ----               ----  --------
  ssl.example.net
                     /.well-known/acme-challenge/lAJhC3WdmYs7QooLF5oB0Zd73inEo0TW2D5VtXw__oo   cm-acme-http-solver-bjv5z:8089 (10.44.0.19:8089)
                     /                                                                         nginx:80 (10.44.0.18:80)
Annotations:         cert-manager.io/issuer: letsencrypt-staging
                     kubernetes.io/ingress.allow-http: true
                     kubernetes.io/ingress.class: gce
Events:
  Type     Reason             Age                 From                       Message
  ----     ------             ----                ----                       -------
  Normal   CreateCertificate  21m                 cert-manager-ingress-shim  Successfully created Certificate "web-ssl"
  Normal   Sync               19m                 loadbalancer-controller    UrlMap "k8s2-um-ibrx32hl-default-web-ingress-g00t36cc" created
  Normal   Sync               19m                 loadbalancer-controller    TargetProxy "k8s2-tp-ibrx32hl-default-web-ingress-g00t36cc" created
  Normal   Sync               19m                 loadbalancer-controller    ForwardingRule "k8s2-fr-ibrx32hl-default-web-ingress-g00t36cc" created
  Normal   Sync               18m                 loadbalancer-controller    UrlMap "k8s2-um-ibrx32hl-default-web-ingress-g00t36cc" updated
  Normal   Sync               27s (x6 over 21m)   loadbalancer-controller    Scheduled for sync
  Warning  Sync               22s (x20 over 19m)  loadbalancer-controller    Error syncing to GCP: error running load balancer syncing routine: loadbalancer ibrx32hl-default-web-ingress-g00t36cc does not exist: googleapi: Error 404: The resource 'projects/XYZ/global/sslCertificates/k8s2-cr-ibrx32hl-2xpo5lv0tobi1djh-e3b0c44298fc1c14' was not found, notFound

 

Using this ingress (without SSL), external-dns is working:

 

# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx2-ingress
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.allow-http: "true"
spec:
  rules:
    - host: nginx2.example.net
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: nginx2
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx2
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: nginx2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
spec:
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
        - image: nginx
          name: nginx2
          ports:
            - containerPort: 80

 

Thank You for any idea!
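
A diagnostic reading of the `kubectl describe ingress` output above, added as an example and not part of the original post: it reports the empty Address field (external-dns takes the record target from the Ingress's load balancer address), collects the Warning events, and checks whether the 16-hex suffix of the missing sslCertificates resource equals the start of SHA-256 over the Secret's `tls.crt`. The function and variable names are hypothetical, and that the suffix is a truncated hash of the certificate data is an assumption.

```python
import hashlib
import re

# Constructed sample: lines copied from the `kubectl describe ingress` output above.
DESCRIBE = """\
Name:             web-ingress
Address:
Events:
  Normal   CreateCertificate  21m  cert-manager-ingress-shim  Successfully created Certificate "web-ssl"
  Warning  Sync  22s (x20 over 19m)  loadbalancer-controller  Error syncing to GCP: error running load balancer syncing routine: loadbalancer ibrx32hl-default-web-ingress-g00t36cc does not exist: googleapi: Error 404: The resource 'projects/XYZ/global/sslCertificates/k8s2-cr-ibrx32hl-2xpo5lv0tobi1djh-e3b0c44298fc1c14' was not found, notFound
"""

# tls.crt of the placeholder Secret "web-ssl" in lets-encrypt-test.yaml.
PLACEHOLDER_TLS_CRT = ""


def diagnose(describe_text, tls_crt):
    """Summarise why DNS and TLS are both stuck for one Ingress."""
    report = {"address": None, "warnings": [], "cert_suffix": None,
              "suffix_matches_secret": False}

    # [ \t] rather than \s so an empty value does not swallow the next line.
    addr = re.search(r"^Address:[ \t]*(\S*)[ \t]*$", describe_text, re.M)
    if addr and addr.group(1):
        report["address"] = addr.group(1)

    # Event rows: Type, Reason, Age, From, Message; keep Reason of Warnings.
    for line in describe_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "Warning":
            report["warnings"].append(fields[1])

    # Trailing 16 hex digits of the sslCertificates resource that returned 404.
    cert = re.search(r"sslCertificates/\S+-([0-9a-f]{16})'", describe_text)
    if cert:
        report["cert_suffix"] = cert.group(1)
        digest = hashlib.sha256(tls_crt.encode()).hexdigest()
        # Assumption: the suffix is a truncated SHA-256 of the certificate data.
        report["suffix_matches_secret"] = digest.startswith(cert.group(1))
    return report


if __name__ == "__main__":
    for key, value in diagnose(DESCRIBE, PLACEHOLDER_TLS_CRT).items():
        print(f"{key}: {value}")
```

On the post's data the report shows no address, one `Sync` warning, and a certificate suffix equal to the hash of the empty `tls.crt` placeholder.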

 

 
