Issues with tls #22

Open
willthewizard opened this issue Nov 7, 2019 · 2 comments

Comments

@willthewizard commented Nov 7, 2019

Hi there, we keep running into different issues regarding TLS and CA HTTPS control. May I know which versions of nginx-ingress, helm, k8s, and cert-manager you had success with?

@mr-rooftop

Yes, this would be very interesting.
I'm currently trying out the versions that were current at the time that their talk came out (approx. November 2018).

@mr-rooftop commented Jan 16, 2020

Hi @willthewizard!
The configuration that worked for me was the following:

Hyperledger Fabric 1.3.0
Kubernetes 1.15
Helm 2.11.0 and Helm 3.0.2
Cert-manager 0.12

Cert-manager was by far the biggest obstacle. First, you need to add the jetstack repo (cert-manager is developed by jetstack) with helm repo add jetstack https://charts.jetstack.io and update it with helm repo update, and then apply the custom resources for your cert-manager version (we use 0.12) with kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml.
Then install cert-manager with helm install cert-manager --namespace cert-manager --version v0.12.0 jetstack/cert-manager. As the files certManagerCI_staging.yaml and certManagerCI_production.yaml in the extra/ folder are outdated for this version of cert-manager and letsencrypt, you have to update them similar to this:
staging

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (TODO: change this to your own address)
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

production

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (TODO: change this to your own address)
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

Make sure to change the email to your own (or a different one; it only matters for certificate renewals in the future and for the rate limits of letsencrypt).

As described in the README, with kubectl apply -f certManagerCI_staging.yaml and kubectl apply -f certManagerCI_production.yaml you create two ClusterIssuer resources. Check whether they are ready with kubectl get clusterIssuer -A.

What I didn't know at first is that you really need to have a domain name registered that points to the external IP of the LoadBalancer that was created by the nginx ingress controller. You can find this IP with kubectl get service -A; there should be an external IP listed. Point your domain to this IP, and don't proceed until the domain name actually resolves to your cluster (takes approx. 1 hour).

Then you have to update the ingress section in the ca.yaml in helm_values/ like that:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # cert-manager 0.11+ annotation key; this is the line that differs from the tutorial
    cert-manager.io/cluster-issuer: letsencrypt-prod
  path: /
  hosts:
    # TODO: Change this to your Domain Name
    - ca.yourdomain.com
  tls:
    # cert-manager stores the issued certificate and key in this Secret
    - secretName: ca--tls
      hosts:
        # TODO: Change this to your Domain Name (must match the host above)
        - ca.yourdomain.com

Note that the cert-manager.io/cluster-issuer: letsencrypt-prod line is different from the one in the tutorial; we use the current version of the cert-manager resource description. Change the domain to your domain that points to your cluster. Once you have installed it, https://ca.yourdomain.com/cainfo should give you back some nice JSON!
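The checklist from the comment above (current API group and annotation key, placeholders replaced, TLS hosts matching the rule hosts, ClusterIssuer Ready, DNS pointing at the nginx LoadBalancer, /cainfo answering) as an added shell script. This is not code from the issue or from the repository. The manifest checks run offline on constructed sample values embedded in the script; the cluster checks assume kubectl, getent and curl are installed, that the kubectl context points at the cluster, and that the nginx controller's Service is of type LoadBalancer, and they only run when RUN_CLUSTER_CHECKS=1 and CA_HOST are set. That cert-manager before 0.11 used the certmanager.k8s.io API group, and that Let's Encrypt staging certificates are not trusted by browsers or Fabric clients, are facts about those projects rather than statements made in this thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or the repository: sanity checks for the
# cert-manager 0.12 + nginx-ingress setup described above. Manifest checks are
# pure text and run offline; cluster checks need kubectl/getent/curl (assumed)
# and run only when RUN_CLUSTER_CHECKS=1 and CA_HOST=ca.yourdomain.com are set.
set -u

# cert-manager 0.11+ serves cert-manager.io/v1alpha2; the older group
# certmanager.k8s.io/v1alpha1 used by pre-0.11 tutorials is not served by 0.12.
issuer_api_ok() {
  printf '%s\n' "$1" | grep -Eq '^apiVersion: cert-manager\.io/v1alpha2$'
}
# Same rename for the ingress annotation: with 0.12, a certmanager.k8s.io/
# cluster-issuer annotation is simply ignored, so no Certificate gets created.
ingress_annotation_ok() {
  printf '%s\n' "$1" | grep -Eq '^ *cert-manager\.io/cluster-issuer: *[^ ]+$'
}
# The staging CA is not trusted by browsers or Fabric clients; a values file
# left on letsencrypt-staging yields a certificate nothing will accept.
ingress_uses_prod_issuer() {
  printf '%s\n' "$1" | grep -Eq 'cluster-issuer: *letsencrypt-prod$'
}
# The yourdomain.com placeholder from the values file must be replaced.
no_placeholder_hosts() {
  ! printf '%s\n' "$1" | grep -q 'yourdomain\.com'
}
# Every host under tls: must also be a rule host (otherwise the HTTP-01
# challenge path is never routed), and there must be at least one TLS host.
tls_hosts_match() {
  local before after h found=0
  before=$(printf '%s\n' "$1" | awk '/^ *tls:/{exit} {print}')
  after=$(printf '%s\n' "$1" | awk 'f{print} /^ *tls:/{f=1}')
  for h in $(printf '%s\n' "$after" | sed -n 's/^ *- *\([A-Za-z0-9.-]*\)$/\1/p'); do
    found=1
    printf '%s\n' "$before" | awk -v h="$h" \
      '{sub(/^ *- */,"")} $0==h{ok=1} END{exit ok?0:1}' || return 1
  done
  [ "$found" -eq 1 ]
}
# Runs all ingress checks; prints each failure, exit status = number of failures.
lint_ingress() {
  local n=0
  ingress_annotation_ok "$1"    || { echo "  no cert-manager.io/cluster-issuer annotation"; n=$((n+1)); }
  ingress_uses_prod_issuer "$1" || { echo "  issuer is not letsencrypt-prod"; n=$((n+1)); }
  no_placeholder_hosts "$1"     || { echo "  yourdomain.com placeholder still present"; n=$((n+1)); }
  tls_hosts_match "$1"          || { echo "  tls hosts do not match rule hosts"; n=$((n+1)); }
  return "$n"
}

# Cluster checks (assumptions: kubectl context points at the cluster and the
# nginx controller Service is type LoadBalancer, as in the comment above).
issuer_ready() {  # $1 = ClusterIssuer name; true when its Ready condition is True
  [ "$(kubectl get clusterissuer "$1" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')" = True ]
}
dns_points_at_lb() {  # $1 = hostname; true when it resolves to some LoadBalancer IP
  local ip lbs
  ip=$(getent hosts "$1" | awk '{print $1; exit}')
  lbs=$(kubectl get svc -A -o jsonpath='{range .items[*]}{.status.loadBalancer.ingress[*].ip}{"\n"}{end}')
  [ -n "$ip" ] && printf '%s\n' "$lbs" | grep -Fxq "$ip"
}
cainfo_is_json() {  # $1 = hostname; the Fabric CA /cainfo endpoint answers with a JSON object
  curl -fsS --max-time 10 "https://$1/cainfo" | grep -q '^{'
}

# Constructed sample inputs: one values block as described above, one with the
# typical mistakes (old annotation key, staging issuer, placeholder, host mismatch).
INGRESS_OK='ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - ca.fabric.example
  tls:
    - secretName: ca--tls
      hosts:
        - ca.fabric.example'
INGRESS_BAD='ingress:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
  hosts:
    - ca.yourdomain.com
  tls:
    - secretName: ca--tls
      hosts:
        - ca.example.net'

echo "good sample:"; lint_ingress "$INGRESS_OK" && echo "  ok"
echo "bad sample:";  lint_ingress "$INGRESS_BAD" || echo "  $? problem(s)"

if [ "${RUN_CLUSTER_CHECKS:-0}" = 1 ]; then
  host=${CA_HOST:?set CA_HOST to the CA hostname}
  issuer_ready letsencrypt-prod || { echo "ClusterIssuer letsencrypt-prod is not Ready"; exit 1; }
  dns_points_at_lb "$host"      || { echo "$host does not resolve to the nginx LoadBalancer yet"; exit 1; }
  cainfo_is_json "$host"        && echo "https://$host/cainfo returned JSON"
fi
```

Run it as-is to lint the embedded samples; run it with RUN_CLUSTER_CHECKS=1 CA_HOST=ca.yourdomain.com against a real cluster to confirm the issuer is Ready, DNS has propagated, and the CA answers over HTTPS before moving on to the other Fabric components. To lint your own values file, pass its ingress block to lint_ingress, e.g. lint_ingress "$(cat helm_values/ca.yaml)".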
