When using a different class of ingress, certificate status is `FailedNotVisible`
blasterbug opened this issue
Running on Kubernetes `1.14.8-gke.12`, with `nginx-ingress-1.26.2`, managed certificates failed. DNS is resolved, DNSSEC is working. If I use the default gce-ingress, it actually works.
cert.yaml

```yaml
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: www-certificate
spec:
  domains:
    - www.domain.se
```
ingress.yaml

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: www-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.global-static-ip-name: www-domain-com # is a regional address for nginx
    networking.gke.io/managed-certificates: www-certificate
spec:
  rules:
    - host: www.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: www
              servicePort: 8080
```
```
$ kubectl describe managedcertificates.networking.gke.io www-certificate
Name:         www-certificate
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.gke.io/v1beta1
Kind:         ManagedCertificate
Metadata:
  Creation Timestamp:  2019-12-09T10:25:46Z
  Generation:          3
  Resource Version:    2967605
  Self Link:           /apis/networking.gke.io/v1beta1/namespaces/default/managedcertificates/root-nesta-se-cert
  UID:                 434f78d9-1a6e-11ea-816a-42010aa6014e
Spec:
  Domains:
    www.domain.om
Status:
  Certificate Name:    mcrt-55d0485c-dc0c-4796-8ec7-1af1d5aba472
  Certificate Status:  Provisioning
  Domain Status:
    Domain:  www.domain.com
    Status:  FailedNotVisible
Events:  <none>
```
The problem here is that your cert and the ingress (because it's an nginx ingress) are in a different namespace. I'm not sure yet how to fix this.
For the past few days I have been trying to resolve this issue. My config looks very similar. I found that supposedly DNSSEC should be enabled on the domain, as this can impact creation of the ManagedCertificate. I enabled that and now I am getting `FailedNotVisible` after approx. 20 minutes (before, it was changing to that status almost instantly).
In my setup, both the ingress and the certificate are in the same namespace.
This looks like a standard setup so I am not sure what else can be wrong here.
I will give it another day. Perhaps something wrong with domain configuration still?
According to the prerequisite https://github.com/GoogleCloudPlatform/gke-managed-certs/blob/master/README.md#prerequisites, this is only supported by the Ingress GKE ingress controller: https://github.com/kubernetes/ingress-gce.
@adamgajzlerowicz I found that Dohbedoh is correct. If you want to use an nginx ingress, for instance to force https, then you cannot use Google Managed Certs. Try using cert manager instead.
@rchurch4 Only yesterday I managed to get it working.
I configured cert manager by following this tutorial (link).
To confirm @Dohbedoh's links: I exchanged some emails with Google Cloud support and they also confirmed, quote:
"Nginx ingress controller type is not compatible with Google Managed certificates, Although, non-nginx-ingress controller is compatible."
For GCP managed certificates I first followed this doc. Feels like it really should mention its ingress compatibility issue.
Thanks guys!
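
A pre-deployment check for the incompatibility confirmed in this thread, as an added example that is not part of the issue or of the gke-managed-certs project: it scans objects shaped like `kubectl get ingress,managedcertificate -o json` output and flags an Ingress that references a ManagedCertificate while using a non-gce class, along with certificate names or hosts that do not match. The sample objects are constructed from the manifests above, and treating a missing class annotation as gce is an assumption.

```python
import json

MC_ANNOTATION = "networking.gke.io/managed-certificates"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

def lint(items):
    """Flag Ingresses whose managed-certificates annotation cannot work."""
    certs = {}
    for obj in items:
        if obj["kind"] == "ManagedCertificate":
            key = (obj["metadata"].get("namespace", "default"), obj["metadata"]["name"])
            certs[key] = set(obj.get("spec", {}).get("domains", []))
    findings = []
    for obj in items:
        ann = obj["metadata"].get("annotations", {})
        if obj["kind"] != "Ingress" or MC_ANNOTATION not in ann:
            continue
        ns = obj["metadata"].get("namespace", "default")
        where = f"{ns}/{obj['metadata']['name']}"
        # Assumption: an Ingress with no class annotation is served by ingress-gce.
        cls = ann.get(CLASS_ANNOTATION, "gce")
        if cls != "gce":
            findings.append(f"{where}: ingress class '{cls}' is not gce")
        hosts = {r["host"] for r in obj.get("spec", {}).get("rules", []) if "host" in r}
        # The annotation holds a comma-separated list of certificate names,
        # looked up in the Ingress's own namespace.
        for cert in (c.strip() for c in ann[MC_ANNOTATION].split(",")):
            domains = certs.get((ns, cert))
            if domains is None:
                findings.append(f"{where}: no ManagedCertificate '{cert}' in namespace '{ns}'")
            elif hosts - domains:
                findings.append(f"{where}: hosts {sorted(hosts - domains)} not in '{cert}' domains")
    return findings

# Constructed sample, modelled on the manifests in this issue plus one
# hypothetical Ingress (ok-ingress) that should pass.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "ManagedCertificate", "metadata": {"name": "www-certificate", "namespace": "default"},
  "spec": {"domains": ["www.domain.se"]}},
 {"kind": "Ingress", "metadata": {"name": "www-ingress", "namespace": "default", "annotations": {
    "kubernetes.io/ingress.class": "nginx",
    "networking.gke.io/managed-certificates": "www-certificate"}},
  "spec": {"rules": [{"host": "www.domain.com"}]}},
 {"kind": "Ingress", "metadata": {"name": "ok-ingress", "namespace": "default", "annotations": {
    "networking.gke.io/managed-certificates": "www-certificate"}},
  "spec": {"rules": [{"host": "www.domain.se"}]}}]}""")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE["items"])))
```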
What worked for me on `1.15.x` (which was failing but worked on rapid channel `1.16.x`) is to enable the `compute-rw` scope on the node pool and use https://dnssec-analyzer.verisignlabs.com to resolve DNSSEC issues with the domain. Deleted cert and ingress and retried and after about 10-15 minutes it all worked.
Hope that helps!