Comments (2)
Thanks for the answer, all I know is that when it failed, the http01 acme challenge was accessible from outside the cluster but certmanager failed to resolve it. Same issue as this.
I have many domains that all use the same automated deployment (same ingress resource for all of them, the only change is the domain that's being changed by helm values) and never had this certificate issue before. After all the basic checks (dns and such), I ended up reading that it seems like a common issue with an external loadbalancer in front of the cluster's ingress.
cert-manager/cert-manager#3238 (comment)
kubernetes/kubernetes#66607 (comment)
digitalocean/Kubernetes-Starter-Kit-Developers#205 (comment)
As I said, I don't mind adding the annotation with one of the domains that resolves to the loadbalancer, but I just want to make sure that if I set "mydomain.com", it won't prevent the certificate renewal of "myotherdomain.com" down the line.
Since I added the annotation with domain "X" yesterday, I installed a different domain "Y" and its certificate generated correctly so it doesn't seem to affect it 🤞. Would be nice to have a confirmation though and I would have liked to get it from reading the documentation :)
from digitalocean-cloud-controller-manager.
Hey @charlesg99 👋
Technically speaking, the annotation really only serves a single need, which is to return a hostname from the LB status (the related code is fairly straightforward) that will later be injected into the LoadBalancer-typed Service object. This, in turn, causes Kubernetes to not do hair-pinning and instead route via the external LB IP address.
I don't immediately see how the annotation / the related Kubernetes limitation could be related to your cert-manager problem: unless your setup is somehow specific / unusual, cert-manager should just talk to the API server and possibly public endpoints (e.g., to get certificates renewed). Neither should require routing through pods via a managed LB. I'm wondering if you adding the annotation had some kind of side effect that addressed your specific issue, but wasn't directly tied to the technical functionality in CCM described above.
If you still have data from when cert-manager failed for you (e.g., logs, error messages, events) that could be helpful in doing root cause analysis. Otherwise, you could try to force a certificate renewal on a test setup and troubleshoot based on that.
from digitalocean-cloud-controller-manager.
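The reply above describes the annotation as making the LB status return a hostname, so that Kubernetes routes via the external LB instead of hair-pinning. The following is an added example, not code from the thread or from the project: it classifies Services from `kubectl get svc -o json` output by that status field. The sample data and function names are constructed, and the `ipMode` handling goes beyond what the thread discusses.

```python
import json

# Constructed sample: trimmed `kubectl get svc -A -o json` output. The names,
# IP address and hostname are made up for illustration.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "web-a", "namespace": "ingress"},
  "spec": {"type": "LoadBalancer"},
  "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
 {"metadata": {"name": "web-b", "namespace": "ingress"},
  "spec": {"type": "LoadBalancer"},
  "status": {"loadBalancer": {"ingress": [{"hostname": "lb.example.com"}]}}},
 {"metadata": {"name": "web-c", "namespace": "ingress"},
  "spec": {"type": "LoadBalancer"},
  "status": {"loadBalancer": {}}},
 {"metadata": {"name": "api", "namespace": "default"},
  "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}}
]}
""")


def entry_short_circuits(entry):
    """True if in-cluster traffic to this LB address stays inside the cluster."""
    # kube-proxy only programs local rules for entries that carry an IP.
    # Newer Kubernetes versions also honour ipMode: "Proxy" on an IP entry,
    # which sends traffic out to the load balancer just like a hostname does.
    return bool(entry.get("ip")) and entry.get("ipMode", "VIP") == "VIP"


def classify(svc):
    """Return how pods in the cluster reach this Service's external address."""
    if svc.get("spec", {}).get("type") != "LoadBalancer":
        return "not-loadbalancer"
    entries = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    if not entries:
        return "pending"  # the load balancer has not reported an address yet
    if any(entry_short_circuits(e) for e in entries):
        return "short-circuit"  # hairpin: packets never reach the real LB
    return "via-external-lb"


def report(service_list):
    """Map namespace/name to its classification for every Service."""
    return {
        f"{s['metadata']['namespace']}/{s['metadata']['name']}": classify(s)
        for s in service_list["items"]
    }


if __name__ == "__main__":
    for name, path in report(SAMPLE).items():
        print(f"{name}: {path}")
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of `kubectl get svc -A -o json`.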