From 37cf701ce333ef22e23890897eac95517cb57aca Mon Sep 17 00:00:00 2001
From: Phan Le
Date: Mon, 14 Aug 2023 14:23:34 -0700
Subject: [PATCH 1/3] Fix tlsIssuer names and the consumers of these tlsIssuers

The consumers need to reference the correct name of the tlsIssuers. Cosummers are traefik ingress and the cluster-ip-cert
Signed-off-by: Phan Le
---
 charts/s3gw/templates/certificate.yaml | 2 +-
 charts/s3gw/templates/ingress-traefik.yaml | 4 ++--
 charts/s3gw/templates/tls-issuer.yaml | 8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/charts/s3gw/templates/certificate.yaml b/charts/s3gw/templates/certificate.yaml
index aa0f796..840277a 100644
--- a/charts/s3gw/templates/certificate.yaml
+++ b/charts/s3gw/templates/certificate.yaml
@@ -33,6 +33,6 @@ spec:
 - '*.{{ include "s3gw.serviceName" . }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
 issuerRef:
 kind: ClusterIssuer
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-issuer
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-s3gw-issuer
 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-ip-tls
 {{- end }}
diff --git a/charts/s3gw/templates/ingress-traefik.yaml b/charts/s3gw/templates/ingress-traefik.yaml
index fff133c..e0fd2b7 100644
--- a/charts/s3gw/templates/ingress-traefik.yaml
+++ b/charts/s3gw/templates/ingress-traefik.yaml
@@ -12,7 +12,7 @@ metadata:
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-{{ include "s3gw.CORSMiddlewareName" . }}@kubernetescrd'
- cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
+ cert-manager.io/cluster-issuer: {{ .Release.Name }}-{{ .Release.Namespace }}-{{ .Values.tlsIssuer }}
 spec:
 tls:
 - hosts:
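Review bot: The ClusterIssuer name `{{ .Release.Name }}-{{ .Release.Namespace }}-s3gw-issuer` is now spelled out by hand in `issuerRef.name` here and again in both ingress annotations and in tls-issuer.yaml; this series exists because those copies had drifted, and nothing in the change prevents that from recurring. Moving the name into a named template next to the existing `s3gw.serviceName` helper (e.g. `{{ include "s3gw.clusterIssuerName" . }}` — helper name to be chosen) and using it at every consumer keeps the issuer and its references in lockstep. The enclosing Certificate resource starts above the hunk.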
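Review bot: The new annotation value `{{ .Release.Name }}-{{ .Release.Namespace }}-{{ .Values.tlsIssuer }}` silently drops `customTlsIssuer`, which the removed line used to let an operator point the ingress at a pre-existing ClusterIssuer; unless that value is also removed from values.yaml (the diffstat shows no such change), anyone still setting it gets a reference to a ClusterIssuer the chart never creates, cert-manager never populates the TLS secret, and Traefik falls back to its default certificate. The same applies to the hunk at `@@ -88,7 +88,7 @@` below. The `| quote` is gone as well, so the annotation is no longer guaranteed to render as a string; something like `cert-manager.io/cluster-issuer: {{ printf "%s-%s-%s" .Release.Name .Release.Namespace .Values.tlsIssuer | quote }}` keeps it quoted, and the custom-issuer fallback should be restored if it is still supported. The Ingress resource continues outside the hunk.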
@@ -88,7 +88,7 @@ metadata:
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-{{ include "s3gw.CORSMiddlewareName" . }}@kubernetescrd'
- cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
+ cert-manager.io/cluster-issuer: {{ .Release.Name }}-{{ .Release.Namespace }}-{{ .Values.tlsIssuer }}
 spec:
 tls:
 - hosts:
diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml
index e9ae249..bda62c1 100644
--- a/charts/s3gw/templates/tls-issuer.yaml
+++ b/charts/s3gw/templates/tls-issuer.yaml
@@ -1,5 +1,4 @@
 {{- if .Values.useCertManager }}
-{{- if eq .Values.tlsIssuer "s3gw-issuer" }}
 ---
 # Self-signed issuer
 apiVersion: cert-manager.io/v1
@@ -15,19 +14,20 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-issuer
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-s3gw-issuer
 labels:
 {{ include "s3gw.labels" . | indent 4}}
 spec:
 ca:
 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root
-{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}
+
+{{- if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}
 ---
 # Let's encrypt production issuer
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-letsencrypt-issuer
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-s3gw-letsencrypt-issuer
 labels:
 {{ include "s3gw.labels" . | indent 4}}
 spec:

From db311c75b91dcb6fcb74a04b53bd1b27746575dc Mon Sep 17 00:00:00 2001
From: Phan Le
Date: Mon, 14 Aug 2023 14:26:00 -0700
Subject: [PATCH 2/3] The ingress of AMCE server need to be contact through http port

Signed-off-by: Phan Le
---
 charts/s3gw/templates/tls-issuer.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

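Review bot: With the `if eq .Values.tlsIssuer "s3gw-issuer"` guard removed here and the `else if` in the hunk at `@@ -15,19 +14,20 @@` turned into a plain `if`, `tlsIssuer` is never validated: any value other than the two names matched in this file renders ingress annotations pointing at a ClusterIssuer this chart never creates, and the install still succeeds. A render-time check at the top of the file catches that where it is cheapest, e.g. `{{- if not (has .Values.tlsIssuer (list "s3gw-issuer" "s3gw-letsencrypt-issuer")) }}` / `{{- fail "tlsIssuer must be s3gw-issuer or s3gw-letsencrypt-issuer" }}` / `{{- end }}`. The self-signed root CA issuer is now rendered whenever `useCertManager` is true, even for Let's Encrypt deployments, which appears intentional because certificate.yaml's cluster-ip Certificate always references it; a comment such as `# Always rendered: the cluster-ip Certificate is issued from this CA regardless of tlsIssuer` would record that.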
diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml
index bda62c1..21f9db0 100644
--- a/charts/s3gw/templates/tls-issuer.yaml
+++ b/charts/s3gw/templates/tls-issuer.yaml
@@ -40,10 +40,6 @@ spec:
 solvers:
 - http01:
 ingress:
- ingressTemplate:
- metadata:
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.tls: "true"
+ ingressClassName: traefik
 {{- end }}
 {{- end }}

From a6a8db4f9c674e9699dc5ddecb6d16fa1de3e965 Mon Sep 17 00:00:00 2001
From: Phan Le
Date: Mon, 14 Aug 2023 14:27:55 -0700
Subject: [PATCH 3/3] Cannot use wildcard for http01 AMCE resolver

Signed-off-by: Phan Le
---
 charts/s3gw/templates/ingress-traefik.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/s3gw/templates/ingress-traefik.yaml b/charts/s3gw/templates/ingress-traefik.yaml
index e0fd2b7..5e81516 100644
--- a/charts/s3gw/templates/ingress-traefik.yaml
+++ b/charts/s3gw/templates/ingress-traefik.yaml
@@ -17,7 +17,7 @@ spec:
 tls:
 - hosts:
 - '{{ include "s3gw.serviceName" . }}.{{ .Values.publicDomain }}'
- - '*.{{ include "s3gw.serviceName" . }}.{{ .Values.publicDomain }}'
+# - '*.{{ include "s3gw.serviceName" . }}.{{ .Values.publicDomain }}'
 secretName: s3gw-ingress-tls
 rules:
 - host: '{{ include "s3gw.serviceName" . }}.{{ .Values.publicDomain }}'
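Review bot: `ingressClassName: traefik` is hard-coded, so the ACME solver ingress is only picked up when the cluster's Traefik is registered under exactly that IngressClass, and HTTP-01 additionally requires Traefik's plain-HTTP entrypoint to be reachable from the internet on port 80 — none of which the template states, and the removed `websecure`/`router.tls` annotations show how easily that constraint gets re-broken. Exposing the class through a chart value (a new value, name to be chosen, defaulting to `traefik`) and adding a comment above `ingress:` such as `# HTTP-01 challenges are answered over plain HTTP on port 80; do not pin this solver ingress to the websecure entrypoint` would make the requirement explicit. The removed annotations applied only to the short-lived solver ingress, so the production ingress's TLS settings are unaffected by this hunk.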
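Review bot: The wildcard SAN is dropped by commenting the line out with a column-0 `#`, which leaves dead template text behind and removes the wildcard even when the self-signed CA issuer, which can sign wildcards, is selected. If a `host` rule for `*.{{ include "s3gw.serviceName" . }}.{{ .Values.publicDomain }}` still exists under `rules:` below the hunk, virtual-hosted-style bucket requests will now be served a certificate with no matching SAN and fail TLS verification, so that rule should be reviewed alongside this change. Making the SAN conditional keeps both issuers correct: `{{- if ne .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}` / `- '*.{{ include "s3gw.serviceName" . }}.{{ .Values.publicDomain }}'` / `{{- end }}`. The Ingress resource continues outside the hunk.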