[Ingress-lb] fix certs #17
Conversation
jakolehm
commented
Dec 13, 2017
•
jakolehm
commented
- use certificates resolver for SSL certs
- open 443 always (works better with LE tls-sni)
| type: env | ||
| # {% endfor %} | ||
| # {% endif %} | ||
| # {% else %} | ||
| certificates: [] |
There was a problem hiding this comment.
This is a workaround for kontena/kontena#3108, but it doesn't seem to work if you just leave the lb_certs multi-prompt empty... with an empty lb_certs array, this ends up as:
services:
lb:
...
certificates: The conditional would need to be something like {% if lb_certs.size > 0 %}
| @@ -29,9 +29,7 @@ services: | |||
| image: kontena/lb:latest | |||
| ports: | |||
| - 80:80 | |||
| # {% if lb_certs %} | |||
| - 443:443 | |||
There was a problem hiding this comment.
I'm pretty sure the {% if lb_certs %} conditional was true before if you just hit enter on the lb_certs prompt... If I kontena stack install kontena/ingress-lb without selecting any (vault) certs, then the service will have port 443 exposed?
There was a problem hiding this comment.
Yes, imho it's better to open this port always so that LE tls-sni-01 can work properly.
There was a problem hiding this comment.
Yes. I'm just saying that I think the port 443 was already open, even before this change :)
ingress-lb/kontena.yml
Outdated
| uri: /__health | ||
| protocol: tcp | ||
| interval: 60 | ||
| port: 1000 |
There was a problem hiding this comment.
Seems to work fine
D, [2017-12-13T09:04:18.709262 #1] DEBUG -- Kontena::Workers::ContainerHealthCheckWorker: checking health for container: /ingress-lb.lb-1 using tcp ip and port: 10.81.128.21:1000
D, [2017-12-13T09:04:18.709711 #1] DEBUG -- Kontena::Workers::ContainerHealthCheckWorker: got status: true
There was a problem hiding this comment.
Although TBH the http healthchecks on the haproxy monitor-uri might still be a better idea than just a TCP healthcheck on port 1000 - we might even want to make the stats thing on port 1000 optional? It's not that great if you're using network_mode: host.
With kontena/kontena-loadbalancer#41 the HTTP healthchecks should no longer fail per kontena/kontena#3121 when installing this stack
|
@SpComb PTAL |
There was a problem hiding this comment.
LGTM
AFAIK the new certificates should support all existing usecases per 1.4.2, so it should be fine just replace the old vault secrets with the new certificates.
If anyone has been renewing their old vault secret certs after the 1.4.0 migration to certificates, then they will need to re-renew them using the new kontena certificate request instead.
