-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Ingress-lb] fix certs #17
Conversation
jakolehm
commented
Dec 13, 2017
•
edited
edited
- use certificates resolver for SSL certs
- open 443 always (works better with LE tls-sni)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Otherwise fine, but the {% if lb_certs %}
conditionals don't seem to behave as expected here in the stack template - they are always true for an empty array. I don't actually know any way of setting the opto variable to nil
or false
.
type: env | ||
# {% endfor %} | ||
# {% endif %} | ||
# {% else %} | ||
certificates: [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a workaround for kontena/kontena#3108, but it doesn't seem to work if you just leave the lb_certs
multi-prompt empty... with an empty lb_certs
array, this ends up as:
services:
lb:
...
certificates:
The conditional would need to be something like {% if lb_certs.size > 0 %}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
@@ -29,9 +29,7 @@ services: | |||
image: kontena/lb:latest | |||
ports: | |||
- 80:80 | |||
# {% if lb_certs %} | |||
- 443:443 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure the {% if lb_certs %}
conditional was true before if you just hit enter on the lb_certs
prompt... If I kontena stack install kontena/ingress-lb
without selecting any (vault) certs, then the service will have port 443 exposed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, imho it's better to open this port always so that LE tls-sni-01 can work properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. I'm just saying that I think the port 443 was already open, even before this change :)
ingress-lb/kontena.yml
Outdated
uri: /__health | ||
protocol: tcp | ||
interval: 60 | ||
port: 1000 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems to work fine
D, [2017-12-13T09:04:18.709262 #1] DEBUG -- Kontena::Workers::ContainerHealthCheckWorker: checking health for container: /ingress-lb.lb-1 using tcp ip and port: 10.81.128.21:1000
D, [2017-12-13T09:04:18.709711 #1] DEBUG -- Kontena::Workers::ContainerHealthCheckWorker: got status: true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although TBH the http healthchecks on the haproxy monitor-uri
might still be a better idea than just a TCP healthcheck on port 1000 - we might even want to make the stats thing on port 1000 optional? It's not that great if you're using network_mode: host
.
With kontena/kontena-loadbalancer#41 the HTTP healthchecks should no longer fail per kontena/kontena#3121 when installing this stack
@SpComb PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
AFAIK the new certificates should support all existing usecases per 1.4.2, so it should be fine just replace the old vault secrets
with the new certificates
.
If anyone has been renewing their old vault secret certs after the 1.4.0 migration to certificates, then they will need to re-renew them using the new kontena certificate request
instead.