christianlight/tutor
6
0
Fork 0
mirror of https://github.com/ChristianLight/tutor.git synced 2025-01-25 22:18:24 +00:00
Code Issues Releases Activity

Fix tls certificate generation in k8s

Browse Source 
The "Certificate" objects are no longer required. As a consequence, the
"k8s-ingress-certificates" has become useless and should be removed from
plugins.
This commit is contained in:
Régis Behmo 2020-03-27 13:54:47 +01:00
parent e4ca99b237
commit 091e45fe63
3 changed files with 18 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
## Unreleased ## Unreleased
- [Improvement] Fix tls certificate generation in k8s
- [Improvement] Upgrade k8s certificate issuer to cert-manager.io/v1alpha2 - [Improvement] Upgrade k8s certificate issuer to cert-manager.io/v1alpha2
- [Feature] Add SCORM XBlock to default openedx docker image - [Feature] Add SCORM XBlock to default openedx docker image

13
docs/k8s.rst
View File

@ -58,6 +58,19 @@ If you decide to enable HTTPS certificates, you will also have to set ``WEB_PROX
Note that this configuration might conflict with a local installation. Note that this configuration might conflict with a local installation.
.. warning::
On DigitalOcean, there is currently a bug that prevents certificate issuers from successfully fetching TLS certificates from Let's Encrypt. A workaround consists in adding a custom annotation to the "ingress-nginx" service::
kubectl -n ingress-nginx patch service ingress-nginx -p \
'{"metadata": {"annotations": {"service.beta.kubernetes.io/do-loadbalancer-hostname": "YOURLMSHOSTHERE"}}}'
Sources:
* https://www.digitalocean.com/community/questions/how-do-i-correct-a-connection-timed-out-error-during-http-01-challenge-propagation-with-cert-manager
* https://www.digitalocean.com/community/questions/pod-unable-to-curl-loadbalancer
* https://github.com/jetstack/cert-manager/issues/863#issuecomment-567062996
* https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/examples/README.md#accessing-pods-over-a-managed-load-balancer-from-inside-the-cluster
S3-like object storage with `MinIO <https://www.minio.io/>`_ S3-like object storage with `MinIO <https://www.minio.io/>`_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

21
tutor/templates/k8s/ingress.yml
View File

@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/name: web app.kubernetes.io/name: web
annotations: annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 1000m nginx.ingress.kubernetes.io/proxy-body-size: 1000m
{% if ACTIVATE_HTTPS%}cert-manager.io/issuer: letsencrypt {% if ACTIVATE_HTTPS%}kubernetes.io/tls-acme: "true"
cert-manager.io/acme-challenge-type: http01{% endif %} cert-manager.io/issuer: letsencrypt{% endif %}
spec: spec:
rules: rules:
{% for host in hosts %} {% for host in hosts %}
@ -42,21 +42,8 @@ spec:
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-privatekey name: letsencrypt-privatekey
solvers: solvers:
- http01: - selector: {}
http01:
ingress: ingress:
class: nginx class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: {{ LMS_HOST|replace(".", "-") }}
spec:
secretName: {{ LMS_HOST }}-tls
issuerRef:
name: letsencrypt
commonName: {{ LMS_HOST }}
dnsNames:
- {{ LMS_HOST }}
- {{ CMS_HOST }}
{{ patch("k8s-ingress-certificates") }}
{% endif %} {% endif %}