Fix tls certificate generation in k8s

The "Certificate" objects are no longer required. As a consequence, the "k8s-ingress-certificates" has become useless and should be removed from plugins.
2025-01-11 17:38:46 +00:00 · 2020-03-27 13:54:47 +01:00 · 2020-03-27 13:54:47 +01:00 · 091e45fe63
commit 091e45fe63
parent e4ca99b237
3 changed files with 18 additions and 17 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".

 ## Unreleased

+- [Improvement] Fix tls certificate generation in k8s
 - [Improvement] Upgrade k8s certificate issuer to cert-manager.io/v1alpha2
 - [Feature] Add SCORM XBlock to default openedx docker image

--- a/docs/k8s.rst
+++ b/docs/k8s.rst
@ -58,6 +58,19 @@ If you decide to enable HTTPS certificates, you will also have to set ``WEB_PROX

 Note that this configuration might conflict with a local installation.

+.. warning::
+    On DigitalOcean, there is currently a bug that prevents certificate issuers from successfully fetching TLS certificates from Let's Encrypt. A workaround consists in adding a custom annotation to the "ingress-nginx" service::
+        
+        kubectl -n ingress-nginx patch service ingress-nginx -p \
+            '{"metadata": {"annotations": {"service.beta.kubernetes.io/do-loadbalancer-hostname": "YOURLMSHOSTHERE"}}}'
+    
+    Sources:
+    
+    * https://www.digitalocean.com/community/questions/how-do-i-correct-a-connection-timed-out-error-during-http-01-challenge-propagation-with-cert-manager
+    * https://www.digitalocean.com/community/questions/pod-unable-to-curl-loadbalancer
+    * https://github.com/jetstack/cert-manager/issues/863#issuecomment-567062996
+    * https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/examples/README.md#accessing-pods-over-a-managed-load-balancer-from-inside-the-cluster
+
 S3-like object storage with `MinIO <https://www.minio.io/>`_
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/tutor/templates/k8s/ingress.yml
+++ b/tutor/templates/k8s/ingress.yml
@ -7,8 +7,8 @@ metadata:
    app.kubernetes.io/name: web
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 1000m
-    {% if ACTIVATE_HTTPS%}cert-manager.io/issuer: letsencrypt
-    cert-manager.io/acme-challenge-type: http01{% endif %}
+    {% if ACTIVATE_HTTPS%}kubernetes.io/tls-acme: "true"
+    cert-manager.io/issuer: letsencrypt{% endif %}
 spec:
  rules:
  {% for host in hosts %}
@ -42,21 +42,8 @@ spec:
    privateKeySecretRef:
      name: letsencrypt-privatekey
    solvers:
-      - http01:
+      - selector: {}
+        http01:
          ingress:
            class: nginx
---
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
-  name: {{ LMS_HOST|replace(".", "-") }}
-spec:
-  secretName: {{ LMS_HOST }}-tls
-  issuerRef:
-    name: letsencrypt
-  commonName: {{ LMS_HOST }}
-  dnsNames:
-  - {{ LMS_HOST }}
-  - {{ CMS_HOST }}
-{{ patch("k8s-ingress-certificates") }}
 {% endif %}