Trouble getting cert-manager on hosted Kubernetes with Drone helm chart.
I am trying to get Drone CI/CD (v0.8.6) running in hosted Kubernetes (1.12) with SSL provisioned by Let's Encrypt cert-manager.
The standard unencrypted install works fine, I specify a service of LoadBalancer and then DO notices that and creates a LoadBalancer that forwards to the ingress. It works fine with HTTP.
But when I introduce cert-manager, there are 2 problems:
- while it seems to mostly work, the http01 challenge is not mapped correctly. I see that there are routes created in the ingress for the challenge but they don't get routed by the LoadBalancer and consequently no certificates are issued.
- The load balancer doesn't get updated to forward 443 through to the ingress for termination -- I"m guessing this is just a limitation of the automaticly deployed LB in DO.
I'm guessing that the helm chart needs to have some additional annotations passed through to the ingress (or manually applied) to make everything sync up in the DO environment -- but I am new to cert-manager and don't have a working environment to use as a reference.
So with all that, here are my questions:
- Does anyone have cert-manager working with a Load Balancer and ingress in hosted Kubernetes? It doesn't look to me like this is currently working with the standard install of cert-manager via helm.
- would it be better to use dns01 challenges? it seemed like that was going to be harder to implement in DO but since the kubernetes networking is out of the loop it might be easier.
- Has anyone gotten Drone running in hosted kubernetes on DO with cert-manager?
Advice appreciated, thank you!
BTW, currently I took the lazy way and am using non-SSL deployment with a manually applied SSL termination in the Load Balancer and that is working OK, although with that approach I cannot allocate a certificate in a sub-domain and had to create a whole new TLD, but that is a topic for another thread.