jx: TLS seems to be broken on applications when using boot

Summary

  • Enable TLS when installing with boot via the cert-manager and external DNS
  • Create an application with either create spring or create quickstart and deploy it with Jenkins X
  • The certificate for the application public endpoint from the staging environment seems to be invalid

The application ingress resource seems to still have the expose controller annotations:

apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      fabric8.io/generated-by: exposecontroller
      kubernetes.io/ingress.class: nginx
      kubernetes.io/tls-acme: "true"
    creationTimestamp: 2019-09-03T08:13:40Z
    generation: 1
    labels:
      provider: fabric8
    name: bdd-spring-1567497978
    namespace: jx-staging
    ownerReferences:
    - apiVersion: v1
      kind: Service
      name: bdd-spring-1567497978
      uid: ba295232-ce22-11e9-bb9b-42010a84003c
    resourceVersion: "8133"
    selfLink: /apis/extensions/v1beta1/namespaces/jx-staging/ingresses/bdd-spring-1567497978
    uid: bcc72597-ce22-11e9-bb9b-42010a84003c
  spec:
    rules:
    - host: bdd-spring-1567497978.jx-staging.boot.bdd.jenkins-x.rocks
      http:
        paths:
        - backend:
            serviceName: bdd-spring-1567497978
            servicePort: 80
    tls:
    - hosts:
      - bdd-spring-1567497978.jx-staging.boot.bdd.jenkins-x.rocks
      secretName: tls-bdd-spring-1567497978
  status:
    loadBalancer:
      ingress:
      - ip: 
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

No cert-manager issuer seems to be installed in the staging namespace. The cert-manager fails with the following error when trying to acquire the certificate for the newly deployed application:

I0903 08:13:40.282576       1 base_controller.go:193] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="jx-staging/bdd-spring-1567497978"
I0903 08:14:04.218156       1 base_controller.go:187] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="jx-staging/bdd-spring-1567497978"
I0903 08:14:04.218406       1 sync.go:77] cert-manager/controller/ingress-shim "level"=0 "msg"="failed to determine issuer to be used for ingress resource" "resource_kind"="Ingress" "resource_name"="bdd-spring-1567497978" "resource_namespace"="jx-staging"

Steps to reproduce the behavior

Expected behavior

A valid certificate should be acquired for an application deployed in the staging or production environments.

Actual behavior

Jx version

The output of jx version is:

COPY OUTPUT HERE

Jenkins type

  • [x] Serverless Jenkins X Pipelines (Tekton + Prow)
  • Classic Jenkins

Kubernetes cluster

Operating system / Environment

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 9
  • Comments: 32 (15 by maintainers)
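
A check for the condition reported above, added here as an example and not code from the issue or from Jenkins X: it scans `kubectl get ingress --all-namespaces -o json` output for Ingresses that declare TLS but give cert-manager's ingress-shim no issuer to use, the case behind the "failed to determine issuer" log line. The sample input is constructed from the Ingress shown above; `example-app`, `example-issuer` and the function name are assumptions.

```python
import json

# Annotations cert-manager's ingress-shim reads to choose an issuer
# (certmanager.k8s.io/ is the pre-v0.11 prefix, cert-manager.io/ the later one).
ISSUER_KEYS = ("certmanager.k8s.io/issuer", "certmanager.k8s.io/cluster-issuer",
               "cert-manager.io/issuer", "cert-manager.io/cluster-issuer")
TLS_ACME = "kubernetes.io/tls-acme"

def ingresses_without_issuer(doc, default_issuer=None):
    """Report Ingresses that declare TLS but give ingress-shim no issuer.

    default_issuer: value of the controller's --default-issuer-name flag, if set.
    """
    items = doc.get("items", []) if doc.get("kind", "").endswith("List") else [doc]
    findings = []
    for ing in items:
        if ing.get("kind") != "Ingress":
            continue
        meta = ing.get("metadata", {})
        ann = meta.get("annotations") or {}
        tls = ing.get("spec", {}).get("tls") or []
        if not tls or any(ann.get(k) for k in ISSUER_KEYS):
            continue
        acme = ann.get(TLS_ACME) == "true"
        if acme and default_issuer:
            continue  # ingress-shim falls back to the default issuer
        findings.append({
            "ingress": f"{meta.get('namespace')}/{meta.get('name')}",
            "secrets": [t.get("secretName") for t in tls],
            "reason": ("tls-acme set, but no issuer annotation or default issuer"
                       if acme else "no cert-manager annotation, ingress-shim skips it"),
        })
    return findings

# Constructed sample: first item mirrors the Ingress in the report, second is hypothetical.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "Ingress",
  "metadata": {"name": "bdd-spring-1567497978", "namespace": "jx-staging",
    "annotations": {"kubernetes.io/ingress.class": "nginx", "kubernetes.io/tls-acme": "true"}},
  "spec": {"tls": [{"hosts": ["bdd-spring-1567497978.jx-staging.boot.bdd.jenkins-x.rocks"],
                    "secretName": "tls-bdd-spring-1567497978"}]}},
 {"kind": "Ingress",
  "metadata": {"name": "example-app", "namespace": "jx-production",
    "annotations": {"certmanager.k8s.io/issuer": "example-issuer"}},
  "spec": {"tls": [{"hosts": ["example-app.example.test"], "secretName": "tls-example-app"}]}}]}""")

if __name__ == "__main__":
    for f in ingresses_without_issuer(SAMPLE):
        print(f"{f['ingress']}: {f['reason']} (secrets: {', '.join(f['secrets'])})")
```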

Most upvoted comments

Bumped priority.

@tdcox @rawlingsj same here on my application’s Ingress: Could not determine issuer for ingress due to bad annotations: failed to determine issuer name to be used for ingress resource

Will that work for previews and devpods?

I’m currently using

DOMAIN="your_domain"

# $DOMAIN is spliced in outside the single quotes so that the shell expands it
kubectl patch deployment -n kube-system jxing-nginx-ingress-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--default-ssl-certificate=jx/tls-'"$DOMAIN"'-p"}]'

which seems to work quite well and catch anything with a broken/missing cert. I wasn’t able to get it stable and working for previews and devpods when I was trying replicator a while back.

@srehmanproov You can check with @daveconde or @deanesmith on Slack. I don’t think it is done.