Hi all
I spent all day trying to get Cert-Manager to issue a certificate for my Gateway in my new Scaleway cluster. The challenge gets a “connection refused” and my cm-acme-ingress is stuck without an address (is that supposed to happen?). It would be amazing if someone could help me. This is the Ingress:
istio-system cm-acme-http-solver-9hpzk istio test.grpc.nuntio.io 80 46m
Also, here is my setup:
Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Release.Name }}-istio-cert
  namespace: istio-system
spec:
  secretName: {{ .Release.Name }}-istio-cert
  issuerRef:
    name: {{ .Release.Name }}-istio-issuer
    kind: ClusterIssuer
  commonName: {{ .Values.certificate.commonName }}
  dnsNames:
  {{- range .Values.certificate.dnsNames }}
    - {{ . }}
  {{- end }}
Cluster issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: {{ .Release.Name }}-istio-issuer
spec:
  acme:
    # The ACME server URL
    server: {{ .Values.istioIssuer.server }}
    # Email address used for ACME registration
    email: {{ .Values.istioIssuer.email }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: {{ .Release.Name }}-istio-secret
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: istio
Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: {{ .Release.Name }}-gateway
  namespace: {{ .Release.Namespace | default "default" }}
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: {{ .Release.Name }}-istio-cert
        serverCertificate: "use sds" # random string, because serverCertificate and privateKey are required for tls.mode=SIMPLE
        privateKey: "use sds"
      hosts:
      {{- range .Values.certificate.dnsNames }}
        - {{ . }}
      {{- end }}
Virtual service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs
  namespace: {{ .Release.Namespace | default "default" }}
spec:
  hosts:
  {{- range .Values.certificate.dnsNames }}
    - "{{ . }}"
  {{- end }}
  gateways:
    - {{ .Release.Name }}-gateway
  http:
    - match:
        - uri:
            prefix: /Nuntio.NuntioConnectPublicService/
        - uri:
            prefix: /grpc.reflection.v1alpha.ServerReflection/
      route:
        - destination:
            host: {{ .Release.Name }}-connect-public
            port:
              number: {{ .Values.nuntioConnectService.authClusterIp.port }}
            subset: v1
      corsPolicy:
        allowOrigin:
          - "*"
        allowMethods:
          - POST
          - GET
          - OPTIONS
          - PUT
          - DELETE
        allowHeaders:
          - grpc-timeout
          - content-type
          - keep-alive
          - user-agent
          - cache-control
          - content-type
          - content-transfer-encoding
          - custom-header-1
          - x-accept-content-transfer-encoding
          - x-accept-response-streaming
          - x-grpc-web
          - x-user-agent
        maxAge: 1728s
        exposeHeaders:
          - custom-header-1
          - grpc-status
          - grpc-message
    - match:
        - uri:
            prefix: /Nuntio.NuntioDashboardService/
      route:
        - destination:
            host: {{ .Release.Name }}-dashboard
            port:
              number: {{ .Values.nuntioDashboardService.dashboardClusterIp.port }}
            subset: v1
      corsPolicy:
        allowOrigin:
          - "*"
        allowMethods:
          - POST
          - GET
          - OPTIONS
          - PUT
          - DELETE
        allowHeaders:
          - grpc-timeout
          - content-type
          - keep-alive
          - user-agent
          - cache-control
          - content-type
          - content-transfer-encoding
          - custom-header-1
          - x-accept-content-transfer-encoding
          - x-accept-response-streaming
          - x-grpc-web
          - x-user-agent
        maxAge: 1728s
        exposeHeaders:
          - custom-header-1
          - grpc-status
          - grpc-message
Thanks in advance. I really appreciate the help.
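Added example (not from the original post): the ACME HTTP-01 validator always connects to port 80 of each dnsName, while the Gateway above only opens a 443 listener. This Gateway serves plain HTTP for the challenge next to the HTTPS server; it reuses the post's names, and that the refused connection is the validator's port-80 request is an assumption.

```yaml
# Added example, not part of the original post. One Istio Gateway that
# answers the ACME HTTP-01 challenge over plain HTTP (port 80) and serves
# the issued certificate over HTTPS (port 443) on the same ingress gateway.
# Assumption: the "connection refused" is the validator's port-80 request,
# which a Gateway with only a 443 server never accepts.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: {{ .Release.Name }}-gateway
  namespace: {{ .Release.Namespace | default "default" }}
spec:
  selector:
    istio: ingressgateway
  servers:
    # HTTP-01: the ACME server fetches
    # http://<dnsName>/.well-known/acme-challenge/<token> on port 80 and the
    # cm-acme-http-solver pod answers. Leave httpsRedirect unset on this
    # server so the challenge is answered over HTTP, not redirected to a
    # 443 listener whose certificate does not exist yet.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
      {{- range .Values.certificate.dnsNames }}
        - {{ . }}
      {{- end }}
    # Application traffic, terminated with the secret cert-manager writes
    # (istio-system, same namespace as the ingress gateway) via SDS.
    # credentialName alone is sufficient; serverCertificate/privateKey are
    # for certificates mounted into the gateway pod as files.
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: {{ .Release.Name }}-istio-cert
      hosts:
      {{- range .Values.certificate.dnsNames }}
        - {{ . }}
      {{- end }}
```

To see where the request actually dies, `kubectl describe challenge -n istio-system` reports the validator's error, and a plain `curl -v http://<dnsName>/.well-known/acme-challenge/<token>` from outside the cluster shows whether port 80 on the load balancer reaches the gateway at all.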