Tags: docker, ssl, kubernetes, ssl-certificate, ambassador

How can I solve the "Secret tls-cert.default unknown" issue?


Hi, I am using Ambassador for my project. I have 2 services and 2 Host files. When I apply "kubectl apply -f host1.yml" and "kubectl apply -f host2.yml", I get the error below. How can I produce the correct TLS cert by using Ambassador Edge Stack 1.13? What is wrong here?

kubectl get hosts -A


Error: echo-host: continuing with invalid TLS secret tls2-cert

Details:

2021-08-07 14:26:19 diagd 1.13.10-dev.24+g61366062d [P32TAEW] ERROR: Secret tls2-cert.default unknown
2021-08-07 14:26:19 diagd 1.13.10-dev.24+g61366062d [P32TAEW] ERROR: Host echo-host: continuing with invalid TLS secret tls2-cert
2021-08-07 14:26:19 diagd 1.13.10-dev.24+g61366062d [P32TAEW] ERROR: Secret tls-cert.default unknown
2021-08-07 14:26:19 diagd 1.13.10-dev.24+g61366062d [P32TAEW] ERROR: Host quote-host: continuing with invalid TLS secret tls-cert
2021-08-07 14:26:19 diagd 1.13.10-dev.24+g61366062d [P32TAEW] INFO: configuration updated (complete) from snapshot snapshot (S9 L1 G12 C5)
time="2021-08-07 14:26:19" level=warning msg="license_secret_watch: empty decoded license data" func=github.com/datawire/apro/cmd/amb-sidecar.runE.func3 file="github.com/datawire/apro/cmd/amb-sidecar/main.go:258" CMD=amb-sidecar PID=16 THREAD=/license_secret_watch
time="2021-08-07T14:26:19Z" level=info msg="Loaded file /ambassador/envoy/envoy.json"
time="2021-08-07T14:26:19Z" level=info msg="Saved snapshot v126"
time="2021-08-07T14:26:19Z" level=info msg="Pushing snapshot v126"

My host files:

host1.yml:

---
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: quote-host
spec:
  hostname: quote.kafkacake.xyz
  acmeProvider:
    email: [email protected]
  tlsSecret:
    name: tls-cert
  requestPolicy:
    insecure:
      action: Redirect
      additionalPort: 8080

host2.yml:

---
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: echo-host
spec:
  hostname: echo.kafkacake.xyz
  acmeProvider:
    email: [email protected]
  tlsSecret:
    name: tls2-cert
  requestPolicy:
    insecure:
      action: Redirect
      additionalPort: 8080

How can I produce the correct TLS cert by using Ambassador Edge Stack 1.13?


Solution

  • You should try installing cert-manager with Ambassador. Edge Stack supports Let's Encrypt in acmeProvider, but only with one challenge type, HTTP-01.

    Your HTTP-01 cert challenge is failing, while cert-manager also supports the DNS-01 method, and if you want to use a wildcard cert you can also use it.

    https://www.getambassador.io/docs/edge-stack/latest/howtos/cert-manager/
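As an added example (not part of the original question or answer, and not the Ambassador project's own manifests), here is the cert-manager route the answer points to, carried through end to end. It assumes cert-manager is already installed, that kafkacake.xyz is hosted on Cloudflare (the DNS provider is an assumption; cert-manager ships other dns01 solvers that take the place of the cloudflare stanza), and that a Secret named cloudflare-api-token holding a zone-scoped DNS edit token exists in the cert-manager namespace. The Certificate writes a single wildcard cert into the tls-cert Secret in the default namespace, which is the Secret the diagd log above reports as unknown, and both Hosts point at that one Secret with acmeProvider.authority set to none so that Edge Stack's built-in ACME client stops attempting HTTP-01 on its own.

```yaml
# ClusterIssuer: Let's Encrypt via DNS-01. The account key is created by
# cert-manager in the Secret named under privateKeySecretRef.
# Assumption: Cloudflare hosts the zone; the token Secret lives in the
# cert-manager namespace, which is where ClusterIssuers look for it.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    # While debugging, use the staging directory instead to stay under
    # Let's Encrypt rate limits:
    #   https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # assumed pre-created Secret
              key: api-token
---
# Certificate: one wildcard cert for the zone, written into the Secret
# "tls-cert" in "default", i.e. the name diagd reported as unknown.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kafkacake-wildcard
  namespace: default
spec:
  secretName: tls-cert
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
    - "*.kafkacake.xyz"
    - kafkacake.xyz
---
# Hosts: authority "none" disables Edge Stack's own ACME client so it only
# consumes the Secret that cert-manager fills. Both Hosts can share the
# wildcard Secret, so the separate tls2-cert is no longer needed.
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: quote-host
  namespace: default
spec:
  hostname: quote.kafkacake.xyz
  acmeProvider:
    authority: none
  tlsSecret:
    name: tls-cert
  requestPolicy:
    insecure:
      action: Redirect
---
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: echo-host
  namespace: default
spec:
  hostname: echo.kafkacake.xyz
  acmeProvider:
    authority: none
  tlsSecret:
    name: tls-cert
  requestPolicy:
    insecure:
      action: Redirect
```

After applying this, watch `kubectl get certificate,order,challenge -n default` until the Certificate shows Ready=True; at that point `kubectl get secret tls-cert -n default` returns a kubernetes.io/tls Secret and the "Secret tls-cert.default unknown" line disappears from diagd. If the Challenge stays pending, `kubectl describe challenge -n default` shows the DNS-01 failure reason. Keep the DNS API token scoped to DNS edit on that one zone only: anyone who can read that Secret can obtain certificates for every name under kafkacake.xyz.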