Ok, so I have a simple deployment in AWS EKS that uses an ALB and I'm having issues with the TLS. My setup is as follows:
If the CNAME is not proxied (in Cloudflare), I get an "ERR_CERT_AUTHORITY_INVALID" error. But if it's proxied, then it works fine.
How could I fix this or, what am I missing?
These are the YAMLs I used:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-stuff
  namespace: api
  labels:
    app: stuff
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stuff
  template:
    metadata:
      labels:
        app: stuff
    spec:
      containers:
        - name: stuff
          image: stuff.azurecr.io/stuff-master:12
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: stuff
  namespace: api
  labels:
    app: stuff
spec:
  type: NodePort
  selector:
    app: stuff
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: stuff
  namespace: api
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTP": 8080}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:xxxxxxxxxxxxxxxxxxxx"
spec:
  ingressClassName: alb
  rules:
    - host: stuff.domain.stf
      http:
        paths:
          - path: /stuff
            pathType: Prefix
            backend:
              service:
                name: stuff
                port:
                  number: 8080
These are the certificate import steps:
Ok, I found the issue now: I needed to request a certificate instead of importing it (in AWS ACM).
To validate the certificate there are two options: email or DNS. I chose the latter. A few minutes after being requested, the certificate will contain the DNS name and value that has to be set in our DNS provider as a CNAME entry (in my case I had to set that in Cloudflare DNS section).
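An added example (not from the poster) that turns the fix above into a check: it reads the JSON that `aws acm describe-certificate` prints, flags a certificate that was imported rather than requested, and lists the validation CNAMEs that still have to be created at the DNS provider. The two JSON samples are constructed for the example; the field names are those of the ACM describe-certificate output.

```python
import json

# Constructed sample of `aws acm describe-certificate` output for a certificate
# requested with DNS validation and not yet validated (not real data).
SAMPLE_PENDING = """{
  "Certificate": {
    "DomainName": "stuff.domain.stf",
    "Type": "AMAZON_ISSUED",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
      "DomainName": "stuff.domain.stf",
      "ValidationStatus": "PENDING_VALIDATION",
      "ValidationMethod": "DNS",
      "ResourceRecord": {
        "Name": "_abc123.stuff.domain.stf.",
        "Type": "CNAME",
        "Value": "_def456.acm-validations.aws."
      }
    }]
  }
}"""
# Constructed sample for a certificate that was imported into ACM instead.
SAMPLE_IMPORTED = '{"Certificate": {"DomainName": "stuff.domain.stf", "Type": "IMPORTED", "Status": "ISSUED"}}'

def pending_validation_records(describe_json: str) -> list:
    """Return the CNAME records ACM still needs, one per unvalidated domain."""
    cert = json.loads(describe_json)["Certificate"]
    records = []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS" or opt.get("ValidationStatus") == "SUCCESS":
            continue
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM has not published the record yet; re-run describe-certificate
            continue
        records.append({"domain": opt["DomainName"], "name": rr["Name"], "type": rr["Type"], "value": rr["Value"]})
    return records

def diagnose(describe_json: str) -> str:
    """Explain why the ALB may present a certificate the browser rejects, and what to do next."""
    cert = json.loads(describe_json)["Certificate"]
    if cert["Type"] == "IMPORTED":
        return "imported: the ALB serves this certificate as-is, so an issuer the browser does not trust yields ERR_CERT_AUTHORITY_INVALID; request an ACM certificate instead"
    if cert["Status"] == "ISSUED":
        return "issued: reference its ARN in alb.ingress.kubernetes.io/certificate-arn"
    lines = ["pending validation: create these records at the DNS provider (as plain CNAMEs)"]
    for r in pending_validation_records(describe_json):
        lines.append(f"  {r['type']} {r['name']} -> {r['value']}")
    return "\n".join(lines)
```

Pipe the real `aws acm describe-certificate --certificate-arn <arn>` output into `diagnose` to get the same report for your own certificate.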