
Question: Unknown object type "nil" in Certificate.spec.dnsNames[0], when the values are present in template

Open sergeByishimo opened this issue 3 years ago • 0 comments

Basic information

  • On-premises: yes
  • Cloud-Provider: none
  • Installation type: demo
  • Kubernetes version: 1.19.7
  • Helm version: v3.8.0
  • Installed with Kubespray: no
  • (Helm) Charts version: 4.2.0
  • List of installed top-level charts: databases-ephemeral-4.2.0, fake-aws-4.2.0, nginx-ingress-controller-4.2.0, demo-smtp-4.2.0, wire-server-4.2.0
  • Other related technologies + version: Ansible 2.9.27, Helm

How did you install Wire?

Ubuntu 18.04, cert-manager 0.16.1 (which uses API version cert-manager.io/v1alpha2)

I followed the instructions from:

  • https://docs.wire.com/how-to/install/dependencies.html
  • https://docs.wire.com/how-to/install/helm.html
  • https://cert-manager.io/v0.16-docs/installation/kubernetes/#installing-with-helm

Question

Issuing SSL using Let's Encrypt and cert-manager

I'm running:

helm upgrade --install nginx-ingress-services wire/nginx-ingress-services -f values.yaml --wait

and I'm getting this error:

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(Certificate.spec.dnsNames): unknown object type "nil" in Certificate.spec.dnsNames[0]

My values.yaml from wire-server-deploy/nginx-ingress-services:

teamSettings:
  enabled: false
accountPages:
  enabled: false
tls:
  enabled: true
  # NOTE: enable to automate certificate issuing with jetstack/cert-manager instead of
  #       providing your own certs in secrets.yaml. Cert-manager is not installed automatically,
  #       it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md)
  useCertManager: true

certManager:
  # NOTE: change to tell cert-manager to issue a valid certificate
  inTestMode: false
  # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration
  #                notice and other Letsencrypt related notification
  certmasterEmail: [email protected]

# NOTE: These values must be adjusted on a per installation basis
config:
  dns:
    https: nginz-https.mydomain.com
    ssl: nginz-ssl.wire.mydomain.com
    webapp: webapp.wire.mydomain.com
    fakeS3: assets.wire.mydomain.com
    teamSettings: teams.wire.mydomain.com
    accountPages: account.wire.mydomain.com

When I render the chart template using:

helm template nginx-ingress-services wire/nginx-ingress-services -f values.yaml > out.yaml

I can see the DNS values are being set:

# Source: nginx-ingress-services/templates/certificate.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: "wire-mydomain-com-csr"
  namespace: default
  labels:
    chart: "nginx-ingress-services-4.2.0"
    release: "nginx-ingress-services"
    heritage: "Helm"
spec:
  issuerRef:
    name: letsencrypt-http01
    kind: Issuer
  usages:
    - server auth
  duration: 2160h     # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
  renewBefore: 360h   # 15d
  isCA: false
  keyAlgorithm: ecdsa
  keySize: 384        # 521 is not supported by Letsencrypt
  keyEncoding: pkcs1
  secretName: "nginx-ingress-services-nginx-ingress-services-managed-tls-certificate"
  # NOTE: disabled due to https://github.com/jetstack/cert-manager/issues/2978
  # TODO: enable when fixed (probably when cert-manager:v0.16 released)
  #privateKey:
  #  rotationPolicy: Always
  dnsNames:
    - nginz-https.wire.mydomain.com
    - nginz-ssl.wire.mydomain.com
    - webapp.wire.mydomain.com
    - assets.wire.mydomain.com

Any thoughts or comments would be appreciated!

Best regards,

sergeByishimo, Feb 24 '22 13:02
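
The validation error above reports a YAML null at dnsNames[0], which is what a list item whose value renders empty parses to. As an added example (not part of the original issue or of wire-server-deploy), this shell function scans a rendered manifest for such entries; the function names and the sample manifest are constructed for illustration.

```shell
# Added example: list null entries in Certificate.spec.dnsNames of rendered YAML.
# Reads a multi-document manifest on stdin; exits 1 if any null entry is found.
# Typical use with the command from the issue:
#   helm template nginx-ingress-services wire/nginx-ingress-services -f values.yaml | find_nil_dnsnames
find_nil_dnsnames() {
  awk '
    function emit_doc(   i) {         # emit findings only for Certificate documents
      if (kind == "Certificate")
        for (i = 1; i <= n; i++) { print found[i]; bad = 1 }
      kind = ""; name = ""; n = 0; in_list = 0
    }
    /^---/                     { emit_doc(); next }
    /^kind:/                   { kind = $2 }
    /^  name:/ && name == ""   { name = $2; gsub(/"/, "", name) }
    /^[ ]*dnsNames:[ ]*$/      { in_list = 1; idx = 0; next }
    in_list && /^[ ]*(#.*)?$/  { next }   # blank or comment line inside the list
    in_list && /^[ ]*-/ {
      val = $0
      sub(/^[ ]*-[ ]*/, "", val)          # drop the list marker
      sub(/(^|[ ]+)#.*$/, "", val)        # drop a trailing comment
      sub(/[ ]+$/, "", val)
      # YAML parses an empty item, ~ or null as null; "" would be an empty string
      if (val == "" || val == "~" || val == "null" || val == "Null" || val == "NULL")
        found[++n] = sprintf("%s: spec.dnsNames[%d] is null", name, idx)
      idx++
      next
    }
    in_list                    { in_list = 0 }   # any other key ends the list
    END                        { emit_doc(); exit bad }
  '
}

# Constructed sample: the first dnsNames item rendered empty (hypothetical names).
sample_manifest() {
  cat <<'EOF'
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: "wire-example-com-csr"
spec:
  secretName: "example-tls"
  dnsNames:
    -
    - nginz-ssl.wire.example.com
    - webapp.wire.example.com
EOF
}
```

Because `helm upgrade --install` renders against the live cluster while `helm template` renders offline, running the same check on the output of `helm upgrade --install ... --dry-run --debug` shows what the failing command actually produced.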