Getting kubernetes-dashboard-certs using cert-manager and reflector

[SapiensAnatis]

Hi,

I'm trying to set up access to the dashboard via ingress. I'm following this guide to make the dashboard use my own certificates. I want to use a certificate from Let's Encrypt, so I created the following certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubernetes-dashboard
  namespace: default
spec:
  secretName: kubernetes-dashboard-certs
  commonName: k8s.mydomain.com
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
    group: cert-manager.io
  dnsNames:
    - k8s.mydomain.com
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kubernetes-dashboard"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kubernetes-dashboard"

This creates a secret called kubernetes-dashboard-certs as the guide describes, and I'm using Reflector to sync it to the kubernetes-dashboard namespace, as my letsencrypt-staging issuer is in the default namespace, so I assumed I couldn't create the certificate outside of the default namespace.

This successfully gets a certificate and copies it to the kubernetes-dashboard namespace. However, when I try to apply the dashboard yaml I get the following error:

The Secret "kubernetes-dashboard-certs" is invalid: type: Invalid value: "Opaque": field is immutable

The secret created by cert-manager has the type set to type: kubernetes.io/tls, but it does have the tls.crt and tls.key properties in data.

Is there something I'm missing here or is it not possible to do it this way? Will I have to copy the secret data manually each time the certificate is renewed?

[SapiensAnatis]

I've solved this particular issue by removing the existing kubernetes-dashboard-certs secret from the recommended yaml file, and specifying ReadOnly in the mount options for the secret within the deployment.

However, I'm now having another issue where trying to navigate to the dashboard via the ingress I have set up is causing an internal server error, with the message

2023/01/02 06:49:14 http: TLS handshake error from 10.42.0.8:39768: remote error: tls: bad certificate

I tried changing the issuer on the certificate to use the production letsencrypt, but no luck.

Here are the relevant sections of the yaml I'm using to apply the dashboard:

# --- snip ---
       containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --namespace=kubernetes-dashboard
            - --tls-cert-file=/tls.crt
            - --tls-key-file=/tls.key
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              readOnly: true
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
# --- snip ---
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}

and here is my ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
    - host: k8s.mydomain.com
      http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
  tls:
    - secretName: kubernetes-dashboard-certs
      hosts:
        - k8s.mydomain.com