
Issue Let’s Encrypt certificate using HTTP-01 challenge

Deploy Voyager operator

Deploy Voyager operator following instructions here.

# install without RBAC
curl -fsSL \
  | bash -s -- --provider=gke

If you are trying this on an RBAC-enabled cluster, pass the --rbac flag to the installer script.

# install with RBAC
curl -fsSL \
  | bash -s -- --provider=gke --rbac

Create Ingress

  1. We are going to use an nginx server as the backend. To deploy the nginx server, run the following commands:
kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80
  1. Now create Ingress ing.yaml
kubectl apply -f
  1. Wait for the LoadBalancer IP to be assigned. Once the IP is assigned, update your DNS provider to set the LoadBalancer IP as the A record for test domain
$ kubectl get svc  voyager-test-ingress
NAME                   CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
voyager-test-ingress   80:32266/TCP,443:31282/TCP   19m
  1. Now wait a bit for DNS to propagate. Run the following command to confirm DNS propagation.
$ dig +short
  1. Now open URL . This should show you the familiar nginx welcome page.

Create Certificate

  1. Create a secret to provide ACME user email. Change the email to a valid email address and run the following command:
kubectl create secret generic acme-account
  1. Create the Certificate CRD to issue TLS certificate from Let’s Encrypt using HTTP challenge.
kubectl apply -f
  1. Now wait a bit and you should see a new secret named tls-kitecicom. This contains the tls.crt and tls.key.
$ kubectl get secrets
NAME                  TYPE                                  DATA      AGE
acme-account          Opaque                                3         20m
default-token-zj0wv   3         30m
tls-kitecicom                     2         19m
$ kubectl describe cert kitecicom
Name:		kitecicom
Namespace:	default
Labels:		<none>
API Version:
Kind:		Certificate
  Cluster Name:
  Creation Timestamp:			2017-10-29T22:07:45Z
  Deletion Grace Period Seconds:	<nil>
  Deletion Timestamp:			<nil>
  Resource Version:			1376
  Self Link:				/apis/
  UID:					97d91028-bcf5-11e7-bc3f-42010a800fd5
  Acme User Secret Name:	acme-account
  Challenge Provider:
        API Version:
        Kind:		Ingress
        Name:		test-ingress
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  20m		20m		1	voyager operator			Normal		IssueSuccessful	Successfully issued certificate

If you look at the Ingress, you should see that /.well-known/acme-challenge/ path has been added to rules. It should look like this.

If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

Update Ingress to use TLS

  1. Now edit the Ingress to add spec.tls section.
$ kubectl edit test-ingress

  - hosts:
      kind: Secret
      name: tls-kitecicom

After editing, your Ingress should look similar to this.

  1. Now wait several seconds for HAProxy to reconfigure. If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

Now try the following commands:

$ curl -vv
* Rebuilt URL to:
*   Trying
* Connected to ( port 80 (#0)
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.47.0
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location:
* Connection #0 to host left intact
$ curl -vv
* Rebuilt URL to:
*   Trying
* Connected to ( port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject:
* 	 start date: Sun, 29 Oct 2017 21:07:37 GMT
* 	 expire date: Sat, 27 Jan 2018 21:07:37 GMT
* 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.47.0
> Accept: */*
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Sun, 29 Oct 2017 22:31:59 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Thu, 14 Sep 2017 16:35:09 GMT
< ETag: "59baafbd-264"
< Accept-Ranges: bytes
< Strict-Transport-Security: max-age=15768000
<!DOCTYPE html>
<title>Welcome to nginx!</title>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href=""></a>.<br/>
Commercial support is available at
<a href=""></a>.</p>

<p><em>Thank you for using nginx.</em></p>
* Connection #0 to host left intact
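
Added example (not part of the Voyager docs): a shell check over captured `curl -v` transcripts that confirms the two behaviours the output above shows once TLS is enabled, the 301 redirect to HTTPS and the Strict-Transport-Security header. The host example.test, the function names, the minimum max-age threshold and the sample transcripts are assumptions constructed for illustration.

```shell
# Added example (not Voyager code). example.test is a placeholder host; the
# transcripts below are constructed, modelled on the curl -vv output above.
HTTP_TRANSCRIPT='> GET / HTTP/1.1
> Host: example.test
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://example.test/'
HTTPS_TRANSCRIPT='> GET / HTTP/1.1
> Host: example.test
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Strict-Transport-Security: max-age=15768000'

# Print the status code of the first response line in a transcript.
resp_status() {
  printf '%s\n' "$1" | awk '/^< HTTP\// { print $3; exit }'
}

# Print the value of a response header; the name match is case-insensitive.
resp_header() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    /^< / {
      line = substr($0, 3); i = index(line, ":")
      if (i && tolower(substr(line, 1, i - 1)) == tolower(want)) {
        val = substr(line, i + 1); sub(/^[ \t]+/, "", val); print val; exit
      }
    }'
}

# Succeed only when plain HTTP answers with a redirect to an https:// URL.
check_redirect() {
  code=$(resp_status "$1"); location=$(resp_header "$1" Location)
  case "$code" in 301|302|307|308) ;; *) echo "no redirect (status ${code:-none})"; return 1 ;; esac
  case "$location" in https://*) echo "redirects to $location" ;; *) echo "redirect target is not https: ${location:-none}"; return 1 ;; esac
}

# Succeed only when HSTS is present with max-age >= $2 seconds
# (default 15768000, the value in the output above; the threshold is an assumption).
check_hsts() {
  min=${2:-15768000}; hsts=$(resp_header "$1" Strict-Transport-Security)
  [ -n "$hsts" ] || { echo "HSTS header missing"; return 1; }
  max_age=$(printf '%s\n' "$hsts" | tr ';' '\n' | awk -F= '
    tolower($1) ~ /^[ \t]*max-age[ \t]*$/ { gsub(/[^0-9]/, "", $2); print $2; exit }')
  [ -n "$max_age" ] && [ "$max_age" -ge "$min" ] || { echo "HSTS max-age too low: ${max_age:-unset}"; return 1; }
  echo "HSTS max-age=$max_age"
}

check_redirect "$HTTP_TRANSCRIPT"
check_hsts "$HTTPS_TRANSCRIPT"
```

Against a live endpoint, capture the transcript with `curl -sv -o /dev/null <url> 2>&1` and pass it as the first argument.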
