Hi @timvol, welcome to the community and thanks for trying ECK.
So I set up my ECK with letsencrypt and a DNS provider (I used GoDaddy example), so I am pretty sure we can get this to work. Yes, it seems weird: how do I create a cert when I don't have the IP?
The macro process that I follow is the following.
- Create cert using certbot with the DNS TXT challenge method; this is based on FQDN, not IP
- Install the certs into ECK and Deploy.
- Get the External IP of your Load Balancer
- Go back to your DNS and create an A Record that now points the domain to the IP of the new Load Balancer and it should work. This is the general method I use to create certs when I don't know the IP yet.
- Access your ECK Kibana / Elasticsearch via FQDN
First create fullchain.pem and privkey.pem using certbot using the TXT challenge method. This method creates a cert based on the Domain Name and the TXT challenge method.
```
sudo certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "mykibana.mydomain.net"
```
Create the TXT challenge record in your DNS.
Make sure that it has propagated; I use MXTools for that.
Then finish up and you should have your fullchain.pem and privkey.pem.
You can install them into your ECK env with the following:
```
kubectl create secret generic my-es-cert --from-file=tls.crt=fullchain.pem --from-file=tls.key=privkey.pem
```
BTW I did a post on using the ingress controller as well on GKE; might be worth a peek.
Hope this helps
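
An added example, not part of the original post: a pre-flight check to run on `fullchain.pem` and `privkey.pem` before the `kubectl create secret` step. It confirms that the key belongs to the leaf certificate, that the certificate covers the FQDN the A record will use, and that it has not expired. The function names and the throwaway self-signed pair are constructed for illustration; it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# check_tls_pair CERT KEY FQDN -> exit status 0 only if every check passes.
check_tls_pair() {
  ctp_cert=$1; ctp_key=$2; ctp_fqdn=$3
  # 1. The private key must match the leaf certificate. openssl x509 reads
  #    the first certificate in fullchain.pem, which is the leaf.
  ctp_cpub=$(openssl x509 -in "$ctp_cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $ctp_cert" >&2; return 1; }
  ctp_kpub=$(openssl pkey -in "$ctp_key" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $ctp_key" >&2; return 1; }
  [ "$ctp_cpub" = "$ctp_kpub" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
  # 2. The certificate must cover the FQDN that DNS will point at the
  #    load balancer. -checkhost prints "does match" or "does NOT match".
  openssl x509 -in "$ctp_cert" -noout -checkhost "$ctp_fqdn" 2>/dev/null |
    grep -q "does match" ||
    { echo "certificate does not cover $ctp_fqdn" >&2; return 1; }
  # 3. The certificate must not already be expired.
  openssl x509 -in "$ctp_cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired" >&2; return 1; }
  return 0
}

# make_demo_pair DIR FQDN -> writes a constructed, self-signed pair for
# trying the check offline. Not a Let's Encrypt certificate.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Usage: sh check.sh fullchain.pem privkey.pem mykibana.mydomain.net
if [ "$#" -eq 3 ]; then
  check_tls_pair "$1" "$2" "$3" && echo "OK: safe to load into the secret"
fi
```
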