Self-signed certificate issue with cert-manager in Kubernetes

X T*_*X T · 3 · Tags: ssl-certificate, kubernetes, kubernetes-ingress, azure-aks, cert-manager

I am trying to add a self-signed certificate to my AKS cluster using cert-manager.

I created one ClusterIssuer for the CA certificate (used to sign certificates) and a second ClusterIssuer for the certificate I want to use (self-signed).

I'm not sure whether certificate2 is being used correctly by the Ingress, because it looks like it is waiting for some event.

Am I following the right approach to do this?

This is the first ClusterIssuer, "clusterissuer.yml":

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {} 

This is the CA certificate, "certificate.yml":

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-certificate
spec:
  secretName: hello-deployment-tls-ca-key-pair
  dnsNames:
  - "*.default.svc.cluster.local"
  - "*.default.com"
  isCA: true
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer

This is the second ClusterIssuer, "clusterissuer2.yml", for the certificate I want to use:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: hello-deployment-tls
spec:
 ca:
   secretName: hello-deployment-tls-ca-key-pair

Finally, this is the self-signed certificate, "certificate2.yml":

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-certificate2
spec:
  secretName: hello-deployment-tls-ca-key-pair2
  dnsNames:
  - "*.default.svc.cluster.local"
  - "*.default.com"
  isCA: false
  issuerRef:
    name: hello-deployment-tls
    kind: ClusterIssuer

I use this certificate in the Ingress:

--- 
apiVersion: extensions/v1beta1
kind: Ingress
metadata: 
  annotations: 
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "hello-deployment-tls"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  name: sonar-ingress
spec: 
  tls: 
  - secretName: "hello-deployment-tls-ca-key-pair2"
  rules: 
  - http: 
      paths: 
      - pathType: Prefix
        path: "/"
        backend: 
          serviceName: sonarqube
          servicePort: 80

Since I don't have any registered domain name, I just want to use the public IP via https://<Public_IP>.

When I access the service at https://<Public_IP> I can see "Kubernetes Ingress Controller Fake Certificate", so I guess this is because the browser cannot globally recognize the certificate.

Here is the strange thing. In theory the Ingress deployment is using selfsigned-certificate2, but it looks like it is not ready yet:

kubectl get certificate
NAME                      READY   SECRET                              AGE
selfsigned-certificate    True    hello-deployment-tls-ca-key-pair    4h29m
selfsigned-certificate2   False   hello-deployment-tls-ca-key-pair2   3h3m
selfsigned-secret         True    selfsigned-secret                   5h25m

kubectl describe certificate selfsigned-certificate2
...
Spec:
  Dns Names:
    *.default.svc.cluster.local
    *.default.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       hello-deployment-tls
  Secret Name:  hello-deployment-tls-ca-key-pair2
Status:
  Conditions:
    Last Transition Time:  2021-10-15T11:16:15Z
    Message:               Waiting for CertificateRequest "selfsigned-certificate2-3983093525" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:                    <none>

Any ideas?

Thanks in advance.

moo*_*tte · 5

API version

First, I noticed you are using the v1alpha2 apiVersion, which is deprecated and will be removed in cert-manager 1.6:

$ kubectl apply -f cluster-alpha.yaml
Warning: cert-manager.io/v1alpha2 ClusterIssuer is deprecated in v1.4+, unavailable in v1.6+; use cert-manager.io/v1 ClusterIssuer

I used apiVersion: cert-manager.io/v1 while reproducing.

The same goes for the ingress v1beta1; consider updating it to networking.k8s.io/v1.

What happens

I started reproducing your setup step by step.

I applied clusterissuer.yaml:

$ kubectl apply -f clusterissuer.yaml
clusterissuer.cert-manager.io/selfsigned created

$ kubectl get clusterissuer
NAME         READY   AGE
selfsigned   True    11s

Note that READY is set to True.

Next I applied certificate.yaml:

$ kubectl apply -f cert.yaml
certificate.cert-manager.io/selfsigned-certificate created

$ kubectl get cert
NAME                     READY   SECRET                             AGE
selfsigned-certificate   True    hello-deployment-tls-ca-key-pair   7s

The next step is adding the second ClusterIssuer, which references the hello-deployment-tls-ca-key-pair Secret:

$ kubectl apply -f clusterissuer2.yaml
clusterissuer.cert-manager.io/hello-deployment-tls created

$ kubectl get clusterissuer
NAME                   READY   AGE
hello-deployment-tls   False   6s
selfsigned             True    3m50

ClusterIssuer hello-deployment-tls is not ready. Here is why:

$ kubectl describe clusterissuer hello-deployment-tls
...
Events:
  Type     Reason         Age                From          Message
  ----     ------         ----               ----          -------
  Warning  ErrGetKeyPair  10s (x5 over 75s)  cert-manager  Error getting keypair for CA issuer: secret "hello-deployment-tls-ca-key-pair" not found
  Warning  ErrInitIssuer  10s (x5 over 75s)  cert-manager  Error initializing issuer: secret "hello-deployment-tls-ca-key-pair" not found

This is expected behaviour, because:

When referencing a Secret resource in ClusterIssuer resources (e.g. apiKeySecretRef), the Secret needs to be in the same namespace as the cert-manager controller pod. You can optionally override this by using the --cluster-resource-namespace argument to the controller.

Reference

Answer - how to move forward

I edited the deployment so that it looks for secrets in the default namespace (this is not ideal; I would use an issuer in the default namespace instead):

$ kubectl edit deploy cert-manager -n cert-manager

spec:
  containers:
  - args:
    - --v=2
    - --cluster-resource-namespace=default

It takes about a minute for cert-manager to start. Redeploy clusterissuer2.yaml:

$ kubectl delete -f clusterissuer2.yaml
clusterissuer.cert-manager.io "hello-deployment-tls" deleted

$ kubectl apply -f clusterissuer2.yaml
clusterissuer.cert-manager.io/hello-deployment-tls created

$ kubectl get clusterissuer
NAME                   READY   AGE
hello-deployment-tls   True    3s
selfsigned             True    5m42s

Both are READY. Moving on to certificate2.yaml:

$ kubectl apply -f cert2.yaml
certificate.cert-manager.io/selfsigned-certificate2 created

$ kubectl get cert
NAME                      READY   SECRET                              AGE
selfsigned-certificate    True    hello-deployment-tls-ca-key-pair    33s
selfsigned-certificate2   True    hello-deployment-tls-ca-key-pair2   6s

$ kubectl get certificaterequest
NAME                            APPROVED   DENIED   READY   ISSUER                 REQUESTOR                                         AGE
selfsigned-certificate-jj98f    True                True    selfsigned             system:serviceaccount:cert-manager:cert-manager   52s
selfsigned-certificate2-jwq5c   True                True    hello-deployment-tls   system:serviceaccount:cert-manager:cert-manager   25s

Ingress

When no host is added to the ingress, it does not create any certificate and seems to use a fake certificate issued by the ingress with CN = Kubernetes Ingress Controller Fake Certificate.

Events from the ingress:

Events:
  Type     Reason     Age   From                      Message
  ----     ------     ----  ----                      -------
  Warning  BadConfig  5s    cert-manager              TLS entry 0 is invalid: secret "example-cert" for ingress TLS has no hosts specified

When I added the DNS name to the ingress:

Events:
  Type     Reason             Age                From                      Message
  ----     ------             ----               ----                      -------
  Normal   CreateCertificate  4s                 cert-manager              Successfully created Certificate "example-cert"

Answer, part 2 (about ingress, certificates and issuers)

If you reference an issuer in the ingress rules, you don't need to create a certificate. The Ingress will issue a certificate for you once all the details are provided, e.g.:

  • the annotation cert-manager.io/cluster-issuer: "hello-deployment-tls"
  • spec.tls with the hosts part
  • spec.rules.host

Or

If you want to create the certificate manually and have the ingress use it, then:

  • remove the annotation cert-manager.io/cluster-issuer: "hello-deployment-tls"
  • create the certificate manually
  • reference it in the ingress rule.

You can check the certificate details in the browser and see that the issuer is no longer CN = Kubernetes Ingress Controller Fake Certificate; in my case it was empty.

Note - cert-manager v1.4

Initially I used a somewhat outdated version, cert-manager v1.4, and ran into this issue; I updated to 1.4.1.

It looked like this:

$ kubectl describe certificaterequest selfsigned-certificate2-45k2c

Events:
  Type     Reason           Age   From          Message
  ----     ------           ----  ----          -------
  Normal   cert-manager.io  41s   cert-manager  Certificate request has been approved by cert-manager.io
  Warning  DecodeError      41s   cert-manager  Failed to decode returned certificate: error decoding certificate PEM block

Useful links:

  • @Wytrzymały Wiktor Thank you very much for the time you spent on this. The answer is very detailed and works like a charm! Thanks! (2 upvotes)
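The two-tier chain the answer walks through (a selfSigned ClusterIssuer producing a CA key pair with isCA: true, then a CA ClusterIssuer signing the leaf) can be checked outside the cluster. This is an added example, not code from the question or the answer: it rebuilds that chain with plain openssl and verifies the leaf against the CA, the same check you can run on tls.crt and ca.crt decoded from the two cert-manager Secrets; file names, subjects and the `demo` argument are constructed for the example, and openssl 1.1.1 or newer is assumed on PATH.

```shell
#!/bin/sh
# Added example (not from the question or the answer): rebuild the
# selfSigned -> CA -> leaf chain with openssl and verify it.
# Assumes openssl 1.1.1+; file names and subjects are constructed.
set -e

# Write the CA (mirrors selfsigned-certificate, isCA: true) and a leaf signed
# by it (mirrors selfsigned-certificate2, isCA: false) into directory "$1".
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  sans="DNS:*.default.svc.cluster.local,DNS:*.default.com"
  # CA: self-signed, basicConstraints CA:TRUE, same SANs as certificate.yml
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/CN=selfsigned-certificate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectAltName=%s\n' "$sans" > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # Leaf: CSR signed with the CA key pair, CA:FALSE, serving SANs
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/tls.key" \
    -out "$dir/tls.csr" -subj "/CN=selfsigned-certificate2" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$sans" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/leaf.ext" -out "$dir/tls.crt" 2>/dev/null
}

# Verify a leaf PEM ($2) against a CA PEM ($1). Point it at tls.crt and ca.crt
# pulled from the two Secrets to confirm the leaf really chains to the CA.
# Echoes 0 when the chain verifies, 1 otherwise.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Issuer of a PEM certificate. A served cert whose issuer reads
# "Kubernetes Ingress Controller Fake Certificate" is the ingress default,
# not the one cert-manager issued.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_chain "$d"
  echo "leaf verifies against CA: $(verify_chain "$d/ca.crt" "$d/tls.crt")"
  echo "leaf issuer: $(issuer_of "$d/tls.crt")"
fi
```

With the `demo` argument the script builds the chain in a temporary directory and prints the verification result and the leaf's issuer.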