Nginx-Ingress does not pick up the certificate from cert-manager

Jon*_*sch 2 nginx kubernetes cert-manager nginx-ingress

I am currently trying to set up an application in K8S behind nginx-ingress. The certificate should be generated by cert-manager and Let's Encrypt (staging for now).


The application lives in the namespace prod, the nginx-ingress-controller in the namespace nginx, and cert-manager in the cert-manager namespace.


We set up a ClusterIssuer for Let's Encrypt staging and the certificate was generated successfully (we can see it in the Secret and the Certificate resource). However, the nginx-ingress-controller still answers with the Kubernetes Ingress Controller Fake Certificate.


Here are some technical details:


Ingress:

```
❯ kubectl describe ingress/forgerock
Name:             forgerock
Labels:           <none>
Namespace:        prod
Address:          someaws-id.elb.eu-central-1.amazonaws.com
Ingress Class:    <none>
Default backend:  <default>
TLS:
  sslcertciam terminates ciam.test.fancycorp.com
Rules:
  Host                Path  Backends
  ----                ----  --------
  ciam.test.fancycorp.com
                      /am/json/authenticate                                             am:80 (10.0.2.210:8081)
                      ...
                      /am/extlogin                                                      am:80 (10.0.2.210:8081)
Annotations:          cert-manager.io/cluster-issuer: letsencrypt-stage
                      haproxy.router.openshift.io/cookie_name: route
                      kubernetes.io/ingress.class: nginx
                      nginx.ingress.kubernetes.io/affinity: cookie
                      nginx.ingress.kubernetes.io/body-size: 64m
                      nginx.ingress.kubernetes.io/enable-cors: false
                      nginx.ingress.kubernetes.io/proxy-body-size: 64m
                      nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
                      nginx.ingress.kubernetes.io/proxy-read-timeout: 600
                      nginx.ingress.kubernetes.io/proxy-send-timeout: 600
                      nginx.ingress.kubernetes.io/send-timeout: 600
                      nginx.ingress.kubernetes.io/session-cookie-hash: sha1
                      nginx.ingress.kubernetes.io/session-cookie-name: route
                      nginx.ingress.kubernetes.io/ssl-redirect: true
Events:               <none>
```

Issuer:

```
❯ kubectl describe clusterissuer/letsencrypt-stage
Name:         letsencrypt-stage
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2022-09-12T07:26:05Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-09-12T07:26:05Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-09-12T07:26:06Z
  Resource Version:  17749318
  UID:               fcbcbfff-b875-4ac4-805b-65ab0b4e1a93
Spec:
  Acme:
    Email:            admin@fancycorp.com
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-stage
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  admin@fancycorp.com
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/68184363
  Conditions:
    Last Transition Time:  2022-09-12T07:26:06Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
```

Certificate:

```
❯ kubectl describe cert/sslcertciam
Name:         sslcertciam
Namespace:    prod
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-09-12T07:40:04Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          .:
          k:{"uid":"2a0af8f2-8166-4a8e-bb50-fd0aa906f844"}:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
        f:usages:
    Manager:      controller
    Operation:    Update
    Time:         2022-09-12T07:40:04Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:      controller
    Operation:    Update
    Subresource:  status
    Time:         2022-09-12T07:40:07Z
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  forgerock
    UID:                   2a0af8f2-8166-4a8e-bb50-fd0aa906f844
  Resource Version:        17753197
  UID:                     2484d1fe-5b80-4cbc-b2f8-7f4276e15a37
Spec:
  Dns Names:
    ciam.test.fancycorp.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-stage
  Secret Name:  sslcertciam
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:  2022-09-12T07:40:07Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-12-11T06:40:05Z
  Not Before:              2022-09-12T06:40:06Z
  Renewal Time:            2022-11-11T06:40:05Z
  Revision:                1
Events:                    <none>
```

Secret:

```
❯ kubectl describe secret/sslcertciam
Name:         sslcertciam
Namespace:    prod
Labels:       <none>
Annotations:  cert-manager.io/alt-names: ciam.test.fancycorp.com
              cert-manager.io/certificate-name: sslcertciam
              cert-manager.io/common-name: ciam.test.fancycorp.com
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-stage
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
tls.crt:  5741 bytes
tls.key:  1675 bytes
```

CertificateRequest:

```
❯ kubectl describe certificaterequests/sslcertciam-p6qpg
Name:         sslcertciam-p6qpg
Namespace:    prod
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: sslcertciam
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: sslcertciam-ztc8q
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2022-09-12T07:40:05Z
  Generate Name:       sslcertciam-
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:cert-manager.io/certificate-name:
          f:cert-manager.io/certificate-revision:
          f:cert-manager.io/private-key-secret-name:
        f:generateName:
        f:ownerReferences:
          .:
          k:{"uid":"2484d1fe-5b80-4cbc-b2f8-7f4276e15a37"}:
      f:spec:
        .:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:request:
        f:usages:
    Manager:      controller
    Operation:    Update
    Time:         2022-09-12T07:40:05Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:certificate:
        f:conditions:
    Manager:      controller
    Operation:    Update
    Subresource:  status
    Time:         2022-09-12T07:40:06Z
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  sslcertciam
    UID:                   2484d1fe-5b80-4cbc-b2f8-7f4276e15a37
  Resource Version:        17753174
  UID:                     2289de7b-f43f-4859-816b-b4a9794846ec
Spec:
  Extra:
    authentication.kubernetes.io/pod-name:
      cert-manager-75947cd847-7gndz
    authentication.kubernetes.io/pod-uid:
      91415540-9113-4456-86d2-a0e28478718a
  Groups:
    system:serviceaccounts
    system:serviceaccounts:cert-manager
    system:authenticated
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   letsencrypt-stage
  Request:  xxx
  UID:      5be755b9-711c-49ac-a962-6b3a3f80d16e
  Usages:
    digital signature
    key encipherment
  Username:  system:serviceaccount:cert-manager:cert-manager
Status:
  Certificate:  <base64-encoded-cert>
  Conditions:
    Last Transition Time:  2022-09-12T07:40:05Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-09-12T07:40:06Z
    Message:               Certificate fetched from issuer successfully
    Reason:                Issued
    Status:                True
    Type:                  Ready
Events:                    <none>
```

curl:

```
❯ curl -v https://ciam.test.fancycorp.com/am/extlogin/ -k
*   Trying xxx.xxx.xxx.xxx:443...
* Connected to ciam.test.fancycorp.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Sep 12 07:43:15 2022 GMT
*  expire date: Sep 12 07:43:15 2023 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x126811e00)
> GET /am/extlogin/ HTTP/2
> Host: ciam.test.fancycorp.com
> user-agent: curl/7.79.1
> accept: */*
...
```

Update 1:


When running `kubectl ingress-nginx certs --host ciam.test.fancycorp.com`, I also get the fake certificate back.


Jon*_*sch 5

Found the problem and the solution...

Another Ingress was defined in a different namespace that declared the same hostname but could not be linked to the correct Secret for the TLS certificate. When I deleted that one, it worked immediately.

Lesson learned: watch out for the effects of other namespaces!
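The root cause in the answer above is a host claimed by two Ingress resources in different namespaces, one of which has no usable TLS secret. The following is an added example (not code from the question or answer) that audits for exactly that: it reads the JSON shape produced by `kubectl get ingress -A -o json` and `kubectl get secret -A -o json`, groups Ingresses by host, and flags any host with more than one claimant, marking each claimant's TLS secret as present or missing in its own namespace. The input below is constructed sample data modelled on the thread; the second Ingress (`staging/legacy-ciam` with secret `old-cert`) and the `docs` Ingress are hypothetical and exist only to exercise the check.

```python
"""Audit Ingress resources across namespaces for hosts claimed more than once.

Added example, not part of the original post. Works on the JSON that
`kubectl get ingress -A -o json` and `kubectl get secret -A -o json` emit.
The sample data below is constructed; only prod/forgerock and sslcertciam
come from the thread, the rest is hypothetical.
"""
import json
from collections import defaultdict

# Constructed sample standing in for `kubectl get ingress -A -o json`.
INGRESS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "forgerock", "namespace": "prod"},
            "spec": {
                "tls": [{"hosts": ["ciam.test.fancycorp.com"], "secretName": "sslcertciam"}],
                "rules": [{"host": "ciam.test.fancycorp.com"}],
            },
        },
        {
            # Hypothetical stale Ingress in another namespace for the same host,
            # referencing a secret that does not exist in that namespace.
            "metadata": {"name": "legacy-ciam", "namespace": "staging"},
            "spec": {
                "tls": [{"hosts": ["ciam.test.fancycorp.com"], "secretName": "old-cert"}],
                "rules": [{"host": "ciam.test.fancycorp.com"}],
            },
        },
        {
            # Hypothetical unrelated Ingress: one claimant, so it is not reported.
            "metadata": {"name": "docs", "namespace": "prod"},
            "spec": {"rules": [{"host": "docs.test.fancycorp.com"}]},
        },
    ]
})

# Constructed sample standing in for `kubectl get secret -A -o json`.
SECRET_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "sslcertciam", "namespace": "prod"}, "type": "kubernetes.io/tls"},
    ]
})


def hosts_of(ingress):
    """Set of hosts an Ingress claims, from both spec.rules and spec.tls."""
    spec = ingress.get("spec", {})
    hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    for tls in spec.get("tls", []):
        hosts.update(tls.get("hosts", []))
    return hosts


def tls_secret_status(ingress, existing_secrets):
    """List of (secretName, exists) for each spec.tls entry of the Ingress.

    Secrets are namespaced, so the referenced secret must live in the
    Ingress's own namespace to be usable by the controller.
    """
    ns = ingress["metadata"]["namespace"]
    return [
        (tls.get("secretName"), (ns, tls.get("secretName")) in existing_secrets)
        for tls in ingress.get("spec", {}).get("tls", [])
    ]


def find_host_conflicts(ingress_json, secret_json):
    """Map host -> [(namespace, name, tls_status), ...] for hosts with >1 claimant."""
    ingresses = json.loads(ingress_json)["items"]
    secrets = {
        (s["metadata"]["namespace"], s["metadata"]["name"])
        for s in json.loads(secret_json)["items"]
        if s.get("type") == "kubernetes.io/tls"
    }
    claims = defaultdict(list)
    for ing in ingresses:
        meta = ing["metadata"]
        for host in hosts_of(ing):
            claims[host].append((meta["namespace"], meta["name"], tls_secret_status(ing, secrets)))
    return {host: c for host, c in claims.items() if len(c) > 1}


def report(conflicts):
    """Human-readable summary; a MISSING secret is the smell from the thread."""
    lines = []
    for host, claimants in sorted(conflicts.items()):
        lines.append(f"{host} is claimed by {len(claimants)} Ingress resources:")
        for ns, name, tls in claimants:
            if not tls:
                lines.append(f"  {ns}/{name}: no tls section")
            for secret, ok in tls:
                lines.append(f"  {ns}/{name}: tls secret {secret} {'ok' if ok else 'MISSING'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_host_conflicts(INGRESS_JSON, SECRET_JSON)))
```

Against a real cluster, dump the two resource lists with `kubectl get ingress -A -o json` and `kubectl get secret -A -o json` and pass the file contents to `find_host_conflicts`. Any host listed with a claimant whose secret is MISSING (or that has no tls section at all) is a candidate for the behaviour seen in the question, where the controller falls back to its fake certificate for a host that a valid Certificate already covers.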