Abe*_*dor 1 ssl kubernetes cert-manager amazon-eks
已经有一段时间了,我无法让它工作。基本上我在 AWS EKS 上有一个 K8s 集群,ExternalDNS 已设置并正常工作,现在我尝试使用 cert-manager 添加 TLS/SSL 证书。
这些是我的配置:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-cluster-issuer
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: my-email
privateKeySecretRef:
name: letsencrypt-cluster-issuer-key
solvers:
- selector:
dnsZones:
- "example.it"
- "*.example.it"
dns01:
route53:
region: eu-central-1
hostedZoneID: HOSTEDZONEID
accessKeyID: ACCESSKEYID
secretAccessKeySecretRef:
name: route53-secret
key: secretkey
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: le-crt
spec:
secretName: tls-secret
issuerRef:
kind: ClusterIssuer
name: letsencrypt-cluster-issuer
commonName: "*.example.it"
dnsNames:
- "*.example.it"
外部DNS:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-dns
labels:
app.kubernetes.io/name: external-dns
rules:
- apiGroups: [""]
resources: ["services", "endpoints", "pods", "nodes"]
verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-dns-viewer
labels:
app.kubernetes.io/name: external-dns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: ServiceAccount
name: external-dns
namespace: externaldns # change to desired namespace: externaldns, kube-addons
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
labels:
app.kubernetes.io/name: external-dns
spec:
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: external-dns
template:
metadata:
labels:
app.kubernetes.io/name: external-dns
spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: k8s.gcr.io/external-dns/external-dns:v0.11.0
args:
- --source=service
- --source=ingress
- --domain-filter=example.it # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
- --provider=aws
- --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
- --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
- --registry=txt
- --txt-owner-id=external-dns
env:
- name: AWS_DEFAULT_REGION
value: eu-central-1 # change to region where EKS is installed
Cert-manager部署在cert-manager命名空间中,而ExternalDNS则部署在其externaldns命名空间中。AWS ALB 位于kube-system.
最后,我的ingress部署在defaultns中:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: master
namespace: default
labels:
name: master
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
alb.ingress.kubernetes.io/group.name: "alta"
alb.ingress.kubernetes.io/group.order: "0"
alb.ingress.kubernetes.io/ssl-redirect: "443"
cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
spec:
ingressClassName: alb
tls:
- hosts:
- "example.it"
secretName: "tls-secret"
rules:
- host: example.it
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: echoserver # random test service, returns some page w/some info
port:
number: 80
通过所有这些配置,我仍然在入口处收到“找不到主机的证书:example.it”。证书正在颁发,一切看起来都正常。你有好主意吗?我快要疯了。
发布此信息以防有人遇到同样的问题。
基本上AWS ALB不支持cert-manager,您必须转到AWS ACM,在那里为自己获取一个证书,然后通过certificate-arn入口上的注释添加它。然后一切都应该开始工作。感谢 reddit 的帮助。
| 归档时间: |
|
| 查看次数: |
3361 次 |
| 最近记录: |