Dan*_*son 5 lets-encrypt traefik cert-manager ingress-route
I have a Kubernetes (v1.25.2) cluster running cert-manager 1.11.0 and Traefik 2.9.6. For some services I want Let's Encrypt to sign certificates automatically. For some reason, using an IngressRoute instead of an Ingress feels better. I just can't get the IngressRoute to create a certificate.
Right now I have a ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik
And, working, the corresponding Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-name-websecure
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: traefik
  rules:
    - host: my.host.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: linkingservice
                port:
                  number: 80
  tls:
    - hosts:
        - my.host.com
      secretName: some-secret-name-tls
This works, fine. The basic IngressRoute resource, on the other hand, looks like this:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-other-name-websecure
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`other.host.com`)
      kind: Rule
      services:
        - name: linkingservice
          port: 80
  tls:
    # certResolver: ??? # resolve what? Doesn't link with the ClusterIssuer
    # issuerRef: ??? # doesn't exist (anymore)
Now, I have tried:
- Using annotations: cert-manager.io/cluster-issuer: letsencrypt-prod, like with the Ingress. This gets ignored.
- tls.certResolver, which doesn't work because it doesn't exist. Should I create one? I want the ClusterIssuer to create the certificate and key, like it does for the Ingress.
- I saw issuerRef as an option in tls, but it doesn't seem to exist. I think I read that IngressRoute is like a layer on top of the default k8s Ingress, so it should be something logical/similar.
FYI: the ClusterIssuer and Ingress also work with Nginx when you replace solvers.http01.ingress.class with nginx, and likewise the Ingress's spec.ingressClassName. (Maybe also without, but I couldn't test.)
Now, I did find a way, but it still feels like more work than needed. The thing here is to create a Certificate and link it to the ClusterIssuer; that Certificate then creates a Secret. This secret needs to be added to spec.tls.secretName, e.g.:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my.host.com-cert
spec:
  secretName: my.host.com-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - my.host.com
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
spec:
  ...
  tls:
    secretName: my.host.com-secret
I also tried certResolver. But the CertificateResolver has been discontinued since cert-manager v0.15.0; or the CertificateRequest, but that was also discontinued since cert-manager 0.9.0. The suggested way seems to be the one described above.
I revisited the Traefik deployment values.yaml and found that their file has a certResolvers field, with:
certResolvers:
  letsencrypt:
    # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
    email: email@example.com
    dnsChallenge:
      # also add the provider's required configuration under env
      # or expand them from secrets/configmaps with envfrom
      # cf. https://doc.traefik.io/traefik/https/acme/#providers
      provider: digitalocean
      # add further options for the dns challenge as needed
      # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
      delayBeforeCheck: 30
      resolvers:
        - 1.1.1.1
        - 8.8.8.8
    tlsChallenge: true
    httpChallenge:
      entryPoint: "web"
    # It has to match the path with a persistent volume
    storage: /data/acme.json
Which makes me wonder. If you set this up, then maybe:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
spec:
  tls:
    certResolver: letsencrypt
would work.
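The Certificate + IngressRoute workaround above only issues a certificate when the two objects agree on the secret name and the Certificate's dnsNames cover every Host() the route matches; a mismatch, or an IngressRoute that still relies on the cert-manager annotation, silently serves Traefik's default certificate. Added example, not from the question: a small pre-apply check over the JSON shape that `kubectl get certificates,ingressroutes -o json` returns (the sample items below are constructed to mirror the question's manifests, and the objects are assumed to live in the `default` namespace).

```python
import json
import re

# Constructed sample of what `kubectl get certificates,ingressroutes -o json` returns:
# the Certificate + IngressRoute pair from the question, plus the bare IngressRoute.
SAMPLE = json.loads("""{"items": [
 {"kind": "Certificate",
  "metadata": {"name": "my.host.com-cert", "namespace": "default"},
  "spec": {"secretName": "my.host.com-secret", "dnsNames": ["my.host.com"],
           "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}},
 {"kind": "IngressRoute",
  "metadata": {"name": "myapp-name-websecure", "namespace": "default"},
  "spec": {"entryPoints": ["websecure"], "tls": {"secretName": "my.host.com-secret"},
           "routes": [{"match": "Host(`my.host.com`)", "kind": "Rule",
                       "services": [{"name": "linkingservice", "port": 80}]}]}},
 {"kind": "IngressRoute",
  "metadata": {"name": "myapp-other-name-websecure", "namespace": "default"},
  "spec": {"entryPoints": ["websecure"], "tls": {},
           "routes": [{"match": "Host(`other.host.com`)", "kind": "Rule",
                       "services": [{"name": "linkingservice", "port": 80}]}]}}
]}""")

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")  # hosts named in a Traefik match rule


def check_ingressroutes(items):
    """Return findings (empty list = OK): each IngressRoute with TLS must name a secret
    that a Certificate in the same namespace produces, covering every Host() it matches."""
    certs = {}  # (namespace, secretName) -> Certificate object
    for obj in items["items"]:
        if obj["kind"] == "Certificate":
            certs[(obj["metadata"]["namespace"], obj["spec"]["secretName"])] = obj
    findings = []
    for obj in items["items"]:
        if obj["kind"] != "IngressRoute":
            continue
        ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        secret = (obj["spec"].get("tls") or {}).get("secretName")
        hosts = {h for r in obj["spec"].get("routes", [])
                 for h in HOST_RE.findall(r.get("match", ""))}
        if not secret:
            findings.append(f"{ns}/{name}: tls.secretName missing (the cert-manager "
                            "annotation is ignored on IngressRoute, so no cert is issued)")
        elif (ns, secret) not in certs:
            findings.append(f"{ns}/{name}: no Certificate in {ns} produces secret {secret}")
        else:
            missing = hosts - set(certs[(ns, secret)]["spec"].get("dnsNames", []))
            if missing:
                cert_name = certs[(ns, secret)]["metadata"]["name"]
                findings.append(f"{ns}/{name}: Certificate {cert_name} lacks dnsNames {sorted(missing)}")
    return findings
```

Run it against live cluster output with `json.load(open("objects.json"))` in place of SAMPLE; an empty result means every TLS-enabled IngressRoute is backed by a cert-manager Certificate for the right hosts.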
Views: 2808