Pet*_*ter 8 ssl kubernetes traefik cert-manager
I have installed microk8s, traefik and cert-manager. When I try to obtain a LetsEncrypt certificate, a new pod is created to answer the challenge, but the requests from the LetsEncrypt server do not reach this pod. Instead, the requests are forwarded to the pod that serves the website.
It looks like the ingress route that routes traffic to the web pod has a higher priority than the ingress that routes requests for /.well-known/acme-challenge/... to the correct pod. What am I missing?
kubectl edit clusterissuer letsencrypt-prod:
kind: ClusterIssuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-prod"},"spec":{"acme":{"email":"office@mydomain.com","privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-v02.api.letsencrypt.org/directory","solvers":[{"http01":{"ingress":{"class":"traefik"}}}]}}}
  creationTimestamp: "2022-07-11T14:32:15Z"
  generation: 11
  name: letsencrypt-prod
  resourceVersion: "49979842"
  uid: 40c4e26d-9c94-4cda-aa3a-357491bdb25a
spec:
  acme:
    email: office@mydomain.com
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress: {}
status:
  acme:
    lastRegisteredEmail: office@mydomain.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/627190636
  conditions:
  - lastTransitionTime: "2022-07-11T14:32:17Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 11
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
kubectl edit ingressroute webspace1-tls:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"traefik.containo.us/v1alpha1","kind":"IngressRoute","metadata":{"annotations":{},"name":"w271a19-tls","namespace":"default"},"spec":{"entryPoints":["websecure"],"routes":[{"kind":"Rule","match":"Host(`test1.mydomain.com`)","middlewares":[{"name":"test-compress"}],"priority":10,"services":[{"name":"w271a19","port":80}]}],"tls":{"secretName":"test1.mydomain.com-tls"}}}
  creationTimestamp: "2022-10-05T20:01:38Z"
  generation: 7
  name: w271a19-tls
  namespace: default
  resourceVersion: "45151920"
  uid: 77e9b7ac-33e7-4810-9baf-579f00e2db6b
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`test1.mydomain.com`)
    middlewares:
    - name: test-compress
    priority: 10
    services:
    - name: w271a19
      port: 80
  tls:
    secretName: test1.mydomain.com-tls
kubectl edit ingress cm-acme-http-solver-rz9mm:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
  creationTimestamp: "2023-03-22T13:00:18Z"
  generateName: cm-acme-http-solver-
  generation: 1
  labels:
    acme.cert-manager.io/http-domain: "2306410973"
    acme.cert-manager.io/http-token: "1038683769"
    acme.cert-manager.io/http01-solver: "true"
  name: cm-acme-http-solver-rz9mm
  namespace: default
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Challenge
    name: test1.mydomain.com-glnrn-2096762198-4162956557
    uid: db8b5c78-8549-4f13-b43d-c6c7bba7468d
  resourceVersion: "52806119"
  uid: 6b27e02a-ee65-4809-b391-95c03f9ebb36
spec:
  ingressClassName: traefik
  rules:
  - host: test1.mydomain.com
    http:
      paths:
      - backend:
          service:
            name: cm-acme-http-solver-ll2zr
            port:
              number: 8089
        path: /.well-known/acme-challenge/9qtVY8FjfMIWd_wBNhP3PEPJZo4lFTw8WfWLMucRqAQ
        pathType: ImplementationSpecific
status:
  loadBalancer: {}
get_cert.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test1.mydomain.com
  namespace: default
spec:
  secretName: test1.mydomain.com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: test1.mydomain.com
  dnsNames:
  - test1.mydomain.com
In the web server log of the web pod I can see the requests for /.well-known... coming in.
小智 2
Shouldn't this annotation be added to the ingress?
cert-manager.io/cluster-issuer=letsencrypt-production
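The priority question in the post above, worked through as an added example (my code, not from the original post or from Traefik): a small model of how Traefik chooses among routers whose rules all match a request. It assumes Traefik's default router priority is the length of the rule string, that the solver Ingress is translated into a Host && PathPrefix rule, and that a router like the websecure IngressRoute also exists on the port-80 entrypoint where HTTP-01 requests arrive; the names and challenge path are taken from the question's resources.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumptions (not from the post): Traefik's default router priority is the
# length of its rule string, and an Ingress path with pathType
# ImplementationSpecific becomes a PathPrefix() clause.
@dataclass
class Router:
    name: str
    rule: str
    priority: Optional[int] = None  # None -> Traefik default (len(rule))

    def effective_priority(self) -> int:
        return self.priority if self.priority is not None else len(self.rule)

    def matches(self, host: str, path: str) -> bool:
        # Minimal matcher: Host(`x`) and PathPrefix(`y`) clauses joined by &&.
        for clause in self.rule.split("&&"):
            m = re.fullmatch(r"\s*(Host|PathPrefix)\(`([^`]*)`\)\s*", clause)
            if m is None:
                raise ValueError(f"unsupported clause: {clause!r}")
            kind, arg = m.groups()
            if kind == "Host" and host != arg:
                return False
            if kind == "PathPrefix" and not path.startswith(arg):
                return False
        return True

def pick_router(routers, host: str, path: str) -> Optional[str]:
    """Name of the highest-priority router matching the request, or None."""
    hits = [r for r in routers if r.matches(host, path)]
    return max(hits, key=Router.effective_priority).name if hits else None

# Constructed from the resources shown in the question.
CHALLENGE_PATH = ("/.well-known/acme-challenge/"
                  "9qtVY8FjfMIWd_wBNhP3PEPJZo4lFTw8WfWLMucRqAQ")
WEB_ROUTER = Router("w271a19", "Host(`test1.mydomain.com`)", priority=10)
SOLVER_ROUTER = Router("cm-acme-http-solver-ll2zr",
                       f"Host(`test1.mydomain.com`) && PathPrefix(`{CHALLENGE_PATH}`)")

def challenge_target(web_priority: Optional[int]) -> Optional[str]:
    """Which backend answers the ACME challenge for a given web-router priority."""
    web = Router(WEB_ROUTER.name, WEB_ROUTER.rule, web_priority)
    return pick_router([web, SOLVER_ROUTER], "test1.mydomain.com", CHALLENGE_PATH)

if __name__ == "__main__":
    print("web priority 10   ->", challenge_target(10))    # solver answers
    print("web priority 1000 ->", challenge_target(1000))  # web pod swallows it
```

Raising the web router's explicit priority above the length of the solver's rule reproduces the symptom in the question: the challenge request lands on the web pod and the ACME validation never sees the token.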