I followed this DigitalOcean guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes and I ran into something quite strange. When I put a wildcard in the hostnames, letsencrypt
fails to issue the new certificate. When I only set the explicitly defined subdomains, it works perfectly.
This is my "working" configuration for the domain and its api (and this one works perfectly):
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
    - hosts:
        - example.com
        - api.example.com
      secretName: my-tls
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: example-frontend
              servicePort: 80
    - host: api.example.com
      http:
        paths:
          - backend:
              serviceName: example-api
              servicePort: 80
```
Instead, this is the wildcard certificate I'm trying to issue, but this one never gets past the "Issuing" message:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
    - hosts:
        - example.com
        # quoted: an unquoted leading "*" is parsed as a YAML alias, not a string
        - "*.example.com"
      secretName: my-tls
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: example-frontend
              servicePort: 80
    - host: api.example.com
      http:
        paths:
          - backend:
              serviceName: example-api
              servicePort: 80
```
The only difference is the second line of the hosts. Is there some trivial, well-known solution I'm not aware of? I'm new to Kubernetes, but not to DevOps.
Best answer
Generating a wildcard certificate with cert-manager (from letsencrypt) requires the DNS-01 challenge rather than the HTTP-01 challenge used in the guide linked from the question:

Does Let's Encrypt issue wildcard certificates?
Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
There is documentation on generating wildcard certificates with cert-manager; from DigitalOcean's point of view, there is a guide dedicated to it:

This provider uses a Kubernetes Secret resource to work. In the following example, the Secret will have to be named digitalocean-dns and have a sub-key access-token with the token in it. For example:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
data:
  # insert your DO access token here
  access-token: "base64 encoded access-token here"
```

The access token must have write access.
To create a Personal Access Token, see DigitalOcean documentation.
Handy direct link: https://cloud.digitalocean.com/account/api/tokens/new
To encode your access token into base64, you can use the following:

```shell
echo -n 'your-access-token' | base64 -w 0
```

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    ...
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns
              key: access-token
```

-- Cert-manager.io: Docs: Configuration: ACME: DNS-01: Digitalocean
I think these additional resources could also help:
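As an added example (not part of the original answer or of the cert-manager documentation it quotes), here is the complete set of manifests the answer implies, wired together: the DigitalOcean token Secret, a ClusterIssuer whose only solver is DNS-01 via DigitalOcean, and the Ingress from the question pointed at that issuer. It assumes cert-manager 1.x is installed in the `cert-manager` namespace, ingress-nginx is installed with ingress class `nginx`, `example.com` is hosted on DigitalOcean DNS, and the cluster serves `networking.k8s.io/v1` Ingress (Kubernetes 1.19+). The names `letsencrypt-staging-dns`, `letsencrypt-staging-dns-account-key`, `admin@example.com` and the placeholder token are assumptions, not values from the page.

```yaml
# Added example, not from the original question, answer or cert-manager docs.
# Assumptions: cert-manager in the "cert-manager" namespace, ingress-nginx with
# class "nginx", example.com on DigitalOcean DNS, Kubernetes >= 1.19.
---
# 1. DigitalOcean API token. It must have write access to DNS, so treat it as a
#    high-value credential: restrict RBAC on this Secret, and keep it in the
#    cert-manager namespace because a ClusterIssuer resolves solver secrets there
#    (the "cluster resource namespace"), not in the Ingress's namespace.
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
type: Opaque
stringData:
  # stringData lets the API server base64-encode the value for you,
  # so the `base64 -w 0` step from the docs is not needed.
  access-token: "dop_v1_REPLACE_WITH_YOUR_TOKEN"   # placeholder, assumption
---
# 2. ClusterIssuer that answers ACME challenges with DNS-01 through DigitalOcean.
#    HTTP-01 cannot prove control of "*.example.com"; Let's Encrypt issues
#    wildcards only through DNS-01.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns
spec:
  acme:
    # Staging endpoint while testing (untrusted certs, generous rate limits).
    # Switch to https://acme-v02.api.letsencrypt.org/directory once it works.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-dns-account-key
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns
              key: access-token
        # Limit this solver (and therefore the token) to the zone it should touch.
        selector:
          dnsZones:
            - example.com
---
# 3. The Ingress from the question, now referencing the DNS-01 issuer.
#    The wildcard host is quoted: an unquoted leading "*" is a YAML alias.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging-dns"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
        - "*.example.com"
      secretName: my-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-frontend
                port:
                  number: 80
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-api
                port:
                  number: 80
```

After `kubectl apply -f` on the file, follow the issuance with `kubectl describe certificate my-tls` and `kubectl get challenges -A`: a DNS-01 challenge sits in "pending" until cert-manager sees the `_acme-challenge.example.com` TXT record propagate, which on DigitalOcean DNS can take a minute or two, and a challenge that never leaves "pending" almost always means the token lacks write access or the zone is not actually managed by DigitalOcean. The `selector.dnsZones` is optional but worth keeping: with a single solver it changes nothing functionally, but it documents which zone the cluster is allowed to edit with that token.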
Regarding nginx - Generating a wildcard certificate for my Nginx-Ingress on a Kubernetes cluster with DigitalOcean, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/66051624/