这就是我所拥有的以及我所做的......几乎遵循latest documentation以及我遇到的一些教程:
cert-manager命名空间: kubectl create namespace cert-manager
cert-manager : kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.0/cert-manager.yaml
kubectl get pods --namespace cert-manager
issuer.yaml : apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: 'my@email.com'
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
certificate.yaml : apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: examplewebsite-com-tls
spec:
secretName: examplewebsite-com
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
commonName: examplewebsite.com
dnsNames:
- test.examplewebsite.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- test.examplewebsite.com
ingress.yaml反射(reflect)这一点:apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/add-base-url: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
cert-manager.io/cluster-issuer: "letsencrypt-staging"
nginx.ingress.kubernetes.io/ssl-redirect: 'false'
name: ingress-service
namespace: default
spec:
tls:
- hosts:
- test.examplewebsite.com"
secretName: examplewebsite-com
rules:
- host: test.examplewebsite.com
http:
paths:
- path: /?(.*)
backend:
serviceName: client-cluster-ip-service
servicePort: 3000
- path: /api/?(.*)
backend:
serviceName: api-cluster-ip-service
servicePort: 5000
应用所有这些并遇到以下问题。
$ kubectl describe certificate examplewebsite-com-tls
Status:
Conditions:
Last Transition Time: 2020-01-28T23:52:45Z
Message: Waiting for CertificateRequest "examplewebsite-com-tls-2527238951" to complete
Reason: InProgress
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Requested 117s cert-manager Created new CertificateRequest resource "examplewebsite-com-tls-2527238951"
它只是无限期地坐在那里。
$ kubectl describe secret examplewebsite-com`
Type: kubernetes.io/tls
Data
====
ca.crt: 0 bytes
tls.crt: 0 bytes
tls.key: 1675 bytes
DNS 设置正确,因为我可以导航到网站并查看应用程序
HTTPS://只是行不通。我在这里做错了什么?
最佳答案
certification.yaml根本没有必要。
真的,只有在遵循安装说明后才需要这个:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: cert-manager
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <email>
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/add-base-url: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
name: ingress
namespace: default
spec:
tls:
- hosts:
- test.domain.com
secretName: test-domain-com
rules:
- host: test.domain.com
http:
paths:
- path: /?(.*)
backend:
serviceName: client-cluster-ip-service
servicePort: 3000
- path: /api/?(.*)
backend:
serviceName: api-cluster-ip-service
servicePort: 5000
写得很好,当前(截至 2020 年 1 月 30 日)教程在这里:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
关于ssl - 无法在 cert-manager 中获取 TLS 证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59958837/