I am trying to deploy ingress routing in Kubernetes following these guides:
- https://cert-manager.io/docs/tutorials/acme/ingress/
- https://learn.microsoft.com/en-us/azure/aks/ingress-static-ip
I have deployed the ClusterIssuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <Myemail>
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
          podTemplate:
            spec:
              nodeSelector:
                "kubernetes.io/os": linux
Then I deployed the Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: airflow-ingress
  namespace: airflow6
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencryp
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - <MYhost>
    secretName: tls-secret1
  rules:
  - host: <MYhost>
    http:
      paths:
      - path: /
        backend:
          serviceName: airflow-web
          servicePort: 8080
Then, if I try to get the certificate:
kubectl describe certificate tls-secret1 --namespace airflow6
Error from server (NotFound): certificates.cert-manager.io "tls-secret1" not found
I tried deploying my own Certificate:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret1
  namespace: airflow6
spec:
  secretName: tls-secret1
  dnsNames:
  - <MYhost>
  issuerRef:
    name: letsencrypt
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    group: cert-manager.io
Then I ran the same command:
kubectl describe certificate tls-secret1 --namespace airflow6
Name: tls-secret1
Namespace: airflow6
Labels: <none>
Annotations: API Version: cert-manager.io/v1beta1
Kind: Certificate
Metadata:
  Creation Timestamp: 2020-10-12T10:50:25Z
  Generation: 1
  Resource Version: 9408916
  Self Link: /apis/cert-manager.io/v1beta1/namespaces/airflow6/certificates/quickstart-example-tls
  UID: 5c4f06e2-bb61-4eed-8999-58540d4055ce
Spec:
  Dns Names:
    <Myhost>
  Issuer Ref:
    Group: cert-manager.io
    Kind: ClusterIssuer
    Name: letsencrypt
  Secret Name: tls-secret1
Status:
  Conditions:
    Last Transition Time: 2020-10-12T10:50:25Z
    Message: Issuing certificate as Secret does not exist
    Reason: DoesNotExist
    Status: True
    Type: Issuing
    Last Transition Time: 2020-10-12T10:50:25Z
    Message: Issuing certificate as Secret does not exist
    Reason: DoesNotExist
    Status: False
    Type: Ready
  Next Private Key Secret Name: tls-secret1
Events:
  Type    Reason     Age                     From          Message
  ----    ------     ----                    ----          -------
  Normal  Issuing    3m8s                    cert-manager  Issuing certificate as Secret does not exist
  Normal  Requested  3m8s                    cert-manager  Created new CertificateRequest resource "quickstart-example-tls-hl7vk"
  Normal  Requested  <invalid>               cert-manager  Created new CertificateRequest resource "quickstart-example-tls-vqmbh"
  Normal  Generated  <invalid> (x3 over 3m8s)  cert-manager  Stored new private key in temporary Secret resource "quickstart-example-tls-fgvn6"
  Normal  Requested  <invalid>               cert-manager  Created new CertificateRequest resource "quickstart-example-tls-5gg9l"
I don't know whether I need to create a secret like this:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
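But I really don't know what I have to put in tls.crt and tls.key.
In all the guides I have read, I saw that a certificate is created automatically when the ingress routing is deployed, but it is not working for me. What am I getting wrong?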
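Best answer
No, you are not supposed to create the TLS secret yourself. When you put the secret name in the tls section of the ingress rule, the secret is created by the issuer itself, during DNS verification, in the namespace in which the ingress rule was created.
To cross-check the configuration you have created, or to create a new one, you can refer to this
You can then follow this Stack Overflow post, which might help you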
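
One way to do the cross-check the answer mentions, as an added example that is not part of the original answer or of cert-manager: a Python check comparing an Ingress's annotations with the ClusterIssuers present. It assumes a cert-manager release that acts on the `cert-manager.io/` annotations (or `kubernetes.io/tls-acme`) and no longer reads the pre-v0.11 `certmanager.k8s.io/` prefix; `check_ingress`, `sample_ingress` and the host `airflow.example.test` are hypothetical names constructed for illustration.

```python
# Added example: inputs mirror `kubectl get ... -o json` items; samples are constructed.
TRIGGER_KEYS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer",
                "kubernetes.io/tls-acme")   # annotations ingress-shim acts on
LEGACY_PREFIX = "certmanager.k8s.io/"       # pre-v0.11 API group, no longer read


def check_ingress(ingress, cluster_issuers):
    """Return findings that explain why no Certificate is created for an Ingress."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    known = sorted(ci["metadata"]["name"] for ci in cluster_issuers)

    for key in ann:
        if key.startswith(LEGACY_PREFIX):
            findings.append(f"legacy annotation '{key}' is ignored, use the cert-manager.io/ prefix")
    if not any(k in ann for k in TRIGGER_KEYS):
        findings.append("no issuer annotation: ingress-shim will not create a Certificate")
    ref = ann.get("cert-manager.io/cluster-issuer")
    if ref is not None and ref not in known:
        findings.append(f"ClusterIssuer '{ref}' not found (known: {known})")

    tls = ingress.get("spec", {}).get("tls") or []
    if not tls:
        findings.append("spec.tls is empty: no certificate is requested")
    for entry in tls:
        if not entry.get("secretName"):
            findings.append("tls entry without secretName: nowhere to store the certificate")
    return findings


def sample_ingress(annotations):
    """Constructed Ingress shaped like the one in the question (hypothetical host)."""
    return {"metadata": {"name": "airflow-ingress", "namespace": "airflow6",
                         "annotations": annotations},
            "spec": {"tls": [{"hosts": ["airflow.example.test"], "secretName": "tls-secret1"}],
                     "rules": [{"host": "airflow.example.test"}]}}


ISSUERS = [{"metadata": {"name": "letsencrypt"}}]
AS_POSTED = sample_ingress({"kubernetes.io/ingress.class": "nginx",
                            "certmanager.k8s.io/cluster-issuer": "letsencryp"})
CORRECTED = sample_ingress({"kubernetes.io/ingress.class": "nginx",
                            "cert-manager.io/cluster-issuer": "letsencrypt"})

if __name__ == "__main__":
    for label, ing in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", check_ingress(ing, ISSUERS) or "ok")
```

Against a live cluster, the same function can be fed the items from `kubectl get ingress -A -o json` and `kubectl get clusterissuer -o json`.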
Regarding "kubernetes - Ingress and cert-manager not creating certificate", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64316847/