Kubernetes nginx-ingress TLS问题
[英]Kubernetes nginx-ingress TLS issue
问题描述
My company has an existing CA certificate for fake.example.com and an A record that maps fake.example.com to the IP of our load balancer 
我的公司有一个现有的fake.example.com CA证书和一个将fake.example.com映射到我们的负载均衡器IP的A记录
The load balancer is forwarding traffic to our Kubernetes cluster. 负载均衡器将流量转发到我们的Kubernetes集群。
In the cluster, I've deployed the nginx-ingress helm chart, exposing NodePort for https at 30200 在集群中,我已经部署了nginx-ingress头盔图,在30200处为https公开了NodePort
I've created a k8s TLS secret named test-secret from the above certificate. 我从上面的证书中创建了一个名为test-secret的k8s TLS秘密。
I've deployed an app with service 'test' and have installed the following ingress: 我已经部署了一个服务'test'的应用程序,并安装了以下入口:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts:
- fake.example.com
secretName: test-secret
rules:
- host: fake.example.com
http:
paths:
- path: /myapp
backend:
serviceName: test
servicePort: 8080
So, if i execute 所以,如果我执行
curl https://{ip for k8s node}:30200/myapp/ping -H 'Host:fake.example.com' -k --verbose
I get the expected response from my app, but I also see 我从我的应用程序得到了预期的响应,但我也看到了
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Jan 25 20:52:16 2018 GMT
* expire date: Jan 25 20:52:16 2019 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
I've confirmed in the nginx.conf file that for server_name fake.exampe.com the ssl_certificate , ssl_certificate_key , and ssl_trusted_certificate are pointing the the correct location 我已在nginx.conf文件中确认,对于server_name fake.exampe.com , ssl_certificate , ssl_certificate_key和ssl_trusted_certificate指向正确的位置
So my question is, is it possible to configure nginx to use the correct certificate in this scenario? 所以我的问题是,在这种情况下,是否可以配置nginx以使用正确的证书?
2 个解决方案
解决方案1
0 2018-07-14 03:26:22
You have to create a secret named test-secret . 您必须创建一个名为test-secret 。
➜ charts git:(master) kubectl describe secret --namespace operation mydomain.cn-cert
Name: mydomain.cn-cert
Namespace: operation
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
tls.crt: 3968 bytes
tls.key: 1678 bytes
解决方案2
0 2018-10-06 17:28:34
The ingress controller will default to Kubernetes Ingress Controller Fake Certificate when no certificate is available (which you say is in test-secret ), the certificate is invalid, or if the controller can't find a matching host in .spec.tls[] , or you hit the default-backend without a default TLS cert configured. 当没有证书可用时(您说它是test-secret ),证书无效,或者如果控制器在.spec.tls[]找不到匹配的主机,入口控制器将默认为Kubernetes Ingress Controller Fake Certificate ,或者在没有配置默认TLS证书的情况下点击默认后端。
Since you are able to reach your service, then I suspect that either: 既然您能够获得服务,那么我怀疑:
- Your
test-secretis invalid, maybe because you are missing an intermediate, or CA certificate您的test-secret无效,可能是因为您缺少中间证书或CA证书 - Your
test-secretis in the wrong namespace您的test-secret位于错误的命名空间中 - The tls secret is not being matched, (maybe because of using
https://{ip for k8s node}:30200/myapp/ping -H 'Host:fake.example.com'or the-kflag?)tls秘密没有匹配,(可能是因为使用https://{ip for k8s node}:30200/myapp/ping -H 'Host:fake.example.com'或-k标志?)
It's unusual to expose your ingress controller as NodePort when you have a load balancer in front of it. 当您在其前面有负载平衡器时,将入口控制器暴露为NodePort是不常见的。 If this is a cloud deployment, then you would use type LoadBalancer . 如果这是云部署,那么您将使用类型LoadBalancer 。 If this is on premise, you might look at MetalLB 如果这是内部部署,您可以查看MetalLB
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.