[英]Kubernetes/Ingress Nginx/Cert Manager certificates have namespaces?
I am trying to deploy the "cert-manager" ( https://github.com/jetstack/cert-manager ) project which is the successor to "kube-lego". 我正在尝试部署“ cert-manager”( https://github.com/jetstack/cert-manager )项目,该项目是“ kube-lego”的后继者。 I'm finding that the certificates don't match what is being created, and I'm wondering if anybody else has tried this before. 我发现证书与所创建的证书不匹配,并且我想知道是否还有其他人尝试过此操作。
I am creating a tls secretName with "monitoring-xxx-com", and in the ingress-nginx logs I find that it's trying to search for namespace/monitoring-xxx-com and not finding what it expects. 我正在使用“ monitoring-xxx-com”创建一个tls secretName,并且在ingress-nginx日志中发现它正在尝试搜索名称空间/ monitoring-xxx-com,但未找到期望的内容。
I am wondering whether this is because ingress-nginx is trying to use the pods namespace automatically and cert-manager is creating certs without a namespace, therefore that's why the cert can never be found. 我想知道这是否是因为ingress-nginx尝试自动使用pods命名空间,而cert-manager正在创建没有命名空间的证书,因此这就是为什么找不到证书的原因。
error obtaining PEM from secret kube-system/monitoring-xxx-com: error
retrieving secret kube-system/monitoring-xxx-com: secret kube-
system/monitoring-xxx-com was not found
and in the certificate created by "cert-manager": 并在“ cert-manager”创建的证书中:
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-staging
Secret Name: monitoring-xxx-com
The secret and the nginx ingress controller are in a different namespace, there is an option where you can set the certificate from another namespace. secret和nginx入口控制器位于不同的名称空间中,这里有一个选项,您可以从另一个名称空间设置证书。
https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/cli-arguments.md https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/cli-arguments.md
--default-ssl-certificate string Name of the secret
that contains a SSL certificate to be used as default for a HTTPS catch-all server.
Takes the form <namespace>/<secret name>.
To find the namespace of your secret: 要找到您的秘密的名称空间:
kubectl describe secrets/monitoring-xxx-com
Using the default-ssl-certificate in the deployment template 在部署模板中使用default-ssl-certificate
spec:
template:
spec:
containers:
- args:
- /nginx-ingress-controller
- "--default-backend-service=$(POD_NAMESPACE)/default-http-backend"
- "--default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.