Configure SSL certificates in kubernetes with cert-manager istio ingress and LetsEncrypt

I'm trying to configure SSL certificates in Kubernetes with cert-manager, Istio ingress and LetsEncrypt. I have installed Istio with helm, cert-manager, created a ClusterIssuer and then I'm trying to create a Certificate. The ACME challenge can't be validated; I'm trying to do it with http01 and can't figure out how to use Istio ingress for this. Istio is deployed with the following options:

helm install --name istio install/kubernetes/helm/istio `
  --namespace istio-system `
  --set global.controlPlaneSecurityEnabled=true `
  --set grafana.enabled=true `
  --set tracing.enabled=true `
  --set kiali.enabled=true `
  --set ingress.enabled=true

Certificate configuration:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example.com
  namespace: istio-system
spec:
  secretName: example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: 'example.com'
  dnsNames:
  - example.com
  acme:
    config:
    - http01:
        ingress: istio-ingress
      domains:
      - example.com

When trying this way, for some reason istio-ingress can't be found, but when trying to specify ingressClass: some-name instead of ingress: istio-ingress, I get a 404 because example.com/.well-known/acme-challenge/token can't be reached. How can this be solved? Thank you!

Istio ingress has been deprecated; you can use the Ingress Gateway with the DNS challenge.

Define a generic public ingress gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

Create an issuer using one of the DNS providers supported by cert-manager. Here is the config for GCP CloudDNS:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    dns01:
      providers:
      - name: cloud-dns
        clouddns:
          serviceAccountSecretRef:
            name: cert-manager-credentials
            key: gcp-dns-admin.json
          project: my-gcp-project

Create a wildcard cert with:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  secretName: istio-ingressgateway-certs  # must be camelCase; a lowercase 'secretname' is ignored by cert-manager
  issuerRef:
    name: letsencrypt-prod
  commonName: "*.example.com"
  acme:
    config:
    - dns01:
        provider: cloud-dns
      domains:
      - "*.example.com"
      - "example.com"

It takes a couple of minutes for cert-manager to issue the cert:

kubectl -n istio-system describe certificate istio-gateway

Events:
  Type    Reason         Age    From          Message
  ----    ------         ----   ----          -------
  Normal  CertIssued     1m52s  cert-manager  Certificate issued successfully

You can find a step-by-step guide on setting up Istio ingress on GKE with Let's Encrypt here: https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup

The solution was to move DNS to Azure and use DNS validation for generating the certificate. I also used istio-1.1.0-rc.3 and configured the gateway in the following way:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - hosts:
    - 'mydomain.com'
    port:
      name: http-bookinfo
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'mydomain.com'
    port:
      name: https-bookinfo
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: "use sds" # random string, because serverCertificate and
                                   # privateKey are required for tls.mode=SIMPLE
      privateKey: "use sds"
      credentialName: "istio-bookinfo-certs-staging" # this must match the secret name
                                                     # from the certificate
For this to work, enable SDS at the ingress gateway:

helm template install/kubernetes/helm/istio/ --name istio `
  --namespace istio-system -x charts/gateways/templates/deployment.yaml `
  --set gateways.istio-egressgateway.enabled=false `
  --set gateways.istio-ingressgateway.sds.enabled=true > `
  $HOME/istio-ingressgateway.yaml
kubectl apply -f $HOME/istio-ingressgateway.yaml
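Both answers hinge on the same two invariants: the secret the Gateway names (explicitly via `credentialName` with SDS, or implicitly as `istio-ingressgateway-certs` when the server certificate is mounted from `/etc/istio/ingressgateway-certs/`) must be the one the cert-manager Certificate writes, and it must live in the namespace of the ingress gateway deployment (`istio-system`), not necessarily the namespace of the Gateway resource; on top of that the certificate's names must cover every host the Gateway serves, with a wildcard matching exactly one label, which is why the first answer requests both `*.example.com` and `example.com`. The following is an added example, not code from the question or either answer: a small pre-apply linter that cross-checks Gateway and Certificate manifests for those invariants and also catches the `secretname` casing slip. It operates on the plain dicts that `yaml.safe_load_all()` yields, so it runs without PyYAML; the sample manifests at the bottom are constructed from the ones above, with the typo left in on purpose. The gateway namespace and the mount-path convention are assumptions stated in the code.

```python
"""Cross-check Istio Gateway TLS settings against cert-manager Certificates.

Added example, not code from the question or the answers. Input is a list of
manifest dicts (what yaml.safe_load_all() yields), e.g.
    check_gateway_tls(list(yaml.safe_load_all(open("manifests.yaml"))))
"""
from typing import Dict, List, Tuple

# Assumed Istio file-mount convention: the ingress gateway pod mounts the secret
# MOUNT_SECRET from its own namespace at MOUNT_DIR.
MOUNT_DIR = "/etc/istio/ingressgateway-certs/"
MOUNT_SECRET = "istio-ingressgateway-certs"


def _unquote(s: str) -> str:
    return s.strip("'\"").lower()


def cert_names(cert: dict) -> List[str]:
    """All DNS names a Certificate requests: commonName, dnsNames and, for the
    v1alpha1 API used above, the per-challenge acme.config[].domains lists."""
    spec = cert.get("spec", {})
    names = []
    if spec.get("commonName"):
        names.append(_unquote(spec["commonName"]))
    names += [_unquote(n) for n in spec.get("dnsNames", [])]
    for cfg in spec.get("acme", {}).get("config", []):
        names += [_unquote(n) for n in cfg.get("domains", [])]
    return sorted(set(names))


def host_covered(host: str, names: List[str]) -> bool:
    """True if host matches one of names. A wildcard covers exactly one DNS
    label (RFC 6125 s6.4.3): *.example.com matches a.example.com but neither
    example.com nor b.a.example.com."""
    host = _unquote(host)
    for name in names:
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def check_gateway_tls(manifests: List[dict], gateway_ns: str = "istio-system") -> List[str]:
    """Return findings (empty list means consistent). gateway_ns is the namespace
    the ingress gateway *deployment* runs in (assumed istio-system): Istio reads the
    TLS secret from there, mounted or via SDS, whatever namespace the Gateway is in."""
    findings: List[str] = []
    by_secret: Dict[Tuple[str, str], dict] = {}
    for c in (m for m in manifests if m.get("kind") == "Certificate"):
        spec, cname = c.get("spec", {}), c["metadata"]["name"]
        # cert-manager ignores unknown keys, so a lowercase 'secretname' means
        # the intended secret is never written at all.
        if "secretname" in spec and "secretName" not in spec:
            findings.append(f"Certificate {cname}: key 'secretname' must be 'secretName'")
            continue
        if spec.get("secretName"):
            by_secret[(c["metadata"].get("namespace", "default"), spec["secretName"])] = c
    for gw in (m for m in manifests if m.get("kind") == "Gateway"):
        gname = gw["metadata"]["name"]
        for srv in gw.get("spec", {}).get("servers", []):
            tls = srv.get("tls", {})
            if srv.get("port", {}).get("protocol") != "HTTPS" or "mode" not in tls:
                continue                           # plain HTTP / redirect-only server
            if tls.get("credentialName"):
                secret, how = tls["credentialName"], "SDS credentialName"
            elif tls.get("serverCertificate", "").startswith(MOUNT_DIR):
                secret, how = MOUNT_SECRET, "file mount under " + MOUNT_DIR
            else:
                findings.append(f"Gateway {gname}: HTTPS server has neither credentialName "
                                f"nor a certificate under {MOUNT_DIR}")
                continue
            cert = by_secret.get((gateway_ns, secret))
            if cert is None:
                findings.append(f"Gateway {gname}: no Certificate writes secret "
                                f"'{secret}' in namespace {gateway_ns} ({how})")
                continue
            names = cert_names(cert)
            for host in srv.get("hosts", []):
                if _unquote(host) == "*":
                    continue                       # any host: nothing to check statically
                if not host_covered(host, names):
                    findings.append(f"Gateway {gname}: host {host} not covered by "
                                    f"Certificate {cert['metadata']['name']} {names}")
    return findings


# Constructed sample mirroring the answers: the SDS gateway from the second
# answer with a matching Certificate, plus the first answer's mounted-cert
# gateway fed by a Certificate that still carries the 'secretname' typo.
SAMPLE = [
    {"kind": "Gateway", "metadata": {"name": "mygateway", "namespace": "default"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
         {"hosts": ["mydomain.com", "www.mydomain.com"],
          "port": {"name": "https-bookinfo", "number": 443, "protocol": "HTTPS"},
          "tls": {"mode": "SIMPLE", "serverCertificate": "use sds", "privateKey": "use sds",
                  "credentialName": "istio-bookinfo-certs-staging"}}]}},
    {"kind": "Certificate", "metadata": {"name": "bookinfo", "namespace": "istio-system"},
     "spec": {"secretName": "istio-bookinfo-certs-staging", "commonName": "mydomain.com",
              "dnsNames": ["mydomain.com", "*.mydomain.com"]}},
    {"kind": "Gateway", "metadata": {"name": "public-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
         {"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": ["*"],
          "tls": {"mode": "SIMPLE", "privateKey": MOUNT_DIR + "tls.key",
                  "serverCertificate": MOUNT_DIR + "tls.crt"}}]}},
    {"kind": "Certificate", "metadata": {"name": "istio-gateway", "namespace": "istio-system"},
     "spec": {"secretname": MOUNT_SECRET, "commonName": "*.example.com",
              "acme": {"config": [{"dns01": {"provider": "cloud-dns"},
                                   "domains": ["*.example.com", "example.com"]}]}}},
]

if __name__ == "__main__":
    for finding in check_gateway_tls(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the `secretname` typo on `istio-gateway`, and, as a consequence, that nothing writes `istio-ingressgateway-certs` in `istio-system` for `public-gateway`; fixing the key clears both. Hosts given as `*` are skipped because a catch-all server cannot be checked statically, so pin real hostnames on the Gateway if you want the name-coverage check to mean anything.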
