未应用带有证书管理器的入口TLS路由
[英]Ingress TLS routes with cert-manager not applied
问题描述
I have a K8s cluster (v1.12.8-gke.10) in GKE and have a nginx ingress with hosts rules. 
我在GKE中有一个K8s集群(v1.12.8-gke.10),并且具有主机规则的nginx入口。 I am trying to enable TLS using cert-manager for ingress routes. 我正在尝试使用cert-manager为入口路由启用TLS。 I am using a selfsign cluster issuer. 我正在使用自签名群集发行者。 But, when I access the site over HTTPS, I am still getting the default K8s certificate. 但是,当我通过HTTPS访问该站点时,仍会获得默认的K8s证书。 (The certificate is only valid for the following names: kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local) (该证书仅对以下名称有效:kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: test
name: test
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/rewrite-target: /
certmanager.k8s.io/cluster-issuer: selfsign
spec:
tls:
- secretName: test
hosts:
- test.example.com
rules:
- host: test.example.com
http:
paths:
- path: /
backend:
serviceName: test
servicePort: 80
I have checked the following and is working fine: 我检查了以下内容,并且工作正常:
- A cluster issuer named "selfsign" 一个名为“ selfsign”的集群发行者
- A valid self-signed certificate backed by a secret "test" 由秘密“测试”支持的有效的自签名证书
- A healthy and running nginx ingress deployment 健康且正在运行的Nginx入口部署
- A healthy and running ingress service of type load-balancer 类型负载均衡器的健康且正在运行的入口服务
2 个解决方案
解决方案1
0 2019-09-10 05:35:46
I think it's issue of clusterissuer 我认为这是clusterissuer的问题
Just have a look at my cluster issuer and check 看看我的集群发行者并检查
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: it-support@something.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: prod
# Enable the HTTP-01 challenge provider
http01: {}
Check for the right url to get production-grade certificates: 检查正确的URL以获取生产级证书:
server: https://acme-v02.api.letsencrypt.org/directory
If your server url is something like this : 如果您的服务器网址是这样的:
server: https://acme-staging-v02.api.letsencrypt.org/directory
which means you are applying for the staging certificate which may occur the error. 这表示您正在申请可能会发生错误的登台证书。
解决方案2
0 2019-09-12 08:55:43
I've followed the tutorial from Digital Ocean and was able to enable TLS using cert-manager for ingress routes using Helm, Tiller, Letsencrypt and Nginx Ingress controller in GKE. 我遵循了Digital Ocean的教程,并能够使用cert-manager为GKE中的Helm,Tiller,Letsencrypt和Nginx Ingress控制器使用入口路由启用TLS。
Instead of host test-example.com, I used my own domain name and spun up dummy backend services (echo1 and echo2) for testing purposes. 我使用自己的域名而不是主机test-example.com,并出于测试目的而启动了虚拟后端服务(echo1和echo2)。
After followed the tutorial and to verify that HTTPS is working correctly, try to curl the host: 在遵循了本教程并验证HTTPS是否正常工作之后,请尝试对主机进行卷曲:
$ curl test.example.com $ curl test.example.com
you should see a 308 http response (Permanent Redirect). 您应该会看到308 http响应(永久重定向)。 This indicates that HTTP requests are being redirected to use HTTPS. 这表明HTTP请求正在被重定向为使用HTTPS。
On the other hand, try running curl on: 另一方面,尝试运行curl:
$ curl https://test.example.com $ curl https://test.example.com
Should show you the site response. 应该向您显示站点响应。
You can run the previous commands with the verbose -v flag to check into the certificate handshake and to verify the certificate information. 您可以使用verbose -v标志运行前面的命令,以检入证书握手并验证证书信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.