[英]Is the annotation cert-manager.io/cluster-issuer: acme-issuer enough to generate a TLS certificate?
From the cert-manager
doc: adding the annotation cert-manager.io/cluster-issuer: acme-issuer
to an Ingress
object should trigger the shim, request a certificate to this issuer, and store the certificate (without any namespace?) (with which name?).来自cert-manager
文档:将注释cert-manager.io/cluster-issuer: acme-issuer
添加到Ingress
object 应该触发 shim,向该颁发者请求证书,并存储证书(没有任何命名空间?)(用什么名字?)。
I tried this and it does nothing.我试过了,但它什么也没做。 Adding a tls:
section to the yaml definition of the Ingress
does trigger the shim, request a certificate and store it in the same namespace as the Ingress
.在Ingress
的 yaml 定义中添加一个tls:
部分会触发 shim,请求证书并将其存储在与Ingress
相同的命名空间中。
This means the doc is incorrect, or should it really work without a tls:
section?这意味着文档不正确,或者它真的应该在没有tls:
部分的情况下工作吗?
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: acme-issuer
spec:
acme:
email: user@example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- http01:
ingress:
class: nginx
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: acme-issuer
kubernetes.io/ingress.class: nginx
name: my-ingress-name
namespace: mynamespace
spec:
rules:
- host: some.domain.eu
http:
paths:
- backend:
serviceName: my-service-name
servicePort: 5000
path: /
tls:
- hosts:
- some.domain.eu
secretName: secret-storage-key-for-tls-cert
If you created the issuer correctly, then you need to create a Certificate, so the issuer can issue the certificate using the information you have in the Certificate resource, and populate the secret:如果您正确创建了颁发者,那么您需要创建一个证书,以便颁发者可以使用您在证书资源中拥有的信息颁发证书,并填充密钥:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: certname
spec:
secretName: secretName
issuerRef:
name: letsencrypt-prod
commonName: <the CN>
dnsNames:
- <name>
Once you have this resource, it should create a secret containing the TLS certificates, and store it in secretName
.拥有此资源后,它应该创建一个包含 TLS 证书的机密,并将其存储在secretName
。
I'm using like you, and that create my TLS ok.我像你一样使用,这可以创建我的 TLS。 But the name of privateKeySecretRef
is igual ClusterIssuer
name.但是privateKeySecretRef
的名称是igual ClusterIssuer
名称。 The tls section is needed on ingress
. ingress
上需要 tls 部分。
Using:使用:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: my@email.com
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
Chek the certificate status to debug:检查证书状态以进行调试:
kubectl get certificate -o wide
If the status CertificateRequest
如果状态CertificateRequest
kubectl get CertificateRequest -o wide
i do not know if you resolved your issue but try to check the following:我不知道您是否解决了问题,但请尝试检查以下内容:
nginx
( kubectl get ingressClass
)检查你的 ingressClass 是否确实是nginx
( kubectl get ingressClass
)certificate
, CertificateRequest
, Order
and Challenge
( eg: kubectl describe certificate <your_certificate_object>
)创建入口后,检查是否为 HTTP01 质询验证创建了 acme-pod 和入口,并检查certificate
、 CertificateRequest
、 Order
和Challenge
的状态(例如: kubectl describe certificate <your_certificate_object>
)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.