堆栈内存溢出
  简体   繁体   English

Kubernetes:cert-manager 证书保持挂起状态

[英]Kubernetes: cert-manager certificate is keep in pending state

 原文  2020-02-03 08:01:12       ssl/ kubernetes/ kubernetes-helm/ lets-encrypt/ cert-manager

问题描述

I have installed cert-manager 0.12.0 for SSL certificate.我已经为 SSL 证书安装了 cert-manager 0.12.0。

My Issuer file is我的发行人文件是

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

My certificate file我的证书文件

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret
spec:
  secretName: tls-secret-prod
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Ingress configuration is入口配置是

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cms
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret-prod
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: apostrophe
          servicePort: 80
        path: /

But still, SSL certificated is not valid.但是,经过 SSL 认证的 SSL 仍然无效。 And Common name is “Kubernetes Ingress Controller Fake Certificate”.通用名称是“Kubernetes Ingress Controller Fake Certificate”。

The following result to show orders and challenges以下结果显示订单和挑战

kubectl get orders, challenges -o wide
NAME                                                  STATE     DOMAIN            REASON                                                                                                        AGE
challenge.certmanager.k8s.io/tls-secret-155743219-0   pending   mydomain.com   pods "cm-acme-http-solver-gk2zx" is forbidden: minimum cpu usage per Container is 100m, but request is 10m.   26m

I have updated the resources limit the range and reinstalled cert-manager with helm.我已经更新了资源限制范围并用 helm 重新安装了 cert-manager。 I am still getting this error.我仍然收到此错误。 I am not sure what goes wrong or show how to fix this.我不确定出了什么问题,也不知道如何解决这个问题。

Please let me know if you need anything.如果您需要什么,请告诉我。 Thanks in advance!提前致谢!

1 个解决方案

解决方案1
 1  2020-02-03 11:49:55

The problem lays in cpu limits defined for specific pod.问题在于为特定 pod 定义的 CPU 限制。 You have to change minimum CPU limit in deployment configuration file.您必须在部署配置文件中更改最低 CPU 限制。 As you can see pod ( cm-acme-http-solver ) is requesting 100m CPU usage while minimum CPU usage defined for specific pod is *10m**.如您所见,pod ( cm-acme-http-solver ) 请求100m CPU 使用率,而为特定 pod 定义的最低 CPU 使用率是 *10m**。 So change CPU limits in deployment configuration file from 100m to 10m or less or you can also increase CPU requests.因此,将部署配置文件中的 CPU 限制从100m更改为10m或更小,或者您也可以增加 CPU 请求。

Take a look here: cert-manager-kubernetes , pod-min-cpu-request .看看这里: cert-manager-kubernetespod-min-cpu-request

Useful article: resources-limits-kubernetes .有用的文章: resources-limits-kubernetes

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Kubernetes cert-manager 证书已创建但无法验证 - Kubernetes cert-manager certificate is created but can not get vertified 将 cert-manager 证书移动到另一个 Kubernetes 集群 - Move cert-manager certificate to another Kubernetes cluster Kubernetes 证书管理器 GoDaddy - Kubernetes cert-manager GoDaddy Kubernetes 证书管理器问题 - Kubernetes cert-manager issue 带有证书管理器的 Istio Kubernetes 入口:版本“certmanager.k8s.io/v1alpha1”中的种类“证书”不匹配 - Istio Kubernetes Ingress with Cert-Manager: no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1" 在 Kubernetes 和 nginx 入口上使用客户端证书身份验证时,如何修复 cert-manager 对 Let's Encrypt ACME 挑战的响应? - How to fix cert-manager responses to Let's Encrypt ACME challenges when using client certificate authentication on Kubernetes with nginx ingress? Cert-Manager 为 AKS 提供自己的 SSL 证书 - Cert-Manager provide own SSL Certificate for AKS Cert-Manager 证书创建停留在 Created new CertificateRequest 资源 - Cert-Manager Certificate creation stuck at Created new CertificateRequest resource 使用cert-manager istio ingress和LetsEncrypt在kubernetes中配置SSL证书 - Configure SSL certificates in kubernetes with cert-manager istio ingress and LetsEncrypt kubernetes - Nginx,证书管理器,安装的秘密文件更新问题 - kubernetes - Nginx, cert-manager, mounted secret file renewal issue
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM