[英]ingress-nginx, cert-manager and ingressClassName
I recently upgraded ingress-nginx
to version 1.0.3.我最近将
ingress-nginx
升级到了 1.0.3 版。
As a result, I removed the kubernetes.io/ingress.class
annotation from my ingress, and put .spec.ingressClassName
instead.因此,我从 ingress 中删除了
kubernetes.io/ingress.class
注释,并使用.spec.ingressClassName
代替。
I am running cert-manager-v1.4.0
.我正在运行
cert-manager-v1.4.0
。
This morning I had an email saying that my Let's Encrypt certificate will expire in 10 days.今天早上我收到一封电子邮件,说我的 Let's Encrypt 证书将在 10 天后过期。 I tried to figure out what was wrong with it - not positive that it was entirely due to the ingress-nginx upgrade.
我试图找出它有什么问题 - 不肯定这完全是由于 ingress-nginx 升级。
I deleted the CertificateRequest
to see if it would fix itself.我删除了
CertificateRequest
以查看它是否会自行修复。 I got a new Ingress
with the challenge, but:我通过挑战获得了一个新的
Ingress
,但是:
The challenge ingress had the kubernetes.io/ingress.class
annotation set correctly, even though my ingress has .spec.ingressClassName
instead - don't know how or why, but it seems like it should be OK.挑战入口正确设置了
kubernetes.io/ingress.class
注释,即使我的入口使用.spec.ingressClassName
代替 - 不知道如何或为什么,但似乎应该没问题。
However, the challenge ingress wasn't picked up by the ingress controller, it said:但是,入口控制器没有接收到挑战入口,它说:
ingress class annotation is not equal to the expected by Ingress Controller
I guess it wants only the .spec.ingressClassName
even though I thought the annotation was supposed to work as well.我想它只需要
.spec.ingressClassName
即使我认为注释也应该起作用。
So I manually set .spec.ingressClassName
on the challenge ingress.所以我在挑战入口上手动设置
.spec.ingressClassName
。 It was immediately seen by the ingress controller, and the rest of the process ran smoothly, and I got a new cert - yay.入口控制器立即看到了它,其余的过程运行顺利,我得到了一个新证书 - 是的。
It seems to me like this will happen again, so I need to know how to either:在我看来,这种情况会再次发生,所以我需要知道如何:
Convince cert-manager
to create the challenge ingress with .spec.ingressClassName
instead of kubernetes.io/ingress.class
.说服
cert-manager
使用.spec.ingressClassName
而不是kubernetes.io/ingress.class
创建挑战入口。 Maybe this is fixed in 1.5 or 1.6?也许这是在 1.5 或 1.6 中修复的?
Convince ingress-nginx
to respect the kubernetes.io/ingress.class
annotation for the challenge ingress.说服
ingress-nginx
尊重挑战入口的kubernetes.io/ingress.class
注释。 I don't know why this doesn't work.我不知道为什么这不起作用。
The issue was fixed by certificate renewal, it works fine without manually set spec.ingressClassName
in challenge ingress (I saw it with older version), issue was somewhere else.该问题已通过证书续订解决,无需在挑战入口中手动设置
spec.ingressClassName
即可正常工作(我在旧版本中看到过),问题出在其他地方。
Also with last available (at the writing moment) cert-manager v1.5.4
challenge ingress has the right setup "out of the box":同样在最后可用的(在编写时)
cert-manager v1.5.4
挑战入口具有“开箱即用”的正确设置:
spec:
ingressClassName: nginx
---
$ kubectl get ing
NAME CLASS HOSTS ADDRESS PORTS AGE
cm-acme-http-solver-szxfg nginx dummy-host ip_address 80 11s
I'll describe main steps how this process works so troubleshooting will be straight-forward in almost all cases.我将描述此过程如何工作的主要步骤,以便在几乎所有情况下都可以直接进行故障排除。 I'll take a
letsencypt staging
as an issuer
.我将作为
issuer
进行letsencypt staging
。
There's a chain when certificate
is requested to be created which issuer
follows to complete (all resources have owners - previous resource in chain):当请求创建
certificate
时有一个链, issuer
遵循该链来完成(所有资源都有所有者 - 链中的先前资源):
main ingress resource
-> certificate
-> certificaterequest
-> order
-> challenge
-> challenge ingress
. main ingress resource
-> certificate
-> certificaterequest
-> order
-> challenge
-> challenge ingress
。
Knowing this, if something failed, you can go down by the chain and using kubectl describe
command find where the issue appeared.知道了这一点,如果出现问题,您可以通过链向下并使用
kubectl describe
命令查找问题出现的位置。
I intentionally added a wrong domain in ingress to .spec.tls.hosts
and applied it.我故意在入口
.spec.tls.hosts
错误的域添加到.spec.tls.hosts
并应用它。 Below how the chain will look like (all names will be unique!):下面是链的样子(所有名称都是唯一的!):
See certificates:见证书:
$ kubectl get cert
NAME READY SECRET AGE
lets-secret-test-2 False lets-secret-test-2 15m
Describe certificate
we are interested in (you can notice I changed domain, there was already secret):描述我们感兴趣的
certificate
(你可以注意到我改变了域,已经有秘密了):
$ kubectl describe cert lets-secret-test-2
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 16m cert-manager Existing issued Secret is not up to date for spec: [spec.commonName spec.dnsNames]
Normal Reused 16m cert-manager Reusing private key stored in existing Secret resource "lets-secret-test-2"
Normal Requested 16m cert-manager Created new CertificateRequest resource "lets-secret-test-2-pvb25"
Nothing suspicious here, moving forward.这里没什么可疑的,继续前进。
$ kubectl get certificaterequest
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
lets-secret-test-2-pvb25 True False letsencrypt-staging system:serviceaccount:cert-manager:cert-manager 19m
Describing certificaterequest
:描述
certificaterequest
请求:
$ kubectl describe certificaterequest lets-secret-test-2-pvb25
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 19m cert-manager Certificate request has been approved by cert-manager.io
Normal OrderCreated 19m cert-manager Created Order resource default/lets-secret-test-2-pvb25-2336849393
Again, everything looks fine, no errors, moving forward to order
:同样,一切看起来都很好,没有错误,继续
order
:
$ kubectl get order
NAME STATE AGE
lets-secret-test-2-pvb25-2336849393 pending 21m
It says pending
, that's closer:它说
pending
,那更接近:
$ kubectl describe order lets-secret-test-2-pvb25-2336849393
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 21m cert-manager Created Challenge resource "lets-secret-test-2-pvb25-2336849393-3788447910" for domain "dummy-domain"
Challenge
may shed some light, moving forward: Challenge
可能会有所启发,继续前进:
$ kubectl get challenge
NAME STATE DOMAIN AGE
lets-secret-test-2-pvb25-2336849393-3788447910 pending dummy-domain 23m
Describing it:描述它:
$ kubectl describe challenge lets-secret-test-2-pvb25-2336849393-3788447910
Checking status
:检查
status
:
Status:
Presented: true
Processing: true
Reason: Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://dummy-domain/.well-known/acme-challenge/xxxxyyyyzzzzz': Get "http://dummy-domain/.well-known/acme-challenge/xxxxyyyyzzzzz": dial tcp: lookup dummy-domain on xx.yy.zz.ww:53: no such host
State: pending
Now it's clear that something is wrong with domain
, worth checking it:现在很明显
domain
,值得检查一下:
Found and fixed the mistake
:发现并修复了
mistake
:
$ kubectl apply -f ingress.yaml
ingress.networking.k8s.io/ingress configured
Secret is ready
!秘密
ready
!
$ kubectl get cert
NAME READY SECRET AGE
lets-secret-test-2 True lets-secret-test-2 26m
It's possible to renew a certificate by deleting corresponding secret, however documentation says it's not recommended :可以通过删除相应的机密来更新证书,但是文档说不推荐这样做:
Deleting the Secret resource associated with a Certificate resource is not a recommended solution for manually rotating the private key.
删除与证书资源关联的 Secret 资源不是手动轮换私钥的推荐解决方案。 The recommended way to manually rotate the private key is to trigger the reissuance of the Certificate resource with the following command (requires the kubectl cert-manager plugin):
手动轮换私钥的推荐方式是使用以下命令触发证书资源的重新发布(需要 kubectl cert-manager 插件):
kubectl cert-manager renew cert-1
Kubectl cert-manager
command installation process is describedhere as well as other commands and examples. Kubectl cert-manager
命令安装过程在这里描述以及其他命令和示例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.