ingress-nginx, cert-manager and ingressClassName

I recently upgraded ingress-nginx to version 1.0.3.

As a result, I removed the kubernetes.io/ingress.class annotation from my ingress, and put .spec.ingressClassName instead.

I am running cert-manager-v1.4.0.

This morning I had an email saying that my Let's Encrypt certificate will expire in 10 days. I tried to figure out what was wrong with it - not positive that it was entirely due to the ingress-nginx upgrade.

I deleted the CertificateRequest to see if it would fix itself. I got a new Ingress with the challenge, but:

  1. The challenge ingress had the kubernetes.io/ingress.class annotation set correctly, even though my ingress has .spec.ingressClassName instead - don't know how or why, but it seems like it should be OK.

  2. However, the challenge ingress wasn't picked up by the ingress controller, it said:

ingress class annotation is not equal to the expected by Ingress Controller

I guess it wants only the .spec.ingressClassName even though I thought the annotation was supposed to work as well.

So I manually set .spec.ingressClassName on the challenge ingress. It was immediately seen by the ingress controller, the rest of the process ran smoothly, and I got a new cert - yay.

It seems to me like this will happen again, so I need to know how to either:

  1. Convince cert-manager to create the challenge ingress with .spec.ingressClassName instead of kubernetes.io/ingress.class. Maybe this is fixed in 1.5 or 1.6?

  2. Convince ingress-nginx to respect the kubernetes.io/ingress.class annotation for the challenge ingress. I don't know why this doesn't work.

Issue

The issue was fixed by certificate renewal; it works fine without manually setting spec.ingressClassName in the challenge ingress (I saw it with an older version), so the issue was somewhere else.

Also, with the last available (at the time of writing) cert-manager v1.5.4, the challenge ingress has the right setup "out of the box":

spec:
  ingressClassName: nginx
---
$ kubectl get ing
NAME                        CLASS    HOSTS            ADDRESS         PORTS     AGE
cm-acme-http-solver-szxfg   nginx    dummy-host       ip_address      80        11s

How it works (concept)

I'll describe the main steps of how this process works, so troubleshooting will be straightforward in almost all cases. I'll take letsencrypt staging as an issuer.

There's a chain which the issuer follows to completion when a certificate is requested to be created (all resources have owners - the previous resource in the chain):

main ingress resource -> certificate -> certificaterequest -> order -> challenge -> challenge ingress

Knowing this, if something failed, you can go down the chain and, using the kubectl describe command, find where the issue appeared.

Troubleshooting example

I intentionally added a wrong domain to .spec.tls.hosts in the ingress and applied it. Below is how the chain will look (all names will be unique!):

See certificates:

$ kubectl get cert
NAME                     READY   SECRET                          AGE
lets-secret-test-2       False   lets-secret-test-2              15m

Describe the certificate we are interested in (you can notice I changed the domain; there was already a secret):

$ kubectl describe cert lets-secret-test-2
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    16m   cert-manager  Existing issued Secret is not up to date for spec: [spec.commonName spec.dnsNames]
  Normal  Reused     16m   cert-manager  Reusing private key stored in existing Secret resource "lets-secret-test-2"
  Normal  Requested  16m   cert-manager  Created new CertificateRequest resource "lets-secret-test-2-pvb25"

Nothing suspicious here, moving forward.

$ kubectl get certificaterequest
NAME                           APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
lets-secret-test-2-pvb25       True                False   letsencrypt-staging   system:serviceaccount:cert-manager:cert-manager   19m

Describing the certificaterequest:

$ kubectl describe certificaterequest lets-secret-test-2-pvb25
Events:
  Type    Reason           Age   From          Message
  ----    ------           ----  ----          -------
  Normal  cert-manager.io  19m   cert-manager  Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     19m   cert-manager  Created Order resource default/lets-secret-test-2-pvb25-2336849393

Again, everything looks fine, no errors, moving forward to the order:

$ kubectl get order
NAME                                  STATE     AGE
lets-secret-test-2-pvb25-2336849393   pending   21m

It says pending, that's closer:

$ kubectl describe order lets-secret-test-2-pvb25-2336849393

Events:
  Type    Reason   Age   From          Message
  ----    ------   ----  ----          -------
  Normal  Created  21m   cert-manager  Created Challenge resource "lets-secret-test-2-pvb25-2336849393-3788447910" for domain "dummy-domain"

The Challenge may shed some light, moving forward:

$ kubectl get challenge
NAME                                             STATE     DOMAIN           AGE
lets-secret-test-2-pvb25-2336849393-3788447910   pending   dummy-domain   23m

Describing it:

$ kubectl describe challenge lets-secret-test-2-pvb25-2336849393-3788447910

Checking status:

Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://dummy-domain/.well-known/acme-challenge/xxxxyyyyzzzzz': Get "http://dummy-domain/.well-known/acme-challenge/xxxxyyyyzzzzz": dial tcp: lookup dummy-domain on xx.yy.zz.ww:53: no such host
  State:       pending

Now it's clear that something is wrong with the domain, worth checking it:

Found and fixed the mistake:

$ kubectl apply -f ingress.yaml
ingress.networking.k8s.io/ingress configured

Secret is ready!

$ kubectl get cert
NAME                     READY   SECRET                          AGE
lets-secret-test-2       True    lets-secret-test-2              26m

Correct way to renew a certificate using cert-manager

It's possible to renew a certificate by deleting the corresponding secret; however, the documentation says it's not recommended:

Deleting the Secret resource associated with a Certificate resource is not a recommended solution for manually rotating the private key. The recommended way to manually rotate the private key is to trigger the reissuance of the Certificate resource with the following command (requires the kubectl cert-manager plugin):

kubectl cert-manager renew cert-1

The kubectl cert-manager command installation process is described here, as well as other commands and examples.
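Added example, not from the original post and not cert-manager's own tooling: a small Python script that walks the chain the answer describes (certificate -> certificaterequest -> order -> challenge -> challenge ingress) by following ownerReferences, the way one does by hand with kubectl describe, and reports each resource's state so the deepest stuck resource is visible at once. By default it shells out to `kubectl get <kind> -n <namespace> -o json` (so it needs read access to the cert-manager.io resources and ingresses in that namespace); the injectable `get` parameter, the `SAMPLE` objects (constructed to mirror the troubleshooting output above, with fields abridged) and all helper names are assumptions of this example.

```python
import json
import subprocess
import sys

# Parent kind -> child kind, in chain order (assumption: cert-manager sets an
# ownerReference on each child pointing at its parent, as the answer states).
CHAIN = [
    ("certificate", "certificaterequest"),
    ("certificaterequest", "order"),
    ("order", "challenge"),
    ("challenge", "ingress"),
]


def kubectl_get(kind, namespace):
    """Default fetcher: the items of `kubectl get <kind> -n <namespace> -o json`."""
    out = subprocess.run(
        ["kubectl", "get", kind, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["items"]


def children_of(items, parent_uid):
    """Objects whose ownerReferences include the parent's uid."""
    return [
        obj for obj in items
        if any(ref.get("uid") == parent_uid
               for ref in obj["metadata"].get("ownerReferences", []))
    ]


def summarize(obj):
    """(state, detail) roughly as `kubectl describe` reports it for each kind."""
    status = obj.get("status", {})
    if "state" in status:  # Order and Challenge expose status.state / status.reason
        return status["state"], status.get("reason", "")
    if obj.get("kind") == "Ingress":  # solver ingress: which class selection is set?
        spec_class = obj.get("spec", {}).get("ingressClassName")
        ann_class = obj["metadata"].get("annotations", {}).get("kubernetes.io/ingress.class")
        state = "class-set" if (spec_class or ann_class) else "no-class"
        return state, f"spec.ingressClassName={spec_class} annotation={ann_class}"
    for cond in status.get("conditions", []):  # Certificate / CertificateRequest
        if cond.get("type") == "Ready":
            return ("ready" if cond.get("status") == "True" else "not-ready"), cond.get("message", "")
    return "unknown", ""


def walk_chain(cert_name, namespace="default", get=kubectl_get):
    """Return [(kind, name, state, detail), ...] from the Certificate down to the
    deepest existing child; the last entry is where troubleshooting should start."""
    certs = [c for c in get("certificate", namespace) if c["metadata"]["name"] == cert_name]
    if not certs:
        raise LookupError(f"certificate {namespace}/{cert_name} not found")
    current = certs[0]
    report = [("certificate", cert_name, *summarize(current))]
    for _parent_kind, child_kind in CHAIN:
        kids = children_of(get(child_kind, namespace), current["metadata"]["uid"])
        if not kids:
            break  # the chain stops here: this parent never produced a child
        # cert-manager can keep older CertificateRequests around; follow the newest
        current = max(kids, key=lambda k: k["metadata"].get("creationTimestamp", ""))
        report.append((child_kind, current["metadata"]["name"], *summarize(current)))
    return report


# Constructed sample mirroring the troubleshooting output in the answer (abridged).
SAMPLE = {
    "certificate": [{"kind": "Certificate", "metadata": {"name": "lets-secret-test-2", "uid": "c1"},
                     "status": {"conditions": [{"type": "Ready", "status": "False",
                                                "message": "Issuing certificate as Secret is not up to date"}]}}],
    "certificaterequest": [{"kind": "CertificateRequest",
                            "metadata": {"name": "lets-secret-test-2-pvb25", "uid": "r1",
                                         "ownerReferences": [{"uid": "c1"}]},
                            "status": {"conditions": [{"type": "Ready", "status": "False",
                                                       "message": "Waiting on certificate issuance from order"}]}}],
    "order": [{"kind": "Order", "metadata": {"name": "lets-secret-test-2-pvb25-2336849393", "uid": "o1",
                                             "ownerReferences": [{"uid": "r1"}]},
               "status": {"state": "pending"}}],
    "challenge": [{"kind": "Challenge",
                   "metadata": {"name": "lets-secret-test-2-pvb25-2336849393-3788447910", "uid": "h1",
                                "ownerReferences": [{"uid": "o1"}]},
                   "status": {"state": "pending",
                              "reason": "Waiting for HTTP-01 challenge propagation: lookup dummy-domain: no such host"}}],
    "ingress": [{"kind": "Ingress", "metadata": {"name": "cm-acme-http-solver-szxfg", "uid": "i1",
                                                 "ownerReferences": [{"uid": "h1"}]},
                 "spec": {"ingressClassName": "nginx"}}],
}


def sample_get(kind, namespace):
    """Offline fetcher over the constructed sample, to try the walker without a cluster."""
    return SAMPLE.get(kind, [])


if __name__ == "__main__":
    # Usage: python3 cm_chain.py <certificate> [namespace]; with no args, runs on the sample.
    if len(sys.argv) > 1:
        rows = walk_chain(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "default")
    else:
        rows = walk_chain("lets-secret-test-2", get=sample_get)
    for kind, name, state, detail in rows:
        print(f"{kind:<19} {name:<48} {state:<10} {detail}")
```

On the sample the last row is the challenge ingress with spec.ingressClassName=nginx, and the challenge row carries the "no such host" reason, which is exactly the point the manual kubectl describe walk reached above; against a live cluster, a chain that ends early (no Order under the CertificateRequest, or no ingress under the Challenge) tells you which controller step never ran.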

Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license; if you republish, please cite this site's URL or the original address. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM