[英]Issue with Self-signed certificate with Cert-Manager in Kubernetes
I'm trying to add a self-signed certificate in my AKS cluster using Cert-Manager.我正在尝试使用 Cert-Manager 在我的 AKS 群集中添加自签名证书。
I created a ClusterIssuer for the CA certificate (to sign the certificate) and a second ClusterIssuer for the Certificate (self-signed) I want to use.我为 CA 证书(用于签署证书)创建了一个 ClusterIssuer,并为我想要使用的证书(自签名)创建了第二个 ClusterIssuer。
I am not sure if the certificate2 is being used correctly by Ingress as it looks like it is waiting for some event.我不确定 Ingress 是否正确使用了 certificate2,因为它看起来正在等待某个事件。
Am I following the correct way to do this?我是否遵循正确的方法来做到这一点?
This is the first ClusterIssuer "clusterissuer.yml":这是第一个 ClusterIssuer "clusterissuer.yml":
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: selfsigned
spec:
selfSigned: {}
This is the CA certificate "certificate.yml":这是 CA 证书“certificate.yml”:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: selfsigned-certificate
spec:
secretName: hello-deployment-tls-ca-key-pair
dnsNames:
- "*.default.svc.cluster.local"
- "*.default.com"
isCA: true
issuerRef:
name: selfsigned
kind: ClusterIssuer
This is the second ClusterIssuer "clusterissuer2.yml" for the certificate i want to use:这是我要使用的证书的第二个 ClusterIssuer "clusterissuer2.yml":
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: hello-deployment-tls
spec:
ca:
secretName: hello-deployment-tls-ca-key-pair
and finally this is the self-signed certificate "certificate2.yml":最后这是自签名证书“certificate2.yml”:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: selfsigned-certificate2
spec:
secretName: hello-deployment-tls-ca-key-pair2
dnsNames:
- "*.default.svc.cluster.local"
- "*.default.com"
isCA: false
issuerRef:
name: hello-deployment-tls
kind: ClusterIssuer
I am using this certificate in an Ingress:我在 Ingress 中使用此证书:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "hello-deployment-tls"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
name: sonar-ingress
spec:
tls:
- secretName: "hello-deployment-tls-ca-key-pair2"
rules:
- http:
paths:
- pathType: Prefix
path: "/"
backend:
serviceName: sonarqube
servicePort: 80
As I do not have any registered domain name I just want to use the public IP to access the service over https: https://<Public_IP>由于我没有任何注册域名,我只想使用公共 IP 通过 https 访问服务:https://<Public_IP>
When I access to the service https://<Public_IP> i can see that "Kubernetes Ingress Controller Fake Certificate" so i guess this is because the certificate is not globally recognize by the browser.当我访问服务 https://<Public_IP> 时,我可以看到“Kubernetes Ingress Controller Fake Certificate”,所以我猜这是因为该证书未被浏览器全局识别。
The strange thing is here.奇怪的事情就在这里。 Theoretically the Ingress deployment is using the "selfsigned-certificate2" but looks like it is not ready:
理论上,Ingress 部署使用的是“selfsigned-certificate2”,但看起来还没有准备好:
kubectl get certificate
NAME READY SECRET AGE
selfsigned-certificate True hello-deployment-tls-ca-key-pair 4h29m
selfsigned-certificate2 False hello-deployment-tls-ca-key-pair2 3h3m
selfsigned-secret True selfsigned-secret 5h25m
kubectl describe certificate selfsigned-certificate2
.
.
.
Spec:
Dns Names:
*.default.svc.cluster.local
*.default.com
Issuer Ref:
Kind: ClusterIssuer
Name: hello-deployment-tls
Secret Name: hello-deployment-tls-ca-key-pair2
Status:
Conditions:
Last Transition Time: 2021-10-15T11:16:15Z
Message: Waiting for CertificateRequest "selfsigned-certificate2-3983093525" to complete
Reason: InProgress
Status: False
Type: Ready
Events: <none>
Any idea?任何的想法?
Thank you in advance.先感谢您。
First I noticed you're using v1alpha2
apiVersion which is depricated and will be removed in 1.6
cert-manager:首先,我注意到您使用的是已
v1alpha2
apiVersion,并将在1.6
cert-manager 中删除:
$ kubectl apply -f cluster-alpha.yaml
Warning: cert-manager.io/v1alpha2 ClusterIssuer is deprecated in v1.4+, unavailable in v1.6+; use cert-manager.io/v1 ClusterIssuer
I used apiVersion: cert-manager.io/v1
in reproduction.我在复制中使用了
apiVersion: cert-manager.io/v1
。
Same for v1beta1
ingress, consider updating it to networking.k8s.io/v1
. v1beta1
入口也是如此,考虑将其更新为networking.k8s.io/v1
。
I started reproducing your setup step by step.我开始逐步重现您的设置。
I applied clusterissuer.yaml
:我申请了
clusterissuer.yaml
:
$ kubectl apply -f clusterissuer.yaml
clusterissuer.cert-manager.io/selfsigned created
$ kubectl get clusterissuer
NAME READY AGE
selfsigned True 11s
Pay attention that READY
is set to True
.请注意
READY
设置为True
。
Next I applied certificate.yaml
:接下来我申请了
certificate.yaml
:
$ kubectl apply -f cert.yaml
certificate.cert-manager.io/selfsigned-certificate created
$ kubectl get cert
NAME READY SECRET AGE
selfsigned-certificate True hello-deployment-tls-ca-key-pair 7s
Next step is to add the second ClusterIssuer
which is referenced to hello-deployment-tls-ca-key-pair
secret:下一步是添加引用
hello-deployment-tls-ca-key-pair
秘密的第二个ClusterIssuer
:
$ kubectl apply -f clusterissuer2.yaml
clusterissuer.cert-manager.io/hello-deployment-tls created
$ kubectl get clusterissuer
NAME READY AGE
hello-deployment-tls False 6s
selfsigned True 3m50
ClusterIssuer hello-deployment-tls
is not ready. ClusterIssuer
hello-deployment-tls
未准备好。 Here's why:原因如下:
$ kubectl describe clusterissuer hello-deployment-tls
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning ErrGetKeyPair 10s (x5 over 75s) cert-manager Error getting keypair for CA issuer: secret "hello-deployment-tls-ca-key-pair" not found
Warning ErrInitIssuer 10s (x5 over 75s) cert-manager Error initializing issuer: secret "hello-deployment-tls-ca-key-pair" not found
This is expected behaviour since:这是预期的行为,因为:
When referencing a Secret resource in ClusterIssuer resources (eg apiKeySecretRef) the Secret needs to be in the same namespace as the cert-manager controller pod.
在 ClusterIssuer 资源(例如 apiKeySecretRef)中引用 Secret 资源时,该 Secret 需要与 cert-manager 控制器 pod 位于相同的命名空间中。 You can optionally override this by using the --cluster-resource-namespace argument to the controller.
您可以选择使用控制器的 --cluster-resource-namespace 参数覆盖它。
I edited the cert-manager
deployment so it will look for secrets
in default
namespace (this is not ideal, I'd use issuer
instead in default
namespace):我编辑了
cert-manager
部署,因此它将在default
命名空间中查找secrets
(这并不理想,我会在default
命名空间中使用issuer
):
$ kubectl edit deploy cert-manager -n cert-manager
spec:
containers:
- args:
- --v=2
- --cluster-resource-namespace=default
It takes about a minute for cert-manager
to start. cert-manager
启动大约需要一分钟。 Redeployed clusterissuer2.yaml
:重新部署的
clusterissuer2.yaml
:
$ kubectl delete -f clusterissuer2.yaml
clusterissuer.cert-manager.io "hello-deployment-tls" deleted
$ kubectl apply -f clusterissuer2.yaml
clusterissuer.cert-manager.io/hello-deployment-tls created
$ kubectl get clusterissuer
NAME READY AGE
hello-deployment-tls True 3s
selfsigned True 5m42s
Both are READY
.两者都
READY
。 Moving forward with certificate2.yaml
:继续使用
certificate2.yaml
:
$ kubectl apply -f cert2.yaml
certificate.cert-manager.io/selfsigned-certificate2 created
$ kubectl get cert
NAME READY SECRET AGE
selfsigned-certificate True hello-deployment-tls-ca-key-pair 33s
selfsigned-certificate2 True hello-deployment-tls-ca-key-pair2 6s
$ kubectl get certificaterequest
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
selfsigned-certificate-jj98f True True selfsigned system:serviceaccount:cert-manager:cert-manager 52s
selfsigned-certificate2-jwq5c True True hello-deployment-tls system:serviceaccount:cert-manager:cert-manager 25s
When host
is not added to ingress
, it doesn't create any certificates and seems to used some fake one from ingress
which is issued by CN = Kubernetes Ingress Controller Fake Certificate
.当
host
未添加到ingress
,它不会创建任何证书,并且似乎使用了一些来自ingress
CN = Kubernetes Ingress Controller Fake Certificate
由CN = Kubernetes Ingress Controller Fake Certificate
。
Events from ingress
:来自
ingress
事件:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning BadConfig 5s cert-manager TLS entry 0 is invalid: secret "example-cert" for ingress TLS has no hosts specified
When I added DNS to ingress
:当我将 DNS 添加到
ingress
:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateCertificate 4s cert-manager Successfully created Certificate "example-cert"
You don't need to create a certificate if you're referencing to issuer
in ingress
rule.你并不需要,如果你引用来创建证书
issuer
在ingress
规则。 Ingress will issue certificate for you when all details are presented, such as: Ingress 会在提供所有详细信息后为您颁发证书,例如:
cert-manager.io/cluster-issuer: "hello-deployment-tls"
cert-manager.io/cluster-issuer: "hello-deployment-tls"
spec.tls
part with host within spec.tls
部分与主机内spec.rules.host
OR或者
if you want to create certificate manually and ask ingress to use it, then:如果您想手动创建证书并要求 ingress 使用它,则:
cert-manager.io/cluster-issuer: "hello-deployment-tls"
cert-manager.io/cluster-issuer: "hello-deployment-tls"
ingress rule
.ingress rule
引用它。 You can check certificate details in browser and find that it no longer has issuer as CN = Kubernetes Ingress Controller Fake Certificate
, in my case it's empty.您可以在浏览器中检查证书详细信息,发现它不再具有颁发者
CN = Kubernetes Ingress Controller Fake Certificate
,在我的情况下它是空的。
Initially I used a bit outdated cert-manager v1.4
and got this issue which has gone after updating to 1.4.1
.最初我使用了一个有点过时的
cert-manager v1.4
并且在更新到1.4.1
后遇到了这个问题。
It looks like:看起来像:
$ kubectl describe certificaterequest selfsigned-certificate2-45k2c
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 41s cert-manager Certificate request has been approved by cert-manager.io
Warning DecodeError 41s cert-manager Failed to decode returned certificate: error decoding certificate PEM block
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.