Kubernetes 中使用 Cert-Manager 的自签名证书问题
[英]Issue with Self-signed certificate with Cert-Manager in Kubernetes
问题描述
I'm trying to add a self-signed certificate in my AKS cluster using Cert-Manager.
我正在尝试使用 Cert-Manager 在我的 AKS 群集中添加自签名证书。
I created a ClusterIssuer for the CA certificate (to sign the certificate) and a second ClusterIssuer for the Certificate (self-signed) I want to use.我为 CA 证书(用于签署证书)创建了一个 ClusterIssuer,并为我想要使用的证书(自签名)创建了第二个 ClusterIssuer。
I am not sure if the certificate2 is being used correctly by Ingress as it looks like it is waiting for some event.我不确定 Ingress 是否正确使用了 certificate2,因为它看起来正在等待某个事件。
Am I following the correct way to do this?我是否遵循正确的方法来做到这一点?
This is the first ClusterIssuer "clusterissuer.yml":这是第一个 ClusterIssuer "clusterissuer.yml":
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: selfsigned
spec:
selfSigned: {}
This is the CA certificate "certificate.yml":这是 CA 证书“certificate.yml”:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: selfsigned-certificate
spec:
secretName: hello-deployment-tls-ca-key-pair
dnsNames:
- "*.default.svc.cluster.local"
- "*.default.com"
isCA: true
issuerRef:
name: selfsigned
kind: ClusterIssuer
This is the second ClusterIssuer "clusterissuer2.yml" for the certificate i want to use:这是我要使用的证书的第二个 ClusterIssuer "clusterissuer2.yml":
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: hello-deployment-tls
spec:
ca:
secretName: hello-deployment-tls-ca-key-pair
and finally this is the self-signed certificate "certificate2.yml":最后这是自签名证书“certificate2.yml”:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: selfsigned-certificate2
spec:
secretName: hello-deployment-tls-ca-key-pair2
dnsNames:
- "*.default.svc.cluster.local"
- "*.default.com"
isCA: false
issuerRef:
name: hello-deployment-tls
kind: ClusterIssuer
I am using this certificate in an Ingress:我在 Ingress 中使用此证书:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "hello-deployment-tls"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
name: sonar-ingress
spec:
tls:
- secretName: "hello-deployment-tls-ca-key-pair2"
rules:
- http:
paths:
- pathType: Prefix
path: "/"
backend:
serviceName: sonarqube
servicePort: 80
As I do not have any registered domain name I just want to use the public IP to access the service over https: https://<Public_IP>由于我没有任何注册域名,我只想使用公共 IP 通过 https 访问服务:https://<Public_IP>
When I access to the service https://<Public_IP> i can see that "Kubernetes Ingress Controller Fake Certificate" so i guess this is because the certificate is not globally recognize by the browser.当我访问服务 https://<Public_IP> 时,我可以看到“Kubernetes Ingress Controller Fake Certificate”,所以我猜这是因为该证书未被浏览器全局识别。
The strange thing is here.奇怪的事情就在这里。 Theoretically the Ingress deployment is using the "selfsigned-certificate2" but looks like it is not ready:理论上,Ingress 部署使用的是“selfsigned-certificate2”,但看起来还没有准备好:
kubectl get certificate
NAME READY SECRET AGE
selfsigned-certificate True hello-deployment-tls-ca-key-pair 4h29m
selfsigned-certificate2 False hello-deployment-tls-ca-key-pair2 3h3m
selfsigned-secret True selfsigned-secret 5h25m
kubectl describe certificate selfsigned-certificate2
.
.
.
Spec:
Dns Names:
*.default.svc.cluster.local
*.default.com
Issuer Ref:
Kind: ClusterIssuer
Name: hello-deployment-tls
Secret Name: hello-deployment-tls-ca-key-pair2
Status:
Conditions:
Last Transition Time: 2021-10-15T11:16:15Z
Message: Waiting for CertificateRequest "selfsigned-certificate2-3983093525" to complete
Reason: InProgress
Status: False
Type: Ready
Events: <none>
Any idea?任何的想法?
Thank you in advance.先感谢您。
1 个解决方案
解决方案1
1 2021-10-18 14:13:19
ApiVersions Api版本
First I noticed you're using v1alpha2 apiVersion which is depricated and will be removed in 1.6 cert-manager:首先,我注意到您使用的是已v1alpha2 apiVersion,并将在1.6 cert-manager 中删除:
$ kubectl apply -f cluster-alpha.yaml
Warning: cert-manager.io/v1alpha2 ClusterIssuer is deprecated in v1.4+, unavailable in v1.6+; use cert-manager.io/v1 ClusterIssuer
I used apiVersion: cert-manager.io/v1 in reproduction.我在复制中使用了apiVersion: cert-manager.io/v1 。
Same for v1beta1 ingress, consider updating it to networking.k8s.io/v1 . v1beta1入口也是如此,考虑将其更新为networking.k8s.io/v1 。
What happens发生什么了
I started reproducing your setup step by step.我开始逐步重现您的设置。
I applied clusterissuer.yaml :我申请了clusterissuer.yaml :
$ kubectl apply -f clusterissuer.yaml
clusterissuer.cert-manager.io/selfsigned created
$ kubectl get clusterissuer
NAME READY AGE
selfsigned True 11s
Pay attention that READY is set to True .请注意READY设置为True 。
Next I applied certificate.yaml :接下来我申请了certificate.yaml :
$ kubectl apply -f cert.yaml
certificate.cert-manager.io/selfsigned-certificate created
$ kubectl get cert
NAME READY SECRET AGE
selfsigned-certificate True hello-deployment-tls-ca-key-pair 7s
Next step is to add the second ClusterIssuer which is referenced to hello-deployment-tls-ca-key-pair secret:下一步是添加引用hello-deployment-tls-ca-key-pair秘密的第二个ClusterIssuer :
$ kubectl apply -f clusterissuer2.yaml
clusterissuer.cert-manager.io/hello-deployment-tls created
$ kubectl get clusterissuer
NAME READY AGE
hello-deployment-tls False 6s
selfsigned True 3m50
ClusterIssuer hello-deployment-tls is not ready. ClusterIssuer hello-deployment-tls未准备好。 Here's why:原因如下:
$ kubectl describe clusterissuer hello-deployment-tls
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning ErrGetKeyPair 10s (x5 over 75s) cert-manager Error getting keypair for CA issuer: secret "hello-deployment-tls-ca-key-pair" not found
Warning ErrInitIssuer 10s (x5 over 75s) cert-manager Error initializing issuer: secret "hello-deployment-tls-ca-key-pair" not found
This is expected behaviour since:这是预期的行为,因为:
When referencing a Secret resource in ClusterIssuer resources (eg apiKeySecretRef) the Secret needs to be in the same namespace as the cert-manager controller pod.
Answer - how to move forward答案 - 如何前进
I edited the cert-manager deployment so it will look for secrets in default namespace (this is not ideal, I'd use issuer instead in default namespace):我编辑了cert-manager部署,因此它将在default命名空间中查找secrets (这并不理想,我会在default命名空间中使用issuer ):
$ kubectl edit deploy cert-manager -n cert-manager
spec:
containers:
- args:
- --v=2
- --cluster-resource-namespace=default
It takes about a minute for cert-manager to start. cert-manager启动大约需要一分钟。 Redeployed clusterissuer2.yaml :重新部署的clusterissuer2.yaml :
$ kubectl delete -f clusterissuer2.yaml
clusterissuer.cert-manager.io "hello-deployment-tls" deleted
$ kubectl apply -f clusterissuer2.yaml
clusterissuer.cert-manager.io/hello-deployment-tls created
$ kubectl get clusterissuer
NAME READY AGE
hello-deployment-tls True 3s
selfsigned True 5m42s
Both are READY .两者都READY 。 Moving forward with certificate2.yaml :继续使用certificate2.yaml :
$ kubectl apply -f cert2.yaml
certificate.cert-manager.io/selfsigned-certificate2 created
$ kubectl get cert
NAME READY SECRET AGE
selfsigned-certificate True hello-deployment-tls-ca-key-pair 33s
selfsigned-certificate2 True hello-deployment-tls-ca-key-pair2 6s
$ kubectl get certificaterequest
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
selfsigned-certificate-jj98f True True selfsigned system:serviceaccount:cert-manager:cert-manager 52s
selfsigned-certificate2-jwq5c True True hello-deployment-tls system:serviceaccount:cert-manager:cert-manager 25s
Ingress入口
When host is not added to ingress , it doesn't create any certificates and seems to used some fake one from ingress which is issued by CN = Kubernetes Ingress Controller Fake Certificate .当host未添加到ingress ,它不会创建任何证书,并且似乎使用了一些来自ingress CN = Kubernetes Ingress Controller Fake Certificate由CN = Kubernetes Ingress Controller Fake Certificate 。
Events from ingress :来自ingress事件:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning BadConfig 5s cert-manager TLS entry 0 is invalid: secret "example-cert" for ingress TLS has no hosts specified
When I added DNS to ingress :当我将 DNS 添加到ingress :
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateCertificate 4s cert-manager Successfully created Certificate "example-cert"
Answer, part 2 (about ingress, certificates and issuer)答案,第 2 部分(关于入口、证书和颁发者)
You don't need to create a certificate if you're referencing to issuer in ingress rule.你并不需要,如果你引用来创建证书issuer在ingress规则。 Ingress will issue certificate for you when all details are presented, such as: Ingress 会在提供所有详细信息后为您颁发证书,例如:
- annotation
cert-manager.io/cluster-issuer: "hello-deployment-tls"注释cert-manager.io/cluster-issuer: "hello-deployment-tls" -
spec.tlspart with host withinspec.tls部分与主机内 spec.rules.host
OR或者
if you want to create certificate manually and ask ingress to use it, then:如果您想手动创建证书并要求 ingress 使用它,则:
- remove annotation
cert-manager.io/cluster-issuer: "hello-deployment-tls"删除注释cert-manager.io/cluster-issuer: "hello-deployment-tls" - create certificate manually手动创建证书
- refer to it in
ingress rule.在ingress rule引用它。
You can check certificate details in browser and find that it no longer has issuer as CN = Kubernetes Ingress Controller Fake Certificate , in my case it's empty.您可以在浏览器中检查证书详细信息,发现它不再具有颁发者CN = Kubernetes Ingress Controller Fake Certificate ,在我的情况下它是空的。
Note - cert-manager v1.4注意 - cert-manager v1.4
Initially I used a bit outdated cert-manager v1.4 and got this issue which has gone after updating to 1.4.1 .最初我使用了一个有点过时的cert-manager v1.4并且在更新到1.4.1后遇到了这个问题。
It looks like:看起来像:
$ kubectl describe certificaterequest selfsigned-certificate2-45k2c
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal cert-manager.io 41s cert-manager Certificate request has been approved by cert-manager.io
Warning DecodeError 41s cert-manager Failed to decode returned certificate: error decoding certificate PEM block
Useful links:有用的链接:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.