
Issue with Cert-manager ClusterIssuer in AKS

I am getting this error in the ClusterIssuer (cert-manager version 1.7.1):

"Error getting keypair for CA issuer: error decoding certificate PEM block"

I have the ca.crt, tls.crt and tls.key stored in a Key Vault in Azure.

kubectl describe clusterissuer ca-issuer

  Ca:
    Secret Name:  cert-manager-secret
Status:
  Conditions:
    Last Transition Time:  2022-02-25T11:40:49Z
    Message:               Error getting keypair for CA issuer: error decoding certificate PEM block
    Observed Generation:   1
    Reason:                ErrGetKeyPair
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age                  From          Message
  ----     ------         ----                 ----          -------
  Warning  ErrGetKeyPair  3m1s (x17 over 58m)  cert-manager  Error getting keypair for CA issuer: error decoding certificate PEM block
  Warning  ErrInitIssuer  3m1s (x17 over 58m)  cert-manager  Error initializing issuer: error decoding certificate PEM block

kubectl get clusterissuer

NAME        READY   AGE
ca-issuer   False   69m 
This is the clusterissuer yaml file:

ca-issuer.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
  # ClusterIssuer is cluster-scoped, so metadata.namespace is ignored.
  # The CA secret must live in cert-manager's cluster resource namespace
  # (cert-manager by default) and carry tls.crt and tls.key.
  namespace: cert-manager
spec:
  ca:
    secretName: cert-manager-secret

This is the KeyVault yaml file to retrieve the ca.crt, tls.crt and tls.key:

keyvauls.yaml

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-akscacrt
  namespace: cert-manager
spec:
  vault:
    name: kv-xx # name of key vault
    object:
      name: akscacrt # name of the akv object
      type: secret # akv object type
  output: 
    secret: 
      name: cert-manager-secret # kubernetes secret name
      dataKey: ca.crt # key to store object value in kubernetes secret
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-akstlscrt
  namespace: cert-manager
spec:
  vault:
    name: kv-xx # name of key vault
    object:
      name: akstlscrt # name of the akv object
      type: secret # akv object type
  output: 
    secret: 
      name: cert-manager-secret # kubernetes secret name
      dataKey: tls.crt # key to store object value in kubernetes secret
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-akstlskey
  namespace: cert-manager
spec:
  vault:
    name: kv-xx # name of key vault
    object:
      name: akstlskey # name of the akv object
      type: secret # akv object type
  output: 
    secret: 
      name: cert-manager-secret # kubernetes secret name
      dataKey: tls.key # key to store object value in kubernetes secret
---

and these are the certificates used:

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-xx
  namespace: argocd
spec:
  secretName: argocd-xx
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  commonName: "argocd.xx"
  dnsNames:
    - "argocd.xx"
  privateKey:
    size: 4096
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sonarqube-xx
  namespace: sonarqube
spec:
  secretName: "sonarqube-xx"
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  commonName: "sonarqube.xx"
  dnsNames:
    - "sonarqube.xx"
  privateKey:
    size: 4096

I can see that I can retrieve the secrets for the certificate from the key vault:

kubectl get secret -n cert-manager cert-manager-secret -o yaml

apiVersion: v1
data:
  ca.crt: XXX
  tls.crt: XXX
  tls.key: XXX

Also, another strange thing is that I am getting other secrets in the sonarqube/argocd namespaces which I deployed previously but which are no longer in my deployment file. I cannot delete them; when I try to delete them, they are re-created automatically. It looks like they are stored in some kind of cache. I also tried deleting the akv2k8s/cert-manager namespaces, deleting the cert-manager/akv2k8s controllers and re-installing them again, but I get the same issue after re-installing and applying the deployment...

kubectl get secret -n sonarqube

NAME                                      TYPE                                  DATA   AGE
cert-manager-secret                       Opaque                                3      155m
default-token-c8b86                       kubernetes.io/service-account-token   3      2d1h
sonarqube-xx-7v7dh   Opaque                                1      107m
sql-db-secret                             Opaque                                2      170m

kubectl get secret -n argocd   
NAME                                   TYPE                                  DATA   AGE
argocd-xx-7b5kb   Opaque                                1      107m
cert-manager-secret-argo               Opaque                                3      157m
default-token-pjb4z                    kubernetes.io/service-account-token   3      3d15h

kubectl describe certificate sonarqube-xxx -n sonarqube

Status:
  Conditions:
    Last Transition Time:        2022-02-25T11:04:08Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2022-02-25T11:04:08Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  sonarqube-xxx-7v7dh
Events:                          <none>

Any idea?

Thanks.

I figured it out: just upload the certificate info ca.crt, tls.crt and tls.key in plain text, without BASE64 encoding, to the Key Vault secrets in Azure.

When AKV2K8S retrieves the secrets from the Key Vault and stores them in Kubernetes, they are automatically encoded in BASE64.

Regards,
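The failure mode described in this answer is a double base64 layer: the PEM text was base64-encoded by hand before being put in Key Vault, and the Kubernetes API server then base64-encodes whatever akv2k8s writes into the Secret, so after one decode cert-manager sees base64 text instead of a "-----BEGIN" block. The following is an added example (not code from the post, from cert-manager or from akv2k8s) that takes a Secret as returned by `kubectl get secret -o json`, classifies each data key as plain PEM, double-encoded PEM, or not PEM at all, and returns a repaired copy with the extra layer removed. The sample Secret is constructed inline; its "certificate" is a dummy DER SEQUENCE, not a real X.509 object, so the check only validates PEM framing and that the body decodes to DER, not the certificate itself.

```python
"""Diagnose a cert-manager CA issuer Secret whose PEM data was base64-encoded
twice: once by hand before upload to Key Vault, once by Kubernetes when the
akv2k8s controller writes the Secret.

Added example; not code from the original post or from cert-manager/akv2k8s.
The sample Secret at the bottom is constructed, and its "certificate" is a
dummy DER SEQUENCE rather than a real X.509 object.
"""
import base64
import binascii
import json
import re

# A PEM block: BEGIN header, base64 body (possibly wrapped), matching END footer.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)\r?\n-----END \1-----"
)

# Keys cert-manager's CA issuer reads from the referenced Secret (ca.crt is optional).
REQUIRED_KEYS = ("tls.crt", "tls.key")


def _b64decode_strict(data: bytes):
    """Return decoded bytes, or None if data is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def pem_type(raw: bytes):
    """Return the BEGIN/END label if raw is a PEM block whose body is valid
    base64 decoding to a DER SEQUENCE (first byte 0x30), else None."""
    m = PEM_RE.search(raw)
    if not m:
        return None
    body = _b64decode_strict(re.sub(rb"[\r\n]", b"", m.group(2)))
    if not body or body[0] != 0x30:
        return None
    return m.group(1).decode()


def classify(stored: bytes):
    """Classify one value as the API server holds it (Kubernetes' own base64
    layer already removed). Returns (status, pem_label)."""
    label = pem_type(stored)
    if label:
        return "pem", label
    inner = _b64decode_strict(stored.strip())  # peel a second base64 layer
    if inner:
        label = pem_type(inner)
        if label:
            return "double-base64", label
    return "not-pem", None


def diagnose(secret: dict):
    """Map each data key of a Secret (as from `kubectl get secret -o json`) to
    its classification; required keys that are absent are reported as missing."""
    report = {}
    for key, value in secret.get("data", {}).items():
        report[key] = classify(base64.b64decode(value))
    for key in REQUIRED_KEYS:
        report.setdefault(key, ("missing", None))
    return report


def repair(secret: dict):
    """Return a copy of the Secret with double-encoded values decoded once more,
    so each data field is plain PEM underneath Kubernetes' base64 layer."""
    fixed = json.loads(json.dumps(secret))  # deep copy, leave the input untouched
    for key, value in fixed.get("data", {}).items():
        stored = base64.b64decode(value)
        if classify(stored)[0] == "double-base64":
            fixed["data"][key] = base64.b64encode(
                base64.b64decode(stored.strip())).decode()
    return fixed


# Constructed sample input: a dummy DER SEQUENCE (INTEGER 1) wrapped as PEM.
_DUMMY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def _pem(label: str) -> bytes:
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + base64.b64encode(_DUMMY_DER)
            + b"\n-----END " + label.encode() + b"-----\n")


SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "cert-manager-secret", "namespace": "cert-manager"},
    "data": {
        # correct: only Kubernetes' base64 over the plain PEM text
        "ca.crt": base64.b64encode(_pem("CERTIFICATE")).decode(),
        # wrong: PEM base64-encoded before upload, then base64-encoded again
        "tls.crt": base64.b64encode(base64.b64encode(_pem("CERTIFICATE"))).decode(),
        "tls.key": base64.b64encode(base64.b64encode(_pem("PRIVATE KEY"))).decode(),
    },
}

if __name__ == "__main__":
    for key, status in diagnose(SAMPLE_SECRET).items():
        print(f"{key}: {status}")
    print(diagnose(repair(SAMPLE_SECRET)))
```

To run it against a live cluster, feed `diagnose()` the output of `kubectl get secret -n cert-manager cert-manager-secret -o json` parsed with `json.loads`. A "double-base64" result means the value in Key Vault is base64 text rather than the PEM file itself, which is the situation the answer describes; the durable fix is to re-upload the plain PEM to Key Vault rather than to patch the Secret, because akv2k8s will overwrite a hand-edited Secret on its next sync.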
