[英]Issue with Cert-manager ClusterIssuer in AKS
I am getting this error in clusterissuer (cert-manager version 1.7.1):我在 clusterissuer(证书管理器版本 1.7.1)中收到此错误:
"Error getting keypair for CA issuer: error decoding certificate PEM block" “获取 CA 颁发者的密钥对时出错:解码证书 PEM 块时出错”
I have the ca.crt, tls.crt and tls.key stored in a Key Vault in Azure.我将 ca.crt、tls.crt 和 tls.key 存储在 Azure 的 Key Vault 中。
kubectl describe clusterissuer ca-issuer kubectl 描述 clusterissuer ca-issuer
Ca:
Secret Name: cert-manager-secret
Status:
Conditions:
Last Transition Time: 2022-02-25T11:40:49Z
Message: Error getting keypair for CA issuer: error decoding certificate PEM block
Observed Generation: 1
Reason: ErrGetKeyPair
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning ErrGetKeyPair 3m1s (x17 over 58m) cert-manager Error getting keypair for CA issuer: error decoding certificate PEM block
Warning ErrInitIssuer 3m1s (x17 over 58m) cert-manager Error initializing issuer: error decoding certificate PEM block
kubectl get clusterissuer kubectl 获取集群发行者
NAME READY AGE
ca-issuer False 69m
ca-issuer.yaml ca-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ca-issuer
namespace: cert-manager
spec:
ca:
secretName: cert-manager-secret
This is the KeyVault yaml file to retrieve the ca.crt, tls.crt and tls.key这是用于检索 ca.crt、tls.crt 和 tls.key 的 KeyVault yaml 文件
keyvauls.yaml keyvauls.yaml
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
name: secret-akscacrt
namespace: cert-manager
spec:
vault:
name: kv-xx # name of key vault
object:
name: akscacrt # name of the akv object
type: secret # akv object type
output:
secret:
name: cert-manager-secret # kubernetes secret name
dataKey: ca.crt # key to store object value in kubernetes secret
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
name: secret-akstlscrt
namespace: cert-manager
spec:
vault:
name: kv-xx # name of key vault
object:
name: akstlscrt # name of the akv object
type: secret # akv object type
output:
secret:
name: cert-manager-secret # kubernetes secret name
dataKey: tls.crt # key to store object value in kubernetes secret
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
name: secret-akstlskey
namespace: cert-manager
spec:
vault:
name: kv-xx # name of key vault
object:
name: akstlskey # name of the akv object
type: secret # akv object type
output:
secret:
name: cert-manager-secret # kubernetes secret name
dataKey: tls.key # key to store object value in kubernetes secret
---
and these are the certificates used:这些是使用的证书:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argocd-xx
namespace: argocd
spec:
secretName: argocd-xx
issuerRef:
name: ca-issuer
kind: ClusterIssuer
commonName: "argocd.xx"
dnsNames:
- "argocd.xx"
privateKey:
size: 4096
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: sonarqube-xx
namespace: sonarqube
spec:
secretName: "sonarqube-xx"
issuerRef:
name: ca-issuer
kind: ClusterIssuer
commonName: "sonarqube.xx"
dnsNames:
- "sonarqube.xx"
privateKey:
size: 4096
I can see that I can retrive the secrets for the certificate from key vault:我可以看到我可以从密钥库中检索证书的秘密:
kubectl get secret -n cert-manager cert-manager-secret -o yaml kubectl get secret -n cert-manager cert-manager-secret -o yaml
apiVersion: v1
data:
ca.crt: XXX
tls.crt: XXX
tls.key: XXX
Also, another strange thing is that I am getting other secrets in sonarqube/argocd namespace which I deployed previously but are not any more in my deployment file.另外,另一件奇怪的事情是我在之前部署的 sonarqube/argocd 命名空间中获得了其他秘密,但我的部署文件中不再有这些秘密。 I cannot delete them, when I try to delete them, they are re-created automatically.
我无法删除它们,当我尝试删除它们时,它们会自动重新创建。 Looks like they are stored in some kind of cache.
看起来它们存储在某种缓存中。 Also I tried to delete the namespace akv2k8s/cert-manager and delete the cert-manager/akv2k8s controllers and re-install them again but same issue after re-installing and applying the deployment...
我还尝试删除命名空间 akv2k8s/cert-manager 并删除 cert-manager/akv2k8s 控制器并重新安装它们,但在重新安装和应用部署后出现同样的问题......
kubectl get secret -n sonarqube
NAME TYPE DATA AGE
cert-manager-secret Opaque 3 155m
default-token-c8b86 kubernetes.io/service-account-token 3 2d1h
sonarqube-xx-7v7dh Opaque 1 107m
sql-db-secret Opaque 2 170m
kubectl get secret -n argocd
NAME TYPE DATA AGE
argocd-xx-7b5kb Opaque 1 107m
cert-manager-secret-argo Opaque 3 157m
default-token-pjb4z kubernetes.io/service-account-token 3 3d15h
kubectl describe certificate sonarqube-xxx -n sonarqube kubectl 描述证书 sonarqube-xxx -n sonarqube
Status:
Conditions:
Last Transition Time: 2022-02-25T11:04:08Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2022-02-25T11:04:08Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: sonarqube-xxx-7v7dh
Events: <none>
Any idea?任何的想法?
Thanks.谢谢。
I figured it out just uploading the certificate info ca.crt .我想通了只是上传证书信息ca.crt 。 tls.crt and tls.key in plain text, without BASE64 encoding in the Key Vault secrets in Azure.
纯文本的tls.crt和tls.key ,在 Azure 的 Key Vault 机密中没有 BASE64 编码。
When AKV2K8S retrives the secrets from the Key Vault and stored in Kube.netes, automatically it is encoded in BASE64.当 AKV2K8S 从 Key Vault 中检索机密并存储在 Kube.netes 中时,它会自动编码为 BASE64。
Regards,问候,
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.