flux with linkerd and cert manager has issuer error
I am installing the linkerd helm version with flux and cert manager for tls rotation
cert manager holds default config so there isn't much to talk about there
flux and linkerd with this config:
release.yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: linkerd
  namespace: linkerd
spec:
  interval: 5m
  values:
    identity.issuer.scheme: kubernetes.io/tls
    installNamespace: false
  valuesFrom:
  - kind: Secret
    name: linkerd-trust-anchor
    valuesKey: tls.crt
    targetPath: identityTrustAnchorsPEM
  chart:
    spec:
      chart: linkerd2
      version: "2.11.2"
      sourceRef:
        kind: HelmRepository
        name: linkerd
        namespace: linkerd
      interval: 1m
source.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: linkerd
  namespace: linkerd
spec:
  interval: 5m0s
  url: https://helm.linkerd.io/stable
linkerd-trust-anchor.yaml
apiVersion: v1
data:
  tls.crt: base64encoded
  tls.key: base64encoded
kind: Secret
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
type: kubernetes.io/tls
which was created with:
step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure
issuer.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
Now when it comes time to reconcile, I get this error in the helmrelease:
Helm install failed: execution error at (linkerd2/templates/identity.yaml:19:21): Please provide the identity issuer certificate
However, doing it manually does work perfectly:
helm install linkerd2 \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set identity.issuer.scheme=kubernetes.io/tls \
  --set installNamespace=false linkerd/linkerd2 \
  -n linkerd
It also works if I have the same setup but without cert manager and certificates declared manually (with a different secret name as linkerd will create it on its own), like this:
valuesFrom:
- kind: Secret
  name: linkerd-trust-anchor
  valuesKey: tls.crt
  targetPath: identityTrustAnchorsPEM
- kind: Secret
  name: linkerd-identity-issuer-2
  valuesKey: tls.crt
  targetPath: identity.issuer.tls.crtPEM
- kind: Secret
  name: linkerd-identity-issuer-2
  valuesKey: tls.key
  targetPath: identity.issuer.tls.keyPEM
Am I missing something?
The problem lies here:
values:
  identity.issuer.scheme: kubernetes.io/tls
It should be:
values:
  identity:
    issuer:
      scheme: kubernetes.io/tls
Otherwise, helm won't recognize it and linkerd will think the schema is linkerd.io/tls, which doesn't match the schema structure of kubernetes secret tls.
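The difference between the two forms, as an added example that is not part of the original answer: a simplified Python model of how a values map is merged over chart defaults and then read by a template. The function names, the simplified `--set` parsing (no escapes or list indexes) and the shape of the chart defaults are assumptions; the default scheme `linkerd.io/tls` is the one the answer names.

```python
# Added illustration (not from the original post): a dotted key in a values
# mapping is one literal key, while `helm --set a.b.c=v` builds a nested path.

# Chart default as named in the answer above (assumed shape of values.yaml).
CHART_DEFAULTS = {"identity": {"issuer": {"scheme": "linkerd.io/tls"}}}

def set_path(values, dotted, value):
    """Simplified `--set key.path=value`: split on dots, create nested maps."""
    node = values
    *parents, leaf = dotted.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value
    return values

def deep_merge(base, override):
    """Merge user values over chart defaults, recursing into nested maps."""
    merged = dict(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], val)
        else:
            merged[key] = val
    return merged

def lookup(values, dotted):
    """What a template sees for `.Values.<dotted>`; None if the path is absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def dotted_keys(values, prefix=""):
    """Lint: report keys that contain a dot and so never reach a nested path."""
    found = []
    for key, val in values.items():
        if "." in key:
            found.append(prefix + key)
        if isinstance(val, dict):
            found.extend(dotted_keys(val, prefix + key + " > "))
    return found

def effective_scheme(user_values):
    """Scheme the chart would act on after defaults and user values are merged."""
    return lookup(deep_merge(CHART_DEFAULTS, user_values), "identity.issuer.scheme")

# Constructed inputs: what each way of supplying the value parses to.
FLAT = {"identity.issuer.scheme": "kubernetes.io/tls", "installNamespace": False}
NESTED = {"identity": {"issuer": {"scheme": "kubernetes.io/tls"}}, "installNamespace": False}
CLI = set_path({"installNamespace": False}, "identity.issuer.scheme", "kubernetes.io/tls")
```

Running `dotted_keys` over the `values` block of a HelmRelease before committing it flags this class of mistake without waiting for a failed reconcile.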