
kubernetes - Nginx, cert-manager, mounted secret file renewal issue

The certificate file of cert-manager is mounted on the nginx volume and is being used.

e.g.

nginx deploy.yaml -

      volumes:
        - name: secret-volume
          secret:
            secretName: my.test.app.com
        - name: configmap-volume
          configMap:
            name: nginxconfigmap
      containers:
        - name: nginxhttps
          image: bprashanth/nginxhttps:1.0
          ports:
            - containerPort: 443
            - containerPort: 80
          volumeMounts:
            - mountPath: /etc/nginx/ssl
              name: secret-volume
            - mountPath: /etc/nginx/conf.d
              name: configmap-volume

and in my nginx.conf file:

    ssl_certificate /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;

And it's working very well. In addition, the certificate is smoothly reissued by cert-manager.

However, because the reissued certificate file is not updated in the nginx container, the browser says that the certificate has expired when I access the site.

There is no problem if I force-restart the pod, but I want to automate it.

I wonder if there is a way to automatically renew the certificate without restarting the pod forcibly.

I'm not sure whether the certificate is for your specific application using Nginx, or for the main Nginx ingress which is handling the whole traffic of your cluster.

If it is the main Nginx which is handling the whole traffic of your cluster, you can create the Ingress and add the cert-manager integration there.

Cert-manager will manage the certificate and save it inside the secret, and the Ingress will use that secret at run time. Whenever the certificate gets renewed, the secret content will get updated while the Ingress keeps using the same secret name.

In the above scenario, no pod restart is required.

If you want to read and check the whole example, please refer to: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

In the above example, Nginx runs without having any certificate in a volume; it uses the certificate stored in the secret.

For a YAML example of issuer and Ingress, please check: https://stackoverflow.com/a/67184948/5525824
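The Ingress-based setup described in the answer above, written out as an added example (this is not the asker's, the answerer's, or the linked tutorial's code). It assumes cert-manager and an ingress-nginx controller with ingress class `nginx` are installed, that the application is exposed by a Service named `my-test-app` on port 80, and that the ACME e-mail address is a placeholder. The secret name reuses `my.test.app.com` from the question so the same name is what cert-manager writes and what the Ingress reads.

```yaml
# Added example: ClusterIssuer plus Ingress with cert-manager integration.
# Assumptions: cert-manager installed, ingress-nginx with class "nginx",
# Service "my-test-app" on port 80; e-mail address is a placeholder.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder, replace before use
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                  # HTTP-01 challenge served through ingress-nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-test-app
  annotations:
    # Tells cert-manager to create a Certificate for every host listed under spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - my.test.app.com
      # cert-manager writes tls.crt / tls.key here and rewrites them on renewal;
      # the ingress controller watches the Secret, so no pod restart is needed.
      secretName: my.test.app.com
  rules:
    - host: my.test.app.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-test-app
                port:
                  number: 80
```

With this in place the application Deployment from the question no longer needs the `secret-volume` mount or the `ssl_certificate` lines; TLS terminates at the ingress controller, which reloads the renewed key material from the Secret itself. To confirm a renewal has actually propagated, compare `kubectl describe certificate my.test.app.com` (the `Not After` time cert-manager reports) with the certificate the ingress serves, rather than trusting the mounted file in a pod.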
