
Configure SSL certificates in kubernetes with cert-manager istio ingress and LetsEncrypt

I am trying to configure SSL certificates in kubernetes with cert-manager, istio ingress and LetsEncrypt. I have installed istio with helm, installed cert-manager, created a ClusterIssuer, and now I am trying to create a Certificate. The ACME challenge cannot be validated; I am trying to use http01 and cannot figure out how to use istio ingress. Istio is deployed with the following options:

helm install --name istio install/kubernetes/helm/istio `
  --namespace istio-system `
  --set global.controlPlaneSecurityEnabled=true `
  --set grafana.enabled=true `
  --set tracing.enabled=true `
  --set kiali.enabled=true `
  --set ingress.enabled=true

Certificate configuration:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example.com
  namespace: istio-system
spec:
  secretName: example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: 'example.com'
  dnsNames:
  - example.com
  acme:
    config:
    - http01:
        ingress: istio-ingress
      domains:
      - example.com

When I try it this way, for some reason istio-ingress cannot be found, but when I try to specify ingressClass: some-name instead of ingress: istio-ingress, I get a 404 because example.com/.well-known/acme-challenge/token cannot be reached. How can I solve this? Thanks!

Istio ingress is deprecated; you can use the Ingress Gateway with a DNS challenge instead.

Define a generic public ingress gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

Create an issuer using one of the DNS providers supported by cert-manager. Here is the configuration for GCP CloudDNS:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    dns01:
      providers:
      - name: cloud-dns
        clouddns:
          serviceAccountSecretRef:
            name: cert-manager-credentials
            key: gcp-dns-admin.json
          project: my-gcp-project

Create a wildcard certificate with the following:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  secretName: istio-ingressgateway-certs
  issuerRef:
    name: letsencrypt-prod
  commonName: "*.example.com"
  acme:
    config:
    - dns01:
        provider: cloud-dns
      domains:
      - "*.example.com"
      - "example.com"

It takes a few minutes for the certificate to be issued:

kubectl -n istio-system describe certificate istio-gateway

Events:
  Type    Reason         Age    From          Message
  ----    ------         ----   ----          -------
  Normal  CertIssued     1m52s  cert-manager  Certificate issued successfully

You can find a step-by-step guide on setting up Istio ingress on GKE here: https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup

The solution was to move DNS to Azure and generate the certificate using DNS validation. I also used istio-1.1.0-rc.3 and configured the gateway as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - hosts:
    - 'mydomain.com'
    port:
      name: http-bookinfo
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'mydomain.com'
    port:
      name: https-bookinfo
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: "use sds" # random string, because serverCertificate and
                                   # privateKey are required for tls.mode=SIMPLE
      privateKey: "use sds"
      credentialName: "istio-bookinfo-certs-staging" # this must match the secret name
                                                      # from the certificate
To enable SDS on the ingress gateway:

helm template install/kubernetes/helm/istio/ --name istio `
  --namespace istio-system -x charts/gateways/templates/deployment.yaml `
  --set gateways.istio-egressgateway.enabled=false `
  --set gateways.istio-ingressgateway.sds.enabled=true > `
  $HOME/istio-ingressgateway.yaml
kubectl apply -f $HOME/istio-ingressgateway.yaml
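Added here as a practitioner's check, not part of either answer: a small Python script that compares an Istio Gateway manifest with the cert-manager Certificate meant to back it, covering both the SDS credentialName case (second answer) and the file-mounted istio-ingressgateway-certs case (first answer). Manifests are passed as dicts (what yaml.safe_load() returns); the sample manifests at the bottom are constructed, with a mis-cased secretName key to show what gets flagged.

```python
# Added example, not from the thread: a consistency check between an Istio Gateway and
# the cert-manager Certificate backing it. It flags a mis-cased `secretName` key, a
# credentialName (SDS) or mounted-secret name that does not match the Certificate's
# secretName, a wrong namespace, and a Gateway host the certificate's names do not cover.
MOUNTED_CERT_DIR = "/etc/istio/ingressgateway-certs/"  # file-mode TLS path, mounted from
MOUNTED_SECRET = "istio-ingressgateway-certs"          # this fixed secret name

def wildcard_covers(pattern: str, host: str) -> bool:
    """TLS wildcard rule: '*.example.com' matches exactly one extra label (not 'example.com')."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return pattern.lower() == host.lower()

def check_gateway_cert(gateway: dict, certificate: dict, gw_ns: str = "istio-system") -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings, spec = [], certificate.get("spec", {})
    secret = spec.get("secretName")
    if secret is None:
        typo = [k for k in spec if k.lower() == "secretname"]
        findings.append("Certificate spec.secretName is missing"
                        + (f" (found {typo[0]!r}; keys are case-sensitive)" if typo else ""))
    if certificate.get("metadata", {}).get("namespace") != gw_ns:
        findings.append(f"Certificate must live in {gw_ns!r}, the ingress gateway's namespace")
    names = set(spec.get("dnsNames", [])) | ({spec["commonName"]} if spec.get("commonName") else set())
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls", {})
        if tls.get("mode") != "SIMPLE":
            continue                                # plain HTTP / redirect-only listener
        expected = tls.get("credentialName")        # SDS: secret referenced by name
        if expected is None and tls.get("serverCertificate", "").startswith(MOUNTED_CERT_DIR):
            expected = MOUNTED_SECRET               # file mode: the secret name is fixed
        if expected != secret:
            findings.append(f"Gateway expects secret {expected!r}, Certificate writes {secret!r}")
        for host in server.get("hosts", []):       # '*' accepts any host: nothing to check
            if host != "*" and not any(wildcard_covers(n, host) for n in names):
                findings.append(f"Gateway host {host!r} not covered by {sorted(names)}")
    return findings

# Constructed sample: an SDS gateway paired with a Certificate whose secretName key is mis-cased.
GATEWAY = {"spec": {"servers": [
    {"hosts": ["mydomain.com"], "tls": {"httpsRedirect": True}},
    {"hosts": ["mydomain.com"], "tls": {"mode": "SIMPLE", "serverCertificate": "use sds",
     "privateKey": "use sds", "credentialName": "istio-bookinfo-certs-staging"}}]}}
CERT = {"metadata": {"name": "bookinfo", "namespace": "istio-system"},
        "spec": {"secretname": "istio-bookinfo-certs-staging", "dnsNames": ["mydomain.com"]}}
for finding in check_gateway_cert(GATEWAY, CERT):   # stand-alone run prints the two findings
    print("-", finding)
```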
