![](/img/trans.png)
[英]How do I expose a UDP service externally on Google Kubernetes Engine (GKE) using the ingress-nginx controller?
[英]How do I present letsencrypt certificates to Kubernetes nginx (GKE)?
我正在学习 Google Cloud 平台,尝试实施我的第一个项目,但在教程中迷路了。 我一直在尝试实施 nginx 入口。 我的入口卡在 CrashLoopBackoff 中,日志显示以下错误。
我知道如何使用 DockerCompose 完成这项任务,但这里不知道。
我从哪说起呢?
1#1: cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
我还不确定这是否有用,但我已经设置了证书颁发机构服务 ( https://cloud.google.com/certificate-authority-service/docs/best-practices )。
我建议在入口处使用证书管理器,而不是使用它并遵循 GCP CA 设置的设置。
Cert-manager 将从let's-encrypt CA获取TLS证书,cert-manager 将在 k8s 中创建秘密并将经过验证的证书存储到秘密中。
您可以根据主机在入口处附加秘密并使用它。
YAML 示例:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
您可以阅读此博客以获取参考: https://medium.com/@harsh.manvar111/kube.netes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.