[英]flux with linkerd and cert manager has issuer error
我正在为 tls 轮换安装带有通量和证书管理器的 linkerd helm verison
证书管理器拥有默认配置,因此没有太多可谈的
使用此配置的通量和链接器:
发布.yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: linkerd
namespace: linkerd
spec:
interval: 5m
values:
identity.issuer.scheme: kubernetes.io/tls
installNamespace: false
valuesFrom:
- kind: Secret
name: linkerd-trust-anchor
valuesKey: tls.crt
targetPath: identityTrustAnchorsPEM
chart:
spec:
chart: linkerd2
version: "2.11.2"
sourceRef:
kind: HelmRepository
name: linkerd
namespace: linkerd
interval: 1m
源代码.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: linkerd
namespace: linkerd
spec:
interval: 5m0s
url: https://helm.linkerd.io/stable
链接器信任锚.yaml
apiVersion: v1
data:
tls.crt: base64encoded
tls.key: base64encoded
kind: Secret
metadata:
name: linkerd-trust-anchor
namespace: linkerd
type: kubernetes.io/tls
它是由以下内容创建的:
step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure
发行者.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: linkerd-trust-anchor
namespace: linkerd
spec:
ca:
secretName: linkerd-trust-anchor
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-identity-issuer
namespace: linkerd
spec:
secretName: linkerd-identity-issuer
duration: 48h
renewBefore: 25h
issuerRef:
name: linkerd-trust-anchor
kind: Issuer
commonName: identity.linkerd.cluster.local
dnsNames:
- identity.linkerd.cluster.local
isCA: true
privateKey:
algorithm: ECDSA
usages:
- cert sign
- crl sign
- server auth
- client auth
现在到了协调的时候,我在 helmrelease 中遇到了这个错误
Helm install failed: execution error at (linkerd2/templates/identity.yaml:19:21): Please provide the identity issuer certificate
但是手动操作确实可以完美地工作
helm install linkerd2 \
--set-file identityTrustAnchorsPEM=ca.crt \
--set identity.issuer.scheme=kubernetes.io/tls \
--set installNamespace=false linkerd/linkerd2 \
-n linkerd
如果我有相同的设置但没有手动声明证书管理器和证书(使用不同的秘密名称,因为 linkerd 将自行创建它),它也可以工作,如下所示:
valuesFrom:
- kind: Secret
name: linkerd-trust-anchor
valuesKey: tls.crt
targetPath: identityTrustAnchorsPEM
- kind: Secret
name: linkerd-identity-issuer-2
valuesKey: tls.crt
targetPath: identity.issuer.tls.crtPEM
- kind: Secret
name: linkerd-identity-issuer-2
valuesKey: tls.key
targetPath: identity.issuer.tls.keyPEM
我错过了什么吗?
问题出在这里:
values:
identity.issuer.scheme: kubernetes.io/tls
它应该是:
values:
identity:
issuer:
scheme: kubernetes.io/tls
否则,helm 不会识别它,linkerd 会认为 schema 是 linkerd.io/tls,这与 kubernetes secret tls 的 schema 结构不匹配。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.