[英]SSL Certificates on Kubernetes Using ACME
我一直在關注本教程: https://cert-manager.io/docs/ ,在我安裝了我的證書管理器並確保它們使用 kubectl get pods --namespace cert-manager 運行之后,
cert-manager-5597cff495-l5hjs 1/1 Running 0 91m
cert-manager-cainjector-bd5f9c764-xrb2t 1/1 Running 0 91m
cert-manager-webhook-5f57f59fbc-q5rqs 1/1 Running 0 91m
然后,我按照本教程https://cert-manager.io/docs/configuration/acme/使用 ACME 頒發者配置了我的證書管理器。
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: aidenhsy@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt-staging
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
這是我的完整入口配置文件:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-srv
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
rules:
- host: www.hyhaus.xyz
http:
paths:
- path: /api/?(.*)
backend:
serviceName: devback-srv
servicePort: 4000
- path: /?(.*)
backend:
serviceName: devfront-srv
servicePort: 3000
---
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
service.beta.kubernetes.io/do-loadbalancer-hostname: 'www.hyhaus.xyz'
labels:
helm.sh/chart: ingress-nginx-2.0.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.32.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: aidenhsy@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt-staging
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
但是,當我瀏覽我的站點時,瀏覽器會發出警告:您的計算機操作系統不信任安全證書。 當我查看我的證書時,它顯示為自分配,這並不是我真正想要的。 我在這里做錯了嗎?
這是由nginx ingress controller
提供的證書占位符。 當您看到它時,這意味着端點沒有其他(專用)證書。
現在發生這種情況的第一個原因是您的Ingress
沒有必要的數據。 用這個更新它:
metadata:
annotations:
# which issuer to use
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
tls: # placing a host in TLS config indicates that a certificate should be created
- hosts:
- example.org
- www.example.org
- xyz.example.org
secretName: myingress-cert # cert-manager will store the created certificate in this secret
入口對象的文檔在這里。
如果上述方法沒有幫助,請嘗試文檔提供的故障排除步驟。 根據我的經驗,在大多數情況下檢查CertificateRequest
和Certificate
資源足以確定問題。
$ kubectl get certificate
$ kubectl describe certificate <certificate-name>
$ kubectl get certificaterequest
$ kubectl describe certificaterequest <CertificateRequest name>
請記住,這些對象是命名空間的,這意味着它們將與ingress
object 位於同一命名空間中。
為了保護 Ingress,首先您必須將 ClusterIssuer 添加到您的 Ingress 資源中,然后 cert-manager 將選擇它並為您創建證書資源。 Kind: ingress metadata: annotations: cert-manager.io/cluster-issuer: nameOfClusterIssuer
。
其次,您必須添加tls
<= 這表示 Cert-manager 通過 ClusterIssuer 創建證書(密鑰/證書對)。
第三,您必須在此處添加secretName: myingress
<= 證書管理器將存儲 tls 機密(在創建密鑰/證書對並為您存儲它們之后)..
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.