![](/img/trans.png)
[英]Two TLS certificate for two Nginx Ingress controller Azure K8s cluster
[英]Unable to self sign certificate nginx ingress k3s
我是 K3s 的新手,並且在這一步上掙扎了幾天。
環境: Ubuntu 20.04 | 沒有 Traefik 的 K3s 安裝。
K3s安裝腳本:
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -
Nginx入口安裝腳本
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install my-release nginx-stable/nginx-ingress
證書管理器安裝腳本
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.3.1 \
--set installCRDs=true
創建一個測試命名空間來玩kubectl create ns practice-cls
測試服務部署
apiVersion: apps/v1
kind: Deployment
metadata:
name: kuard
namespace: practice-cls
spec:
selector:
matchLabels:
app: kuard
replicas: 1
template:
metadata:
labels:
app: kuard
spec:
containers:
- image: gcr.io/kuar-demo/kuard-amd64:1
imagePullPolicy: Always
name: kuard
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: kuard
namespace: practice-cls
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
selector:
app: kuard
發行人
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
namespace: cert-manager
spec:
selfSigned: {}
服務入口
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard
namespace: practice-cls
annotations:
cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
spec:
tls:
- hosts:
- example.example.com
secretName: quickstart-example-tls
rules:
- host: example.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kuard
port:
number: 80
ingressClassName: nginx
# kubectl describe ing kuard -n practice-cls
Name: kuard
Labels: <none>
Namespace: practice-cls
Address: 10.227.224.141
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
quickstart-example-tls terminates example.example.com
Rules:
Host Path Backends
---- ---- --------
example.example.com
/ kuard:80 (10.42.0.76:8080)
Annotations: cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning AddedOrUpdatedWithWarning 6m9s nginx-ingress-controller Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type
我不知道這是否有什么問題, kuard圖像只是來自cert-manager
的教程服務。 我從上面的清單中得到了ERR_SSL_UNRECOGNIZED_NAME_ALERT
。
讓我知道是否有更多信息可以解決此問題。
感謝你們
經過一段時間的搜索和實驗,我設法通過以下方式處理這個問題:
使用K8s nginx ingress而不是nginx自己提供的官方入口
通過編輯 nginx 控制器的部署或在安裝時啟用該權限來啟用 SSL 直通
nginx 入口控制器(由Nginx公司生產)具有不支持 TLS 秘密的默認不透明秘密類型的挑剔代碼。 檢查您的“quickstart-example-tls”Secret 的類型是否設置為: kubernetes.io/tls或其列表中支持的類型之一。
// IsSupportedSecretType checks if the secret type is supported.
func IsSupportedSecretType(secretType api_v1.SecretType) bool {
return secretType == api_v1.SecretTypeTLS ||
secretType == SecretTypeCA ||
secretType == SecretTypeJWK ||
secretType == SecretTypeOIDC
}
社區支持的Kubernetes Nginx Ingress Controller沒有這個限制,支持Opaque secret 類型就好了。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.