flux with linkerd and cert manager has issuer error
I'm installing the Linkerd Helm version with Flux and cert-manager for TLS rotation.
cert-manager has the default configuration, so there is not much to say about it.
Flux and Linkerd use this configuration:
release.yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: linkerd
  namespace: linkerd
spec:
  interval: 5m
  values:
    identity.issuer.scheme: kubernetes.io/tls
    installNamespace: false
  valuesFrom:
    - kind: Secret
      name: linkerd-trust-anchor
      valuesKey: tls.crt
      targetPath: identityTrustAnchorsPEM
  chart:
    spec:
      chart: linkerd2
      version: "2.11.2"
      sourceRef:
        kind: HelmRepository
        name: linkerd
        namespace: linkerd
      interval: 1m
source.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: linkerd
  namespace: linkerd
spec:
  interval: 5m0s
  url: https://helm.linkerd.io/stable
linkerd-trust-anchor.yaml
apiVersion: v1
data:
  tls.crt: base64encoded
  tls.key: base64encoded
kind: Secret
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
type: kubernetes.io/tls
It was created with:
step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure
issuer.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
Now, at reconciliation time, I get this error in the HelmRelease:
Helm install failed: execution error at (linkerd2/templates/identity.yaml:19:21): Please provide the identity issuer certificate
But doing it manually works perfectly:
helm install linkerd2 \
--set-file identityTrustAnchorsPEM=ca.crt \
--set identity.issuer.scheme=kubernetes.io/tls \
--set installNamespace=false linkerd/linkerd2 \
-n linkerd
It also works if I have the same setup but without cert-manager, declaring the certificate manually (using a different secret name, since linkerd will create it on its own), like this:
  valuesFrom:
    - kind: Secret
      name: linkerd-trust-anchor
      valuesKey: tls.crt
      targetPath: identityTrustAnchorsPEM
    - kind: Secret
      name: linkerd-identity-issuer-2
      valuesKey: tls.crt
      targetPath: identity.issuer.tls.crtPEM
    - kind: Secret
      name: linkerd-identity-issuer-2
      valuesKey: tls.key
      targetPath: identity.issuer.tls.keyPEM
Am I missing something?
The problem is here:
  values:
    identity.issuer.scheme: kubernetes.io/tls
It should be:
  values:
    identity:
      issuer:
        scheme: kubernetes.io/tls
Otherwise helm won't recognise it, and linkerd will assume the scheme is linkerd.io/tls, which does not match the structure of a kubernetes tls secret.
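The mechanism behind the answer, as an added example (not code from the question, the answer, or the linkerd2 chart): `helm --set a.b.c=x` splits the key on dots into nested maps, but a YAML key `a.b.c` under `spec.values` is one literal key, so the chart's lookup of `.Values.identity.issuer.scheme` never finds it and falls through to the chart default. The helpers, the sample values, and the single chart default used here are constructed for this illustration.

```python
# Added example; helpers and sample values are constructed, not taken from the question, answer or chart.
import copy
from typing import Any, Dict, List

# Chart default the answer refers to (assumed to be the only default that matters here).
CHART_DEFAULTS: Dict[str, Any] = {"identity": {"issuer": {"scheme": "linkerd.io/tls"}}}
# Constructed from the question's release.yaml: a dotted key where a nested map was meant.
BROKEN_VALUES: Dict[str, Any] = {"identity.issuer.scheme": "kubernetes.io/tls", "installNamespace": False}

def find_dotted_keys(values: Dict[str, Any], prefix: str = "") -> List[str]:
    """Return the path of every map key, at any depth, that contains a literal dot."""
    found: List[str] = []
    for key, val in values.items():
        path = f"{prefix}{key}"
        if "." in key:
            found.append(path)
        if isinstance(val, dict):
            found.extend(find_dotted_keys(val, prefix=f"{path}/"))
    return found

def _deep_merge(dst: Dict[str, Any], src: Dict[str, Any]) -> Dict[str, Any]:
    """Merge src into dst in place, the way Helm layers user values over chart defaults."""
    for key, val in src.items():
        if isinstance(val, dict) and isinstance(dst.get(key), dict):
            _deep_merge(dst[key], val)
        else:
            dst[key] = val
    return dst

def expand_dotted_keys(values: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite {"a.b.c": x} into {"a": {"b": {"c": x}}}, as `helm --set a.b.c=x` would."""
    out: Dict[str, Any] = {}
    for key, val in values.items():
        nested = expand_dotted_keys(val) if isinstance(val, dict) else val
        node = out
        *parents, leaf = key.split(".")
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} collides with a scalar at {part!r}")
        if isinstance(nested, dict) and isinstance(node.get(leaf), dict):
            _deep_merge(node[leaf], nested)   # merge rather than clobber an existing map
        else:
            node[leaf] = nested
    return out

def effective_scheme(values: Dict[str, Any]) -> str:
    """Scheme identity.yaml actually sees once chart defaults are layered under the values."""
    merged = _deep_merge(copy.deepcopy(CHART_DEFAULTS), values)
    return merged["identity"]["issuer"]["scheme"]
```

Running `find_dotted_keys` over a HelmRelease's `spec.values` before committing it catches this class of mistake; `expand_dotted_keys` produces the nested form the answer gives.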