Certificate: two TLS certificates for two Nginx ingress controllers on an Azure K8s cluster

Tags: certificate, ssl-certificate, kubernetes-ingress, nginx-ingress, kubernetes-secrets

I have two ingress controllers: one in the default namespace with the default class nginx, and a second ingress controller with the class nginx-devices.

Cert-manager has been installed with Helm.

Using a ClusterIssuer and Ingress resource rules for routing, I managed to get a TLS certificate from Let's Encrypt for the first controller:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod
spec:
  acme:
    email: xx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Ingress routing:


apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: serviceA-ingress-rules
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - FirstService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: FirstService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceA
        backend:
          serviceName: serviceA
          servicePort: 80

However, for the second TLS certificate for the second ingress controller, the TLS secret does not get created.

ClusterIssuer:

# k8s/cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices
  namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
  acme:
    email: xxx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod-devices
    solvers:
    - http01:
        ingress:
          class: nginx-devices # ingress class of the second ingress controller

Ingress routing:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: devices-ingress-rules
  namespace: default # since all the services are in default namespace
  annotations:
    kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
    cert-manager.io/cluster-issuer: "letsencrypt-prod-devices" 
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - secondService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: secondService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceB
        backend:
          serviceName: serviceB
          servicePort: 80

Looking at the secrets, I can only see:

kubectl get secrets -n ingress-nginx-devices

NAME                                          TYPE                                  DATA   AGE
default-token-xzp95                           kubernetes.io/service-account-token   3      92m
nginx-ingress-devices-backend-token-pd4vf     kubernetes.io/service-account-token   3      64m
nginx-ingress-devices-token-qvvps             kubernetes.io/service-account-token   3      64m
sh.helm.release.v1.nginx-ingress-devices.v1   helm.sh/release.v1                    1      64m

while in the default namespace:

tls-secret                                          kubernetes.io/tls                     2      134m

Why is the second TLS secret not generated? What could be going wrong here?

Thanks a lot for your help :)

Answer:

Your second ClusterIssuer's namespace is: ingress-nginx-devices. Ideally it should be in the default namespace, because your ingress is in the default namespace.

Keep these three in the same namespace:

  • Ingress
  • ClusterIssuer
  • Service

If everything is fine, you will see the secret in the default namespace.

Also, in your ClusterIssuer:

privateKeySecretRef:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices

your secret name is: letsencrypt-prod-devices

but in the ingress it is: tls-secret

Keep it the same, otherwise it won't work.

Here is a complete example with the ClusterIssuer and Ingress kept in the same namespace. You can change the secret name and ClusterIssuer name as needed. The ClusterIssuer will create the secret automatically; just provide the secret name and the ClusterIssuer name in the ingress (matching).

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

Comments:

Check the server address (server:) of the second ClusterIssuer and whether it differs from the first ClusterIssuer. Staging certificates are mostly not validated, so you may get SSL/TLS certificate errors.

I'm not using any staging certificate, and the server addresses in both ClusterIssuers are the same ;) Sorry for the commented-out code. I replicated the same steps; from the browser, the certificate of the second ingress is generated by "Kubernetes Ingress Controller Fake Certificate", while the certificate of the first ingress controller is still valid, from Let's Encrypt. What could be the problem here?

Only if you are using https://acme-staging-v02.api.letsencrypt.org/directory, or the certificate is still in progress and will be updated in the secret. You can delete the secret, ClusterIssuer and ingress and try applying again.

I'm not using staging anywhere, where did you see that?

If you are using it anywhere, or the certificate is not generated because of an incorrect configuration of the ClusterIssuer and ingress.

No, I'm not using it anywhere; I'm using the same files I shared here. Let me delete the secrets, ClusterIssuer and ingress and see what the output is. Thanks :)
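As an added example (not part of the question or the answer), a small Python check of the wiring the answer describes, run over the question's own manifests transcribed into dicts: it flags a ClusterIssuer that carries a metadata.namespace (ignored, because ClusterIssuer is cluster-scoped), an Ingress whose ingress.class has no matching http01 solver in the ClusterIssuer it names, and, going one step beyond the answer, two Ingresses in the same namespace that request the same TLS secretName, which is the case for the question's two manifests (both use tls-secret in default). Field names are cert-manager's and Kubernetes' own; the dict transcription is constructed input.

```python
from collections import defaultdict

# The question's ClusterIssuers and Ingresses, transcribed into dicts (constructed
# input for this example; only the fields the checks look at are kept).
CLUSTER_ISSUERS = [
    {"metadata": {"name": "letsencrypt-prod"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"metadata": {"name": "letsencrypt-prod-devices", "namespace": "ingress-nginx-devices"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx-devices"}}}]}}},
]
INGRESSES = [
    {"metadata": {"name": "serviceA-ingress-rules", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "nginx",
                                  "cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["FirstService.cloudapp.azure.com"], "secretName": "tls-secret"}]}},
    {"metadata": {"name": "devices-ingress-rules", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "nginx-devices",
                                  "cert-manager.io/cluster-issuer": "letsencrypt-prod-devices"}},
     "spec": {"tls": [{"hosts": ["secondService.cloudapp.azure.com"], "secretName": "tls-secret"}]}},
]


def lint(issuers, ingresses):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    solver_classes = {}  # issuer name -> ingress classes it can solve HTTP-01 on
    for iss in issuers:
        name = iss["metadata"]["name"]
        if "namespace" in iss["metadata"]:
            # ClusterIssuer is cluster-scoped: a namespace in metadata is silently ignored
            findings.append(f"ClusterIssuer {name}: metadata.namespace is ignored")
        solver_classes[name] = {s["http01"]["ingress"]["class"]
                                for s in iss["spec"]["acme"]["solvers"] if "http01" in s}
    requested = defaultdict(list)  # (namespace, secretName) -> Ingress names
    for ing in ingresses:
        meta, ann = ing["metadata"], ing["metadata"].get("annotations", {})
        issuer = ann.get("cert-manager.io/cluster-issuer")
        cls = ann.get("kubernetes.io/ingress.class")
        if issuer not in solver_classes:
            findings.append(f"Ingress {meta['name']}: unknown ClusterIssuer {issuer}")
        elif cls not in solver_classes[issuer]:
            # the HTTP-01 challenge must be served by the controller that owns the host
            findings.append(f"Ingress {meta['name']}: class {cls} has no http01 solver in {issuer}")
        for tls in ing["spec"].get("tls", []):
            requested[(meta["namespace"], tls["secretName"])].append(meta["name"])
    for (ns, secret), names in requested.items():
        if len(names) > 1:
            # ingress-shim creates one Certificate per secretName, so two Ingresses cannot
            # each get their own certificate stored in the same Secret
            findings.append(f"Secret {ns}/{secret} requested by {', '.join(names)}")
    return findings
```

Running lint(CLUSTER_ISSUERS, INGRESSES) reports the ignored namespace on the second ClusterIssuer and the shared default/tls-secret; giving the second Ingress its own secretName clears the second finding.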