Two TLS certificates for two Nginx ingress controllers in an Azure K8s cluster

Tags: certificate, ssl-certificate, kubernetes-ingress, nginx-ingress, kubernetes-secrets

I have two ingress controllers: one in the default namespace with the default class nginx, and a second ingress controller with the ingress class nginx-devices. Cert-manager was installed with Helm. Using a ClusterIssuer and the Ingress resource rules that route the traffic, I managed to get a TLS certificate from Let's Encrypt for the first controller.

ClusterIssuer:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod
spec:
  acme:
    email: xx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Ingress routing:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: serviceA-ingress-rules
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - FirstService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: FirstService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceA
        backend:
          serviceName: serviceA
          servicePort: 80
However, when creating the second TLS certificate for the second ingress controller, the TLS secret is not created.

ClusterIssuer:
# k8s/cluster-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices
  namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
  acme:
    email: xxx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod-devices
    solvers:
    - http01:
        ingress:
          class: nginx-devices # ingress class of the second ingress controller
Ingress routing:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: devices-ingress-rules
  namespace: default # since all the services are in default namespace
  annotations:
    kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
    cert-manager.io/cluster-issuer: "letsencrypt-prod-devices"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - secondService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: secondService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceB
        backend:
          serviceName: serviceB
          servicePort: 80
Looking at the secrets, I can only see the following. kubectl get secrets -n ingress-nginx-devices:

NAME                                          TYPE                                  DATA   AGE
default-token-xzp95                           kubernetes.io/service-account-token   3      92m
nginx-ingress-devices-backend-token-pd4vf     kubernetes.io/service-account-token   3      64m
nginx-ingress-devices-token-qvvps             kubernetes.io/service-account-token   3      64m
sh.helm.release.v1.nginx-ingress-devices.v1   helm.sh/release.v1                    1      64m

while in the default namespace:

tls-secret   kubernetes.io/tls   2   134m

Why is the second TLS secret not generated? What could be going wrong here?
Thanks a lot for your help :)

Answer:

Your second ClusterIssuer's namespace is: ingress-nginx-devices. Ideally it should be in the default namespace, since your ingress is in the default namespace. Keep all three of them in the same namespace:

privateKeySecretRef:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices

Your secret name is: letsencrypt-prod-devices
but in the ingress it is: tls-secret
Keep them the same, otherwise it won't work.

Here is a complete example of a ClusterIssuer and Ingress kept in the same namespace. You can change the secret name and cluster issuer name as needed. The ClusterIssuer will create the secret automatically; you only need to provide the (matching) secret name and ClusterIssuer name in the ingress.

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

Comments:

Check the server address (server:) of the second ClusterIssuer; if it is different, check the first ClusterIssuer. Staging certificates are mostly not verified, so you may get SSL/TLS certificate errors.

I'm not using any staging certificate, and all the server addresses are the same in both ClusterIssuers ;) Sorry for the commented-out code. I replicated the same steps; in the browser, the certificate of the second ingress is the "Kubernetes Ingress Controller Fake Certificate", while the certificate of the first ingress controller is still valid, from Let's Encrypt. What could be wrong here?

Only if you are using https://acme-staging-v02.api.letsencrypt.org/directory somewhere, or else the certificate is still in progress and will be updated in the secret. You can delete the secret, ClusterIssuer and Ingress and try applying again.

I'm not using staging, where did you see that?

If you are using it anywhere it is wrong, or the certificate is not generated due to incorrect configuration of the ClusterIssuer and Ingress.

No, I'm not using it anywhere, I'm using the same files I shared here. Let me delete the secrets, ClusterIssuer and Ingress and see what the output is, thanks :)
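The following lint is an added example, not code from the question or the answer. It takes the manifests posted in the question (transcribed below as plain Python dicts, so it needs neither PyYAML nor cluster access) and reports the three things a practitioner would check before touching the ClusterIssuer: a metadata.namespace on a ClusterIssuer (a cluster-scoped resource, so the field is ignored), two Ingresses in the same namespace that name the same secretName for different hosts (cert-manager's ingress-shim manages one Certificate per namespace and secretName, so the two compete for it; this caveat is mine, the thread does not state it), and an HTTP-01 solver class that differs from the class of the controller serving the host. The finding texts and the helper name lint are my own.

```python
# Added lint, not part of the question or the answer: reads the manifests from the
# thread (transcribed as dicts) and reports conflicts that stop cert-manager's
# ingress-shim from issuing the second certificate. Runs offline.
from typing import Dict, List, Tuple

# Constructed from the question's manifests; only the fields the lint needs are kept.
CLUSTER_ISSUERS = [
    {
        "kind": "ClusterIssuer",
        "metadata": {"name": "letsencrypt-prod"},
        "spec": {"acme": {"privateKeySecretRef": {"name": "letsencrypt-prod"},
                          "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
    },
    {
        "kind": "ClusterIssuer",
        # namespace copied from the question: ignored on a cluster-scoped resource
        "metadata": {"name": "letsencrypt-prod-devices", "namespace": "ingress-nginx-devices"},
        "spec": {"acme": {"privateKeySecretRef": {"name": "letsencrypt-prod-devices"},
                          "solvers": [{"http01": {"ingress": {"class": "nginx-devices"}}}]}},
    },
]

INGRESSES = [
    {
        "metadata": {"name": "serviceA-ingress-rules", "namespace": "default",
                     "annotations": {"kubernetes.io/ingress.class": "nginx",
                                     "cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
        "spec": {"tls": [{"hosts": ["FirstService.cloudapp.azure.com"], "secretName": "tls-secret"}]},
    },
    {
        "metadata": {"name": "devices-ingress-rules", "namespace": "default",
                     "annotations": {"kubernetes.io/ingress.class": "nginx-devices",
                                     "cert-manager.io/cluster-issuer": "letsencrypt-prod-devices"}},
        "spec": {"tls": [{"hosts": ["secondService.cloudapp.azure.com"], "secretName": "tls-secret"}]},
    },
]


def lint(cluster_issuers: List[dict], ingresses: List[dict]) -> List[str]:
    """Return one finding per conflict; an empty list means the set is consistent."""
    findings: List[str] = []
    issuers = {ci["metadata"]["name"]: ci for ci in cluster_issuers}

    # 1. ClusterIssuer is cluster-scoped: the API server ignores metadata.namespace, so a
    #    namespace there only signals that per-namespace scoping was (wrongly) expected.
    for name, ci in issuers.items():
        if ci["metadata"].get("namespace"):
            findings.append(f"ClusterIssuer/{name}: metadata.namespace is ignored on a cluster-scoped resource")

    # 2. ingress-shim manages one Certificate per (namespace, secretName). Two Ingresses in the
    #    same namespace that name the same secret for different hosts fight over that one
    #    Certificate, so at most one host ends up with a valid certificate.
    owners: Dict[Tuple[str, str], str] = {}
    for ing in ingresses:
        ns = ing["metadata"].get("namespace", "default")
        name = ing["metadata"]["name"]
        for tls in ing["spec"].get("tls", []):
            owner = owners.setdefault((ns, tls["secretName"]), name)
            if owner != name:
                findings.append(f"Ingress/{ns}/{name}: secretName {tls['secretName']!r} is already "
                                f"used by Ingress/{ns}/{owner}; use a distinct secret per host")

    # 3. The issuer annotation must name a known ClusterIssuer, and its HTTP-01 solver class
    #    must match the controller that serves the host (the Ingress's own class here), or the
    #    challenge Ingress is served by the wrong controller and validation never completes.
    for ing in ingresses:
        ann = ing["metadata"].get("annotations", {})
        name = ing["metadata"]["name"]
        issuer = issuers.get(ann.get("cert-manager.io/cluster-issuer"))
        if issuer is None:
            findings.append(f"Ingress/{name}: cert-manager.io/cluster-issuer does not name a known ClusterIssuer")
            continue
        for solver in issuer["spec"]["acme"]["solvers"]:
            solver_class = solver.get("http01", {}).get("ingress", {}).get("class")
            if solver_class and solver_class != ann.get("kubernetes.io/ingress.class"):
                findings.append(f"Ingress/{name}: ingress class {ann.get('kubernetes.io/ingress.class')!r} "
                                f"differs from solver class {solver_class!r}")
    return findings


if __name__ == "__main__":
    for line in lint(CLUSTER_ISSUERS, INGRESSES):
        print(line)
```

Run against the question's manifests the lint reports two findings: the namespace on letsencrypt-prod-devices, and devices-ingress-rules reusing tls-secret already claimed by serviceA-ingress-rules in the default namespace; the solver classes already match their Ingress classes. Dropping the namespace field and giving the second Ingress its own secretName produces an empty result.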