Kubernetes - cert-manager - HashiCorp Vault - Certificate READY status is empty


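I created a ClusterIssuer that uses Vault and then issued a certificate through it, but the certificate's READY status is empty. Nothing shows up in the events or in the cert-manager pod logs. It has not created a secret either.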

kubectl get cert
NAMESPACE             NAME                 READY                          SECRET                                             AGE
default               example-com                                         example-com                                      139m
YAML:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: vault-clusterissuer
spec:
  vault:
    path: pki_int/sign/<role name>
    server: https://vault-cluster.example.com:8200
    caBundle: <base64 encoded cabundle pem>
    auth:
      appRole:
        path: approle
        roleId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 
        secretRef:
          name: cert-manager-vault-approle
          key: secretId
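Since it does not produce any messages or logs, I am not sure where to start troubleshooting.

Does the value of path in clusterissuer.yaml look right to you?

Thanks in advance.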

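The certificate condition Ready indicates that the certificate is ready for use.

It is defined as follows:

  • The target secret exists

  • The target secret contains a certificate that has not expired

  • The target secret contains a private key valid for the certificate

  • The commonName and dnsNames attributes match those specified on the Certificate

I think the problem is that the dnsNames defined in the certificate.yaml file are wrong:

Your certificate configuration file: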

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com 
  issuerRef:
    name: vault-clusterissuer
    kind: ClusterIssuer
  commonName: abc.example.com
  dnsNames:
  - abc.example.com
The dnsNames field should have the value www.abc.example.com, not abc.example.com.

The final version should look like this:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com 
  issuerRef:
    name: vault-clusterissuer
    kind: ClusterIssuer
  commonName: abc.example.com
  dnsNames:
  - www.abc.example.com
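Also remember that the path field is the Vault role path of the PKI backend, and server is the base URL of the Vault server. The path must use the Vault sign endpoint.

Please see: , .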

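Is your secret cert-manager-vault in the same namespace (default) as the ClusterIssuer? Could you also provide the output of the command: kubectl get clusterissuers -n default?

Yes, the secret cert-manager-vault-approle and the ClusterIssuer are both in the same namespace.
kubectl get secret,clusterissuer -n default | grep vault
secret/cert-manager-vault-approle                      Opaque   1   8m9s
clusterissuer.certmanager.k8s.io/vault-clusterissuer   7m6s

The problem was with cert-manager itself. After redeploying cert-manager from scratch, the problem was resolved.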
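
The four Ready conditions listed in the answer can be re-checked by hand with openssl. The script below is an added example, not part of the original thread or of cert-manager; check_ready is a hypothetical helper name, and it assumes tls.crt and tls.key have been extracted from the secret named in secretName.

```shell
#!/bin/sh
# Added example: re-check the Ready conditions by hand with openssl.
# Assumed inputs: tls.crt / tls.key extracted from the target secret, e.g.
#   kubectl get secret example-com -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
#   kubectl get secret example-com -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key
# check_ready is a hypothetical helper name, not a cert-manager command.
# Return codes: 0 all conditions hold, 1 secret data missing, 2 expired,
#               3 key does not match certificate, 4 commonName/dnsNames mismatch.
check_ready() {
  crt=$1; key=$2; cn=$3; shift 3          # remaining arguments: expected dnsNames

  # Condition 1: the target secret exists (both extracted files are non-empty).
  if [ ! -s "$crt" ] || [ ! -s "$key" ]; then
    echo "secret data missing"; return 1
  fi

  # Condition 2: the certificate has not expired.
  if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate expired or unreadable"; return 2
  fi

  # Condition 3: the private key belongs to the certificate (same public key).
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate"; return 3
  fi

  # Condition 4: commonName and every requested dnsName appear on the certificate.
  subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  case ",$subject," in
    *",CN=$cn,"*) ;;
    *) echo "commonName mismatch: $subject"; return 4 ;;
  esac
  sans=$(openssl x509 -in "$crt" -noout -text | grep -o 'DNS:[^,[:space:]]*')
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "DNS:$name"; then
      echo "dnsName missing from certificate: $name"; return 4
    fi
  done
  echo "all Ready conditions hold"
}
```

In the situation described in the question no secret was created, so the check stops at the first condition.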