Kubernetes: Certificate request from cert-manager stuck in OpenShift CRC (CodeReady Containers)
In an OpenShift CRC (CodeReady Containers) environment, I tried to use cert-manager with Let's Encrypt to request a certificate, but the certificate request gets stuck and ends up in a "Waiting" state.
My ClusterIssuer looks like:

    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: barry-letsencrypt
    spec:
      acme:
        email: me@abc.com
        http01: {}
        privateKeySecretRef:
          name: barry-letsencrypt-private-key
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
        - http01:
            ingress:
              class: nginx
          selector: {}

After running the above YAML file, the ClusterIssuer was created successfully.
My certificate looks like:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: cert-manager-test
    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
      name: example-com
      namespace: cert-manager-test
    spec:
      secretName: example-com-tls
      duration: 24h
      renewBefore: 12h
      commonName: example.com
      dnsNames:
      - example.com
      issuerRef:
        name: barry-letsencrypt
        kind: ClusterIssuer
        #kind: Issuer
        group: cert-manager.io

After running the above YAML file, I checked whether my secret object had been created, but tls.crt is 0 bytes:

    # oc -n cert-manager-test describe secret example-com-tls
    Name:         example-com-tls
    Namespace:    cert-manager-test
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: example-com
                  cert-manager.io/issuer-kind: ClusterIssuer
                  cert-manager.io/issuer-name: barry-letsencrypt

    Type:  kubernetes.io/tls

    Data
    ====
    ca.crt:   0 bytes
    tls.crt:  0 bytes
    tls.key:  1679 bytes

Then I checked the certificate status, which shows:

    # oc -n cert-manager-test describe certificate.cert-manager.io example-com
    Name:         example-com
    Namespace:    cert-manager-test
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1alpha2
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-01-21T21:53:43Z
      Generation:          1
      Resource Version:    11111249
      Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/cert-manager-test/certificates/example-com
      UID:                 7e1d5876-3c98-11ea-84cc-52fdfc072182
    Spec:
      Common Name:  example.com
      Dns Names:
        example.com
        www.example.com
      Duration:  24h0m0s
      Issuer Ref:
        Group:       cert-manager.io
        Kind:        ClusterIssuer
        Name:        barry-letsencrypt
      Renew Before:  12h0m0s
      Secret Name:   example-com-tls
    Status:
      Conditions:
        Last Transition Time:  2020-01-21T21:53:43Z
        Message:               Waiting for CertificateRequest "example-com-3700695519" to complete
        Reason:                InProgress
        Status:                False
        Type:                  Ready
    Events:
      Type    Reason        Age    From          Message
      ----    ------        ----   ----          -------
      Normal  GeneratedKey  7m41s  cert-manager  Generated a new private key
      Normal  Requested     7m41s  cert-manager  Created new CertificateRequest resource "example-com-3700695519"

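Obviously, the certificate request is stuck.
What is wrong here? Why does the certificate request end up in a waiting state? Is this caused by CodeReady Containers (I'm not sure whether CRC has a route for external access)?

Waiting for an answer :p
Mine was found :)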

    > kubectl get all -n cert-manager
    NAME  READY  STATUS  RESTARTS
    pod/cert-manager-6d5fd89bdf-ck46m  1/1  Running  0  3h22m
    pod/cert-manager-cainjector-7d47d59998-vdvjc  1/1  Running  0  3h22m
    pod/cert-manager-webhook-6559cc8549-llm8w  1/1  Running  0  3h22m

    NAME  TYPE  CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
    service/cert-manager  ClusterIP  10.0.245.56  9402/TCP  3h23m
    service/cert-manager-webhook  ClusterIP  10.0.159.178  443/TCP  3h22m

    NAME  READY  UP-TO-DATE  AVAILABLE  AGE
    deployment.apps/cert-manager  1/1  3h22m
    deployment.apps/cert-manager-cainjector  1/1  3h22m
    deployment.apps/cert-manager-webhook  1/1  3h22m

    NAME  DESIRED  CURRENT  READY  AGE
    replicaset.apps/cert-manager-6d5fd89bdf  1  3h22m
    replicaset.apps/cert-manager-cainjector-7d47d59998  1  3h22m
    replicaset.apps/cert-manager-webhook-6559cc8549  1  3h22m

    > kubectl logs -f cert-manager-6d5fd89bdf-ck46m -n cert-manager
    I0201 21:48:27.272279 1 controller.go:129] cert-manager/controller/certificates "msg"="syncing item" "key"="kube-system/tls-secret"
    I0201 21:48:27.272351 1 sync.go:57] cert-manager/controller/certificates "msg"="certificate resource not found for key" "key"="kube-system/tls-secret"
    I0201 21:48:27.272492 1 controller.go:135] cert-manager/controller/certificates "msg"="finished processing work item" "key"="kube-system/tls-secret"

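
One way to find which resource the issuance above is actually waiting on, as an added example that is not part of the original posts: the Certificate only says it is waiting for its CertificateRequest, so this walks cert-manager's ownership chain (Certificate, CertificateRequest, Order, Challenge) over the JSON from `oc get certificate,certificaterequest,order,challenge -n cert-manager-test -o json`. The Order and Challenge objects, their names and the reason text in the sample are constructed for illustration.

```python
# Added example, not from the original post. Walks the cert-manager ownership
# chain Certificate -> CertificateRequest -> Order -> Challenge and returns the
# deepest unfinished resource, which is where the failure reason is recorded.

def is_done(item):
    status = item.get("status", {})
    if item["kind"] in ("Order", "Challenge"):   # ACME resources expose status.state
        return status.get("state") == "valid"
    return any(c["type"] == "Ready" and c["status"] == "True"
               for c in status.get("conditions", []))

def explain(item):
    status = item.get("status", {})
    if item["kind"] in ("Order", "Challenge"):
        return status.get("reason") or status.get("state") or "no status yet"
    ready = [c for c in status.get("conditions", []) if c["type"] == "Ready"]
    return ready[0].get("message", "") if ready else "no Ready condition yet"

def owned_by(item, parent):
    return any(o["kind"] == parent["kind"] and o["name"] == parent["metadata"]["name"]
               for o in item["metadata"].get("ownerReferences", []))

def find_blocker(items, cert_name):
    """items: the "items" list of the `oc get ... -o json` output named above."""
    current = next(i for i in items
                   if i["kind"] == "Certificate" and i["metadata"]["name"] == cert_name)
    if is_done(current):
        return None
    while True:
        pending = [i for i in items if owned_by(i, current) and not is_done(i)]
        if not pending:
            return current["kind"], current["metadata"]["name"], explain(current)
        current = pending[0]

def _obj(kind, name, owner, status):             # builder for the constructed sample
    refs = [{"kind": owner[0], "name": owner[1]}] if owner else []
    return {"kind": kind, "metadata": {"name": name, "ownerReferences": refs}, "status": status}

def _not_ready(msg):
    return {"conditions": [{"type": "Ready", "status": "False", "message": msg}]}

# Constructed sample: the first two objects mirror the question; the Order and
# Challenge names and the reason text are made up for illustration.
SAMPLE = [
    _obj("Certificate", "example-com", None,
         _not_ready('Waiting for CertificateRequest "example-com-3700695519" to complete')),
    _obj("CertificateRequest", "example-com-3700695519", ("Certificate", "example-com"),
         _not_ready("constructed: waiting on order")),
    _obj("Order", "constructed-order", ("CertificateRequest", "example-com-3700695519"),
         {"state": "pending"}),
    _obj("Challenge", "constructed-challenge", ("Order", "constructed-order"),
         {"state": "pending", "reason": "constructed: HTTP-01 self check cannot reach the host"}),
]
```

If only the Certificate exists so far, `find_blocker` returns the Certificate itself with its Ready message, matching what `oc describe` shows in the question.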