SSLCertificateCouldNotParseCert - Error syncing to GCP


I have Terraform code that deploys the frontend application, using a Helm chart that contains the following ingress.yaml.

ingress.yaml

{{- if .Values.ingress.enabled -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ .Values.global.namespace }}-ingress
  namespace: {{ .Values.global.namespace }}
  labels:
    {{- include "test-frontend.labels" . | nindent 4 }}
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.allow-http: "false"
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            backend:
              serviceName: {{ .servicename }}
              servicePort: {{ .serviceport }}
          {{- end }}
    {{- end }}
  {{- end }}
values.yaml

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.regional-static-ip-name : "ingress-internal-static-ip"
    kubernetes.io/ingress.allow-http: "false"
  hosts:
    - host: test-dev.test.com
      paths:
      - path: "/*"
        servicename: test-frontend-service
        serviceport: 80
      - path: "/api/*"
        servicename: test-backend-service
        serviceport: 80
  tls:
  - hosts:
    - test-dev.test.com
    secretName: ingress-tls-credential-file
    type: kubernetes.io/tls
    crt: <<test.pem value>>
    key: <<test.key value>>
secret.yaml

{{- if .Values.ingress.tls }}
{{- $namespace := .Values.global.namespace }}
{{- range .Values.ingress.tls }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .secretName }}
  namespace: {{ $namespace }}
  labels:
    {{- include "test-frontend.labels" $ | nindent 4 }}
type: {{ .type }}
data:
  tls.crt: {{ toJson .crt | b64enc | quote }}
  tls.key: {{ toJson .key | b64enc | quote }}
{{- end }}
{{- end }}
The certificate is passed to helm -> template -> secret.yaml, which creates the secret (ingress-tls-credential-file).

We get the following error under GCP -> Kubernetes Engine -> Services & Ingress. How do I pass the certificate and key files in through the values.yaml file?

Error syncing to GCP: error running load balancer syncing routine: loadbalancer 6370cwdc isp ingress ixjheqwi does not exist: Cert creation failures - k8s2-cr-6370cwdc-q0ndkz9m629eictm-ca5d0f56ba7fe415 Error:googleapi: Error 400: The SSL certificate could not be parsed., sslCertificateCouldNotParseCert


You seem to be mixing up the secret and the direct definition. You first need to create the
ingress-tls-credential-file
secret, and then reference it from the ingress definition, as shown in the example.

Then clean up your ingress:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.regional-static-ip-name : "ingress-internal-static-ip"
    kubernetes.io/ingress.allow-http: "false"
  hosts:
    - host: test-dev.test.com
      paths:
      - path: "/*"
        servicename: test-frontend-service
        serviceport: 80
      - path: "/api/*"
        servicename: test-backend-service
        serviceport: 80
  tls:
  - hosts:
    - test-dev.test.com
    secretName: ingress-tls-credential-file
    type: kubernetes.io/tls
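The error in the question ("The SSL certificate could not be parsed") means that whatever ended up in the Secret's tls.crt was not a PEM certificate, and the answer's advice is to create the kubernetes.io/tls Secret first and only reference it by secretName from the Ingress. A practical check for both is to decode the Secret's data values and confirm they are real PEM blocks before the GCE ingress controller tries to upload them. The script below is an added example, not code from the question, the answer, or any GCP or Helm project: it builds a Secret data value the way `kubectl create secret tls` does (plain base64 of the file bytes), builds one the way the question's template does (`toJson .crt | b64enc`, which base64-encodes a JSON string literal, so the decoded value starts with a double quote and contains literal `\n` pairs instead of newlines), and runs a structural PEM check over both. The PEM bodies, function names and the label lists are constructed for the example; the check is structural only and does not parse X.509.

```python
"""Sanity-check the tls.crt / tls.key values of a kubernetes.io/tls Secret.

Added example, not code from the question or the answer. The PEM bodies below
are constructed placeholders (a minimal ASN.1 SEQUENCE), not real key material.
"""
import base64
import json
import re

# PEM armor: BEGIN/END labels must match and the body must be base64 lines.
PEM_RE = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+)-----END \1-----\n?$"
)
CERT_LABELS = ("CERTIFICATE",)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")

# Constructed placeholder DER payload: SEQUENCE { INTEGER 5 }. Not a real
# certificate or key; it only exercises the structural checks below.
_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
SAMPLE_CRT = f"-----BEGIN CERTIFICATE-----\n{_DER_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_DER_B64}\n-----END PRIVATE KEY-----\n"


def secret_data_from_pem(pem_text: str) -> str:
    """What `kubectl create secret tls --cert/--key` stores: base64 of the raw file bytes."""
    return base64.b64encode(pem_text.encode()).decode()


def secret_data_from_tojson(pem_text: str) -> str:
    """What `{{ toJson .crt | b64enc }}` in the question's secret.yaml stores:
    base64 of a JSON string literal, i.e. the PEM wrapped in double quotes with
    every newline escaped as the two characters backslash-n."""
    return base64.b64encode(json.dumps(pem_text).encode()).decode()


def check_pem_value(b64_value: str, allowed_labels: tuple) -> tuple:
    """Decode one Secret data value and report (ok, reason).

    Structural check only: PEM armor, base64 body, DER starting with an ASN.1
    SEQUENCE tag. It does not validate the X.509 contents or the key type.
    """
    try:
        decoded = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"value is not valid base64 text: {exc}"
    if decoded.startswith('"'):
        return False, "decoded value is a JSON string literal, not PEM (passed through toJson?)"
    m = PEM_RE.match(decoded)
    if not m:
        return False, "decoded value has no matching PEM BEGIN/END armor"
    label, body = m.group(1), m.group(2)
    if label not in allowed_labels:
        return False, f"PEM label {label!r} not in {allowed_labels}"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:
        return False, f"PEM body is not valid base64: {exc}"
    if not der or der[0] != 0x30:
        return False, "DER payload does not start with an ASN.1 SEQUENCE (0x30)"
    return True, "ok"


def check_tls_secret(data: dict) -> dict:
    """Check the `data` map of a kubernetes.io/tls Secret; returns {key: (ok, reason)}."""
    return {
        "tls.crt": check_pem_value(data.get("tls.crt", ""), CERT_LABELS),
        "tls.key": check_pem_value(data.get("tls.key", ""), KEY_LABELS),
    }


if __name__ == "__main__":
    good = {"tls.crt": secret_data_from_pem(SAMPLE_CRT),
            "tls.key": secret_data_from_pem(SAMPLE_KEY)}
    bad = {"tls.crt": secret_data_from_tojson(SAMPLE_CRT),
           "tls.key": secret_data_from_tojson(SAMPLE_KEY)}
    for name, data in (("kubectl-style secret", good), ("toJson-rendered secret", bad)):
        print(name)
        for key, (ok, reason) in check_tls_secret(data).items():
            print(f"  {key}: {'OK' if ok else 'FAIL'} - {reason}")
```

To run it against a deployed Secret, take the `.data` map from `kubectl get secret ingress-tls-credential-file -o json` and pass it to `check_tls_secret`. The kubectl-style values pass, while the toJson-rendered values fail on the leading double quote, which is the kind of content the load balancer cannot parse as a certificate; in a Helm template the fix is to base64-encode the raw PEM (`b64enc` alone) or, as the answer suggests, to create the Secret outside the chart and only reference it by secretName.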

For Google to accept your certificate and key files, you need to make sure they are formatted as required by the following steps:

  • You first need to format them with GCP and create one file from the files you already have.
  • Then you need to complete a few more steps to make sure you have all the parameters the .yaml file needs, and that you have the right services able to accept the information from that file (you may already have done these):

  • Enable the Kubernetes Engine API by running the following command:
  • Create a GKE cluster:
    • The cluster is created in BACKEND_SUBNET_NAME
    • The cluster uses GKE version 1.18.9-gke.801 or later
    • The cluster is created with the cloud-platform scope
    • The cluster is created with the service account you want to use to run the application
    • The cluster uses the n1-standard-4 machine type or larger
  • Enable IAP by performing the following steps:
    • Convert the ID and Secret to base64 by running the following command:
  • Create an internal static IP address and reserve the static IP address for the load balancer:

    gcloud compute addresses create STATIC_ADDRESS_NAME \
        --region=REGION --subnet=BACKEND_SUBNET_NAME \
        --project=PROJECT_ID

  • Get the static IP address by running the following command:

    gcloud compute addresses describe STATIC_ADDRESS_NAME \
        --region=REGION \
        --project=PROJECT_ID

  • Create the values YAML file by copying gke_internal_ip_config_example.YAML and renaming it to PROJECT_ID_gke_config.YAML:

    clientIDEncoded: the base64-encoded client ID from the previous step.
    clientSecretEncoded: the base64-encoded client secret from the previous step.
    certificate.name: the name of the certificate you created earlier.
    initialEmail: the email of the initial user who will set up custom governance.
    staticIpName: the name of the static address created earlier.

After completing the above steps, try the deployment again.

I have updated the code. From the values.yaml file, the SSL certificate is sent to the secret.yaml template file, which creates the secret for the SSL certificate.