Two TLS certificates for two Nginx ingress controllers on an Azure K8s cluster

Problem description

I have two ingress controllers: one in the nginx namespace with the default class, and a second ingress controller with the nginx class nginx-devices.

Cert-manager has been installed with Helm.

I managed to obtain a TLS certificate from Let's Encrypt for the first controller, using a ClusterIssuer and an Ingress resource with the routing rules.


apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod
spec:
  acme:
    email: xx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Ingress routing:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: serviceA-ingress-rules
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - FirstService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: FirstService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceA
        backend:
          serviceName: serviceA
          servicePort: 80

However, when I try to create a second TLS certificate for the second ingress controller, no TLS secret is created.

ClusterIssuer

# k8s/cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices
  namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
  acme:
    email: xxx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod-devices
    solvers:
    - http01:
        ingress:
          class: nginx-devices # ingress class of the second ingress controller

Ingress routing:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: devices-ingress-rules
  namespace: default # since all the services are in the default namespace
  annotations:
    kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
    cert-manager.io/cluster-issuer: "letsencrypt-prod-devices"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - secondService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: secondService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceB
        backend:
          serviceName: serviceB
          servicePort: 80

Listing the secrets, I only see the following: kubectl get secrets -n ingress-nginx-devices

NAME                                          TYPE                                  DATA   AGE
default-token-xzp95                           kubernetes.io/service-account-token   3      92m
nginx-ingress-devices-backend-token-pd4vf     kubernetes.io/service-account-token   3      64m
nginx-ingress-devices-token-qvvps             kubernetes.io/service-account-token   3      64m
sh.helm.release.v1.nginx-ingress-devices.v1   helm.sh/release.v1                    1      64m

In the default namespace:

tls-secret                                          kubernetes.io/tls                     2      134m

Why is the second tls-secret not generated? What could be going wrong here?

Thanks for any help :)

Solution

Your second cluster issuer namespace is: ingress-nginx-devices. Ideally it should be in the default namespace, since your ingress is in the default namespace.

Keep these three in the same namespace:

  1. Ingress
  2. ClusterIssuer
  3. Service

If everything is working, you will see the secret in the default namespace.

Also, in the YAML of your clusterissuer:

privateKeySecretRef:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices

Your secret name is: letsencrypt-prod-devices

but in the ingress it is: tls-secret

Keep them the same, otherwise it will not work.

Sharing here a complete example with the clusterissuer and ingress kept in the same namespace. You can change the secret name and the cluster issuer name as needed. The clusterissuer creates the secret automatically; just give the secret name and the clusterissuer name in the ingress (they must match).

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name
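As an added example (not code from the question or the answer above), the following script is an offline lint for the wiring between ClusterIssuers and Ingresses in a two-controller setup like the one in the question. It encodes three facts a practitioner checks before reading logs: a ClusterIssuer is cluster-scoped, so a namespace in its metadata has no effect; an HTTP-01 solver's ingress class must match the class of the controller that serves the Ingress requesting the certificate; and cert-manager's ingress-shim creates the TLS secret named by `secretName` in the Ingress's own namespace (not the controller's), naming the Certificate after that secret, so two Ingresses in one namespace must not share a `secretName`. The manifests are the question's YAML re-typed as Python dicts (constructed here, with lowercase hostnames), the shape `yaml.safe_load_all()` would return; the function names and the annotation constants are assumptions of this example.

```python
"""Offline lint for cert-manager ingress-shim wiring with two ingress controllers.

Added example for this thread; it is not code from the question or the answer.
The manifests below are the question's YAML reduced to the fields the checks
need, re-typed as dicts (constructed) so the script runs without kubectl or
PyYAML; real use would feed it the output of yaml.safe_load_all() instead.
"""

INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

# Constructed from the question's manifests.
QUESTION_MANIFESTS = [
    {"kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-prod"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "letsencrypt-prod"},
                       "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-prod-devices",
                  "namespace": "ingress-nginx-devices"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "letsencrypt-prod-devices"},
                       "solvers": [{"http01": {"ingress": {"class": "nginx-devices"}}}]}}},
    {"kind": "Ingress",
     "metadata": {"name": "serviceA-ingress-rules", "namespace": "default",
                  "annotations": {INGRESS_CLASS_ANNOTATION: "nginx",
                                  ISSUER_ANNOTATION: "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["firstservice.cloudapp.azure.com"],
                       "secretName": "tls-secret"}]}},
    {"kind": "Ingress",
     "metadata": {"name": "devices-ingress-rules", "namespace": "default",
                  "annotations": {INGRESS_CLASS_ANNOTATION: "nginx-devices",
                                  ISSUER_ANNOTATION: "letsencrypt-prod-devices"}},
     "spec": {"tls": [{"hosts": ["secondservice.cloudapp.azure.com"],
                       "secretName": "tls-secret"}]}},
]


def solver_classes(issuer):
    """Ingress classes named by the issuer's HTTP-01 solvers."""
    solvers = issuer["spec"]["acme"].get("solvers", [])
    return {s["http01"]["ingress"].get("class") for s in solvers if "http01" in s}


def expected_tls_secrets(ingress):
    """(namespace, secretName) for each tls entry: where ingress-shim will write.

    The certificate secret lands in the Ingress's own namespace, never in the
    namespace of the ingress controller or of cert-manager.
    """
    ns = ingress["metadata"].get("namespace", "default")
    return [(ns, t["secretName"]) for t in ingress["spec"].get("tls", [])]


def lint(manifests):
    """Return findings (strings) for the ClusterIssuer <-> Ingress wiring."""
    findings = []
    issuers = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterIssuer"}

    for name, issuer in issuers.items():
        # ClusterIssuer is cluster-scoped: a namespace in its metadata has no
        # effect, and the ACME account key goes into cert-manager's namespace.
        if issuer["metadata"].get("namespace"):
            findings.append(f"ClusterIssuer/{name}: metadata.namespace is ignored "
                            "(cluster-scoped resource)")

    owners = {}  # (namespace, secretName) -> first Ingress that claimed it
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        ns = ing["metadata"].get("namespace", "default")
        ref = f"Ingress/{ns}/{ing['metadata']['name']}"
        ann = ing["metadata"].get("annotations", {})
        issuer = issuers.get(ann.get(ISSUER_ANNOTATION))
        if issuer is None:
            findings.append(f"{ref}: {ISSUER_ANNOTATION} names no existing ClusterIssuer")
        elif ann.get(INGRESS_CLASS_ANNOTATION) not in solver_classes(issuer):
            # The HTTP-01 challenge Ingress gets the solver's class; if that is
            # not the class of the controller serving this host, no controller
            # answers the challenge and the order never completes.
            findings.append(f"{ref}: class {ann.get(INGRESS_CLASS_ANNOTATION)!r} is not "
                            f"served by any HTTP-01 solver of ClusterIssuer/{issuer['metadata']['name']}")
        for key in expected_tls_secrets(ing):
            # ingress-shim names the Certificate after secretName, so two
            # Ingresses in one namespace sharing a secretName fight over it.
            if key in owners:
                findings.append(f"{ref}: secretName {key[1]!r} already claimed by {owners[key]} "
                                "in the same namespace; use a distinct secretName per Ingress")
            else:
                owners[key] = ref
    return findings


if __name__ == "__main__":
    for line in lint(QUESTION_MANIFESTS):
        print(line)
```

Run against the question's manifests it reports two findings: the namespace on `letsencrypt-prod-devices` is ignored, and `devices-ingress-rules` reuses `tls-secret`, which `serviceA-ingress-rules` in the same namespace already owns. The second point is why looking in `ingress-nginx-devices` for the new secret finds nothing: the secret would be created in `default`, and there it collides with the first Ingress's certificate.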