Problem description
I am trying to deploy ingress routes in Kubernetes by following these guides:
- https://cert-manager.io/docs/tutorials/acme/ingress/
- https://docs.microsoft.com/en-us/azure/aks/ingress-static-ip
I have deployed a ClusterIssuer:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <Myemail>
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
          podTemplate:
            spec:
              nodeSelector:
                "kubernetes.io/os": linux
```

Then I deployed the ingress:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: airflow-ingress
  namespace: airflow6
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencryp
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - <MYhost>
    secretName: tls-secret1
  rules:
  - host: <MYhost>
    http:
      paths:
      - path: /
        backend:
          serviceName: airflow-web
          servicePort: 8080
```

Then, if I try to get the certificate:

```
kubectl describe certificate tls-secret1 --namespace airflow6
Error from server (NotFound): certificates.cert-manager.io "tls-secret1" not found
```

I tried deploying my own certificate:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret1
  namespace: airflow6
spec:
  secretName: tls-secret1
  dnsNames:
  - <MYhost>
  issuerRef:
    name: letsencrypt
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    group: cert-manager.io
```

Then I ran the same command:

```
kubectl describe certificate tls-secret1 --namespace airflow6
Name:         tls-secret1
Namespace:    airflow6
Labels:       <none>
Annotations:
API Version:  cert-manager.io/v1beta1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-10-12T10:50:25Z
  Generation:          1
  Resource Version:    9408916
  Self Link:           /apis/cert-manager.io/v1beta1/namespaces/airflow6/certificates/quickstart-example-tls
  UID:                 5c4f06e2-bb61-4eed-8999-58540d4055ce
Spec:
  Dns Names:
    <Myhost>
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt
  Secret Name:  tls-secret1
Status:
  Conditions:
    Last Transition Time:        2020-10-12T10:50:25Z
    Message:                     Issuing certificate as Secret does not exist
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2020-10-12T10:50:25Z
    Message:                     Issuing certificate as Secret does not exist
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  tls-secret1
Events:
  Type    Reason     Age                      From          Message
  ----    ------     ----                     ----          -------
  Normal  Issuing    3m8s                     cert-manager  Issuing certificate as Secret does not exist
  Normal  Requested  3m8s                     cert-manager  Created new CertificateRequest resource "quickstart-example-tls-hl7vk"
  Normal  Requested  <invalid>                cert-manager  Created new CertificateRequest resource "quickstart-example-tls-vqmbh"
  Normal  Generated  <invalid> (x3 over 3m8s) cert-manager  Stored new private key in temporary Secret resource "quickstart-example-tls-fgvn6"
  Normal  Requested  <invalid>                cert-manager  Created new CertificateRequest resource "quickstart-example-tls-5gg9l"
```

I don't know whether I need to create a secret like this:

```yaml
apiVersion: v1
kind: Secret
name: example-tls
namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
```

But I really don't know what I have to put in `tls.key` and `tls.crt`. In all the guides I have read, I see that a certificate is created automatically when the ingress route is deployed, but that does not work for me. What is going on?
Solution
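No, you are not supposed to create the TLS secret yourself. When you put the secret name in the tls section of the Ingress rule, the issuer itself creates the corresponding secret during DNS verification, in the namespace in which the Ingress rule was created.
To cross-check the configuration you created, or to create a new one, you can refer to this
You can then follow this Stack Overflow post, which may help you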
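A pre-flight check of what cert-manager's ingress-shim needs before it creates the Certificate and Secret the answer describes, written as an added example (not from the original post or from cert-manager's code). It assumes cert-manager v0.11 or later, where the API group is `cert-manager.io` as in the question's ClusterIssuer; the function names and `host.example` are made up, and the `kubernetes.io/tls-acme` default-issuer path and issuer namespaces are not modelled.

```python
# Added example: checks an Ingress manifest (as a dict) for the conditions
# under which ingress-shim will create a Certificate for its tls section.
ISSUER_ANNOTATIONS = {                      # annotation key -> issuer kind
    "cert-manager.io/cluster-issuer": "ClusterIssuer",
    "cert-manager.io/issuer": "Issuer",
}
LEGACY_PREFIX = "certmanager.k8s.io/"       # API group before cert-manager v0.11


def check_ingress(ingress, issuers):
    """Return a list of findings; an empty list means ingress-shim can act.

    issuers: set of (kind, name) tuples for issuers that exist in the cluster.
    """
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    for key in annotations:
        if key.startswith(LEGACY_PREFIX):
            findings.append(f"legacy annotation ignored: {key}")
    refs = [(ISSUER_ANNOTATIONS[k], v) for k, v in annotations.items()
            if k in ISSUER_ANNOTATIONS]
    if not refs:
        findings.append("no cert-manager.io issuer annotation")
    for kind, name in refs:
        if (kind, name) not in issuers:
            findings.append(f"{kind} '{name}' not found")
    tls = ingress.get("spec", {}).get("tls") or []
    if not tls:
        findings.append("spec.tls is empty")
    for entry in tls:
        if not entry.get("secretName"):
            findings.append("tls entry without secretName")
        if not entry.get("hosts"):
            findings.append("tls entry without hosts")
    return findings


def ingress_for(annotations):
    # Constructed sample shaped like the Ingress in the question.
    return {"metadata": {"name": "airflow-ingress", "namespace": "airflow6",
                         "annotations": annotations},
            "spec": {"tls": [{"hosts": ["host.example"],
                              "secretName": "tls-secret1"}]}}


DEPLOYED = {("ClusterIssuer", "letsencrypt")}
AS_POSTED = ingress_for({"certmanager.k8s.io/cluster-issuer": "letsencryp"})
ADJUSTED = ingress_for({"cert-manager.io/cluster-issuer": "letsencrypt"})

if __name__ == "__main__":
    print(check_ingress(AS_POSTED, DEPLOYED))
    print(check_ingress(ADJUSTED, DEPLOYED))
```

An empty result only says the Ingress is eligible; the HTTP-01 challenge still has to succeed before the Secret is populated.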