问题描述
我鼓励在GKE上为WSO2 API管理设置TLS Cert-Manager控制器时遇到问题。
我正在使用Helm Chart来从WSO2 Private Docker Registry获得WSO2产品Docker映像,该映像用于在Github(README)上部署WSO2 API Manager和WSO2 API Manager Analytics。并且我成功地将NSO的Nginx Ingress Controller(deploy-a-nginx-ingress-and-a-certitificate-manager-controller-on-gke)部署到了WSO2 API管理器中。
我想使用Nginx Ingress Controller在Google Cloud Platform上创建Kubernetes集群,以与证书管理器集成以自动执行颁发过程并续订所需的证书。
我可以从同一媒体教程(deploy-a-nginx-ingress-and-a-certitificate-manager-controller-on-gke)轻松地在GKE for HelloWorld示例上复制TLS Cert-Manager控制器。
hello-app-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
Metadata:
annotations:
cert-manager.io/issuer: letsencrypt-production
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"networking.k8s.io/v1beta1","kind":"Ingress","Metadata":{"annotations":{"cert-manager.io/issuer":"letsencrypt-production","kubernetes.io/ingress.class":"Nginx","Nginx.ingress.kubernetes.io/ssl-redirect":"true"},"name":"hello-app-ingress","namespace":"default"},"spec":{"rules":[{"host":"test.japangly.xyz","http":{"paths":[{"backend":{"serviceName":"hello-app","servicePort":8080},"path":"/helloworld"}]}}],"tls":[{"hosts":["test.japangly.xyz"],"secretName":"test-japangly-xyz-tls"}]}}
kubernetes.io/ingress.class: Nginx
Nginx.ingress.kubernetes.io/ssl-redirect: "true"
creationTimestamp: "2020-08-30T04:27:12Z"
generation: 3
name: hello-app-ingress
namespace: default
resourceVersion: "6478"
selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/hello-app-ingress
uid: ea2d8b13-e9b6-4cb0-873d-76ed40253e4f
spec:
rules:
- host: test.japangly.xyz
http:
paths:
- backend:
serviceName: hello-app
servicePort: 8080
path: /helloworld
tls:
- hosts:
- test.japangly.xyz
secretName: test-japangly-xyz-tls
status:
loadBalancer:
ingress:
- ip: 35.239.145.46
但是,我无法正常使用WSO2 API管理
Kubernetes入口控制器伪造证书
wso2am-pattern-1-am-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
Metadata:
annotations:
cert-manager.io/issuer: letsencrypt-production
kubernetes.io/ingress.class: Nginx
Meta.helm.sh/release-name: wso2am-pattern-1
Meta.helm.sh/release-namespace: wso2-apim
Nginx.ingress.kubernetes.io/affinity: cookie
Nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Nginx.ingress.kubernetes.io/session-cookie-hash: sha1
Nginx.ingress.kubernetes.io/session-cookie-name: route
Nginx.ingress.kubernetes.io/ssl-redirect: "true"
creationTimestamp: "2020-08-30T04:41:10Z"
generation: 4
labels:
app.kubernetes.io/managed-by: Helm
name: wso2am-pattern-1-am-ingress
namespace: wso2-apim
resourceVersion: "88840"
selfLink: /apis/extensions/v1beta1/namespaces/wso2-apim/ingresses/wso2am-pattern-1-am-ingress
uid: 58f4b549-a565-493b-9f9f-72ad76877819
spec:
rules:
- host: am.japangly.xyz
http:
paths:
- backend:
serviceName: wso2am-pattern-1-am-service
servicePort: 9443
path: /
tls:
- hosts:
- am.japangly.xyz
secretName: am-japangly-xyz-tls
status:
loadBalancer:
ingress:
- ip: 35.239.145.46
解决方法
正如我在评论中所说:
我像您一样运行安装程序,发现
cert-manager
正在创建秘密,但没有进一步提供它。Issuer
是命名空间资源,需要位于Ingress
所在的命名空间中。请告知您的命名空间wso2-apim
是否具有提供证书所需的Issuer
。要进行故障排除,您可以运行$ kubectl describe certificate -n namespace
。当tls: secret
部件出现问题时,还会使用伪造的Kubernetes证书。
我想更深入地了解潜在的问题以及与nginx-ingress
一起使用的其他技巧。
当存储Kubernetes Ingress Controller Fake Certificate
定义中使用的证书的实际机密出现问题时,将显示为Ingress
的证书。
Fake Certificate
介入的一种可能情况是缺少带有证书的实际机密。
正如我的评论部分所指出的,Issuer
是一个命名空间资源,它必须位于创建了Ingress
和secret
的命名空间中。它将创建一个secret
,但不会进一步进行签名。
根据您的设置:
-
在
-
nginx
控制器 -
cert-manager
在命名空间cert-manager
命名空间( GOOD ) 中产生
-
Issuer
(在default
名称空间中生成的证书(潜在问题)
在 -
wso2-apim
应用程序(潜在问题)
nginx-ingress
命名空间( GOOD )中产生了WSO2
名称空间中生成了要使其正常工作,您可以:
- 在
WSO2
与default
相同的命名空间中运行Issuer
应用程序 - 在
Issuer
命名空间中创建wso2-apim
- 创建一个ClusterIssuer
官方文件指出:
Issuer
是一个命名空间资源,无法从另一个命名空间中的Issuer
颁发证书。这意味着您需要在每个要在其中获得Issuer
的命名空间中创建一个Certificates
。
关于故障排除步骤,您可以调用以下命令:
-
$ kubectl describe issuer ISSUER_NAME -n namespace
-
$ kubectl describe certificate CERTIFICATE_NAME -n namespace
-
$ kubectl describe secret SECRET_NAME -n namespace
假设:
- 您的Kubernetes集群工作正常
- 您已生成
nginx-ingress
并正确配置了LoadBalancer IP
- 您有一个指向
LoadBalancer IP
控制器的nginx-ingress
的域名
之后您生成了:
-
example
名称空间 -
hello-app
,如中型指南所示:-
$ kubectl create deployment hello-app --image=gcr.io/google-samples/hello-app:1.0 -n example
-
- 在本地公开
-
$ kubectl expose deployment hello-app --type=NodePort --port=8080 -n example
-
- 创建了一个
Ingress
资源,如下所示:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: example
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- super.example.com
secretName: super-example-tls
rules:
- host: super.example.com
http:
paths:
- path: /
backend:
serviceName: hello-app
servicePort: 8080
在Issuer
名称空间中没有example
的情况下,来自证书的日志将如下所示:
-
$ kubectl describe certificate super-example-tls -n example
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 6m33s cert-manager Issuing certificate as Secret does not exist
Normal Generated 6m33s cert-manager Stored new private key in temporary Secret resource "super-example-tls-XXXXX"
Normal Requested 6m33s cert-manager Created new CertificateRequest resource "super-example-tls-XXXXX"
Issuer.yaml
用于示例以供更多参考:
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: example
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: PUT_EMAIL_ADDRESS_HERE
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
创建Issuer
后,您应该在certificate
中看到一个新事件:
Normal Issuing 25s cert-manager The certificate has been successfully issued