Я пытаюсь развернуть ingress-маршруты в Kubernetes, следуя этим руководствам:
- https://cert-manager.io/docs/tutorials/acme/ingress/ < / а>
- https://docs.microsoft.com/en-us/azure/aks/ingress-static-ip
Я развернул кластер-эмитент:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <Myemail>
privateKeySecretRef:
name: letsencrypt
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux
Затем я развернул ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: airflow-ingress
namespace: airflow6
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencryp
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- <MYhost>
secretName: tls-secret1
rules:
- host: <MYhost>
http:
paths:
- path: /
backend:
serviceName: airflow-web
servicePort: 8080
Тогда, если я попытаюсь получить сертификат:
kubectl describe certificate tls-secret1 --namespace airflow6
Error from server (NotFound): certificates.cert-manager.io "tls-secret1" not found
Я попытался развернуть собственный сертификат:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: tls-secret1
namespace: airflow6
spec:
secretName: tls-secret1
dnsNames:
- <MYhost>
issuerRef:
name: letsencrypt
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: ClusterIssuer
group: cert-manager.io
Затем выполните ту же команду:
kubectl describe certificate tls-secret1 --namespace airflow6
Name: tls-secret1
Namespace: airflow6
Labels: <none>
Annotations: API Version: cert-manager.io/v1beta1
Kind: Certificate
Metadata:
Creation Timestamp: 2020-10-12T10:50:25Z
Generation: 1
Resource Version: 9408916
Self Link: /apis/cert-manager.io/v1beta1/namespaces/airflow6/certificates/quickstart-example-tls
UID: 5c4f06e2-bb61-4eed-8999-58540d4055ce
Spec:
Dns Names:
<Myhost>
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: letsencrypt
Secret Name: tls-secret1
Status:
Conditions:
Last Transition Time: 2020-10-12T10:50:25Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: True
Type: Issuing
Last Transition Time: 2020-10-12T10:50:25Z
Message: Issuing certificate as Secret does not exist
Reason: DoesNotExist
Status: False
Type: Ready
Next Private Key Secret Name: tls-secret1
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 3m8s cert-manager Issuing certificate as Secret does not exist
Normal Requested 3m8s cert-manager Created new CertificateRequest resource "quickstart-example-tls-hl7vk"
Normal Requested <invalid> cert-manager Created new CertificateRequest resource "quickstart-example-tls-vqmbh"
Normal Generated <invalid> (x3 over 3m8s) cert-manager Stored new private key in temporary Secret resource "quickstart-example-tls-fgvn6"
Normal Requested <invalid> cert-manager Created new CertificateRequest resource "quickstart-example-tls-5gg9l"
Я не знаю, нужно ли мне создавать такой секрет:
apiVersion: v1
kind: Secret
name: example-tls
namespace: foo
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
Но я действительно не знаю, что мне нужно вставить в tls.crt
и tls.key
.
Во всех руководствах, которые я прочитал, я видел, что когда входящие маршруты развертываются автоматически, создается сертификат, но для меня он не работает, что я делаю не так?