drone.io on Kubernetes: letsencrypt can't provide a secure connection

Time: 2018-01-12 07:21:23

Tags: kubernetes drone kubernetes-helm

I deploy drone.io on GKE k8s using helm. It works fine if I turn LetsEncrypt off. But I really want https support.

This is my service:

apiVersion: v1
kind: Service
metadata:
  name: {{ template "drone_ci.fullname" . }}-external
  labels:
    name: server
    app: {{ template "drone_ci.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  type: LoadBalancer
  loadBalancerIP:  {{ .Values.droneLoadBalancerIp}}
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8000
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  selector:
    name: server

I have another service for port 9000, since only the drone agents need that one.

My drone server deployment template looks like this:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: {{ template "drone_ci_server.fullname" . }}
  labels:
    app: {{ template "drone_ci.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: server
        app: {{ template "drone_ci.name" . }}
        release: {{ .Release.Name }}
    spec:
      containers:
      - name: server
        image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
        imagePullPolicy: {{ .Values.server.image.pullPolicy }}
        env:
          - name: "DRONE_HOST"
            value: {{ .Values.droneHost }}
          - name: "DRONE_OPEN"
            value: "true"
          - name: "DRONE_GITLAB"
            value: "true"
          - name: DRONE_GITLAB_URL
            value: {{ .Values.droneGitlabUrl }}
          - name: DRONE_ADMIN
            value: {{ .Values.droneAdmin }}
          - name: DRONE_GITLAB_CLIENT
            valueFrom:
              secretKeyRef:
                name: {{ template "drone_ci.fullname" . }}
                key: DRONE_GITLAB_CLIENT
          - name: DRONE_GITLAB_SECRET
            valueFrom:
              secretKeyRef:
                name: {{ template "drone_ci.fullname" . }}
                key: DRONE_GITLAB_SECRET
          - name: DRONE_SECRET
            valueFrom:
              secretKeyRef:
                name: {{ template "drone_ci.fullname" . }}
                key: DRONE_SECRET
          - name: DRONE_LETS_ENCRYPT
            value: "true"
        volumeMounts:
        - mountPath: /var/lib/drone
          name: drone-lib-pv-storage
      volumes:
      - name: drone-lib-pv-storage
        persistentVolumeClaim:
          claimName: {{ template "drone_ci.fullname" . }}

When letsEncrypt is false my site works and it connects to my gitlab instance just fine with the correct URL. When letsEncrypt is true, then:

Navigating to my drone with chrome gives me "This site can't provide a secure connection". SSL Labs' test tells me:

No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.

Looking at my pod logs, whenever I try to access drone via chrome I get:

http: TLS handshake error from x.x.x.x:53938: acme/autocert: no supported challenge type found
http: TLS handshake error from y.y.y.y:53936: acme/autocert: missing certificate

My drone server image is:

image:
  repository: drone/drone
  tag: 0.8
  pullPolicy: Always

What am I missing or doing wrong?

1 answer:

Answer 0 (score: 1)

I would suggest switching from a LoadBalancer-type service to a regular service and exposing it through an Ingress instead. Combining Ingress with kube-lego, you can easily expose anything you want with Let's Encrypt integration for the domains used, even if the software behind it has no built-in LE support. This is actually how my own drone.io instance is set up.

While this may not address the root cause of your problem, which would need more debugging information, it is a perfectly viable and proven solution :)

As for the error itself, judging from this code it seems drone supports challenges other than tls-sni-01/02. Among other possibly cluster-level problems, there is also this issue: TLS-SNI is now disabled by LE.
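The setup the answer describes, written out as an added example (not manifests from the question or the answer): a ClusterIP Service in front of the drone server plus an Ingress annotated for kube-lego, so TLS is terminated at the Ingress and Drone never runs an ACME challenge itself. It reuses the Helm helpers from the question and assumes a values key `droneIngressHost` (bare hostname, no scheme), the kube-lego annotation `kubernetes.io/tls-acme`, and the GCE ingress class.

```yaml
# Added example, not the question's or answer's own manifests.
# Assumes the Helm helpers from the question plus an assumed values key
# .Values.droneIngressHost holding the bare hostname (e.g. drone.example.com).
# In the Deployment, set DRONE_LETS_ENCRYPT to "false" so Drone serves plain
# HTTP on 8000; keep DRONE_HOST as the https:// URL so OAuth callbacks stay correct.
apiVersion: v1
kind: Service
metadata:
  name: {{ template "drone_ci.fullname" . }}-server
  labels:
    app: {{ template "drone_ci.name" . }}
    release: {{ .Release.Name }}
spec:
  type: ClusterIP          # no public LoadBalancer; the Ingress fronts it
  ports:
    - name: http
      port: 80
      targetPort: 8000     # Drone's HTTP listener when LE is off
  selector:
    name: server
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ template "drone_ci.fullname" . }}
  annotations:
    kubernetes.io/ingress.class: "gce"   # assumption: GKE's built-in controller; kube-lego also supports "nginx"
    kubernetes.io/tls-acme: "true"       # tells kube-lego to obtain and renew the certificate
spec:
  tls:
    - hosts:
        - {{ .Values.droneIngressHost }}
      secretName: {{ template "drone_ci.fullname" . }}-tls   # kube-lego stores the cert here
  rules:
    - host: {{ .Values.droneIngressHost }}
      http:
        paths:
          - path: /*      # gce class expects the wildcard form; use "/" with nginx
            backend:
              serviceName: {{ template "drone_ci.fullname" . }}-server
              servicePort: 80
```

kube-lego must already be running in the cluster; it watches for the `kubernetes.io/tls-acme` annotation, completes the HTTP-01 challenge through the Ingress, and populates the referenced TLS secret, so no TLS-SNI challenge is involved.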