我想对Azure上的Kubernetes(AKS)使用HTTPS。 为此,我使用了nginx-ingress(https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md#azure)。 我在本教程中创建的所有资源都使用名称空间ingress-nginx。这就是为什么我继续使用此命名空间而不是默认名称的原因。 我的Ingress运作正常。现在,我想使用HTTPS而不是HTTP。
为此,我创建了一个CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out example.csr -subj "/CN=domain.com"
我将CSR发送给签名提供商(QuoVadis),后者将以下文件发送给我:
我有点困惑,因为在所有教程中我都只提到了一个crt。该链看起来像是所有其他三个文件的组合。这就是为什么我继续使用链条的原因:
sudo kubectl create secret tls ssl-secret-test --cert domain_com(chain).crt --key private.key -n ingress-nginx
我将秘密添加到了入口:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-ingress
namespace: ingress-nginx
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- domain.com
secretName: ssl-secret-test
rules:
- host: domain.com
- http:
paths:
- path: /app1(/|$)(.*)
backend:
serviceName: app1-service
servicePort: 80
- path: /app2(/|$)(.*)
backend:
serviceName: app2-service
servicePort: 80
域不再提供我的部署app1和app2。如果我使用IP,它仍然可以正常工作:
domain.com/app1:
404找不到-openresty / 1.15.8.1
52.xxx.xxx.xx / app1:
Hello World
在两种情况下,我仍然会收到有关不安全连接的警告。 这里是我的服务概述:
$ sudo kubectl get svc --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 57d
ingress-nginx app1-service NodePort 10.0.229.109 <none> 80:31343/TCP 22h
ingress-nginx app2-service NodePort 10.0.175.201 <none> 80:31166/TCP 22h
ingress-nginx ingress-nginx LoadBalancer 10.0.40.172 52.xxx.xxx.xx 80:32564/TCP,443:32124/TCP 22h
kube-system healthmodel-replicaset-service ClusterIP 10.0.233.181 <none> 25227/TCP 5d10h
kube-system heapster ClusterIP 10.0.214.146 <none> 80/TCP 57d
kube-system kube-dns ClusterIP 10.0.0.10 <none> 53/UDP,53/TCP 57d
kube-system kubernetes-dashboard ClusterIP 10.0.160.230 <none> 80/TCP 57d
kube-system metrics-server ClusterIP 10.0.170.103 <none> 443/TCP 57d
$ sudo kubectl get ingress --all-namespaces
NAMESPACE NAME HOSTS ADDRESS PORTS AGE
ingress-nginx nginx-ingress domain.com 52.xxx.xxx.xx 80, 443 37m
$ sudo kubectl get deployments --all-namespaces
NAMESPACE NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
ingress-nginx app1 2 2 2 2 22h
ingress-nginx app2 2 2 2 2 22h
ingress-nginx nginx-ingress-controller 1 1 1 1 57d
kube-system coredns 2 2 2 2 58d
kube-system coredns-autoscaler 1 1 1 1 58d
kube-system heapster 1 1 1 1 5d10h
kube-system kubernetes-dashboard 1 1 1 1 58d
kube-system metrics-server 1 1 1 1 58d
kube-system omsagent-rs 1 1 1 1 58d
kube-system tunnelfront 1 1 1 1 58d
我做错了什么?
我遵循了以下教程:
https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html
并通过示例test-resources.yaml确认了所有内容。
现在,我按照设置CA ISSUER的步骤进行操作。
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: domain-com
namespace: default
spec:
secretName: domain-com-tls
issuerRef:
name: ca-issuer
kind: ClusterIssuer
commonName: domain.com
organization:
- QuoVadis
dnsNames:
- domain.com
- www.domain.com
-----
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: ca-issuer
namespace: default
spec:
ca:
secretName: ssl-secret-test
但是它似乎不起作用:
$ kubectl describe certificate domain-com
...
Status:
Conditions:
Last Transition Time: 2019-09-12T07:48:19Z
Message: Certificate does not exist
Reason: NotFound
Status: False
Type: Ready
Not After: 2021-09-11T07:46:00Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning IssuerNotReady 8s (x9 over 4h51m) cert-manager Issuer ca-issuer not ready
在故障排除页面上,我发现了另一个不确定性:
$ kubectl --namespace cert-manager get secret cert-manager-webhook-webhook-tls
Error from server (NotFound): secrets "cert-manager-webhook-webhook-tls" not found
答案 0 :(得分:1)
我在评论中回答了,但只会在此处添加答案:
证书管理器是使用nginx入口处理TLS的最简单方法,在您定义入口后在https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html处进行设置后,它看起来类似于:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-ingress
namespace: ingress-nginx
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: "nginx" <-- This is very important to define which ingress controller to use
certmanager.k8s.io/cluster-issuer: letsencrypt-staging <-- defines the cert manager issuer
spec:
tls:
- hosts:
- domain.com
secretName: ssl-secret-test
rules:
- host: domain.com
- http:
paths:
- path: /app1(/|$)(.*)
backend:
serviceName: app1-service
servicePort: 80
- path: /app2(/|$)(.*)
backend:
serviceName: app2-service
servicePort: 80
然后,证书管理员将为您的服务设置TLS