I want to access my Kubernetes bare-metal cluster, which has an exposed Nginx Ingress Controller for TLS termination. To be able to renew certificates automatically, I want to use the Kubernetes add-on cert-manager, the successor of kube-lego.
What I have done so far:
Set up a Kubernetes (v1.9.3) cluster on bare metal (1 master, 1 minion, both running Ubuntu 16.04.4 LTS) with kubeadm and flannel as the pod network, following this guide.
Installed nginx-ingress (chart version 0.9.5) with the Kubernetes package manager helm:
helm install --name nginx-ingress --namespace kube-system stable/nginx-ingress --set controller.hostNetwork=true,rbac.create=true,controller.service.type=ClusterIP
Installed cert-manager (chart version 0.2.2) with helm:
helm install --name cert-manager --namespace kube-system stable/cert-manager --set rbac.create=true
The Ingress Controller is exposed successfully and works as expected when I test it with an Ingress resource. To use cert-manager properly for Let's Encrypt certificate management and automatic renewal, I first need an Issuer resource. I created it from acme-staging-issuer.yaml:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging.api.letsencrypt.org/directory
    email: email@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    http01: {}
kubectl create -f acme-staging-issuer.yaml runs successfully, but kubectl describe issuer/letsencrypt-staging gives me:
Status:
  Acme:
    Uri:
  Conditions:
    Last Transition Time:  2018-03-05T21:29:41Z
    Message:               Failed to verify ACME account: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                Age               From                     Message
  ----     ------                ----              ----                     -------
  Warning  ErrVerifyACMEAccount  1s (x11 over 7s)  cert-manager-controller  Failed to verify ACME account: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
  Warning  ErrInitIssuer         1s (x11 over 7s)  cert-manager-controller  Error initializing issuer: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
Without a ready Issuer I cannot proceed to generate cert-manager Certificates or use the ingress-shim (for automatic renewal).
What is missing in my setup? Is exposing the ingress controller with hostNetwork=true sufficient, or is there a better way to expose its ports 80 and 443 on a bare-metal cluster? How can I resolve the tls: oversized record received error when creating the cert-manager Issuer resource?
Answer 0 (score: 0)
The tls: oversized record received error was caused by a misconfigured /etc/resolv.conf on the Kubernetes minion. It can be resolved by editing it:
$ sudo vi /etc/resolvconf/resolv.conf.d/base
and adding a list of nameservers:
nameserver 8.8.8.8
nameserver 8.8.4.4
Then update resolvconf:
$ sudo resolvconf -u
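The number in the error message is itself a clue: cert-manager is written in Go, and Go's TLS client reads the first five bytes of the peer's reply as a TLS record header, so when a broken resolver sends the request to a host that answers in plaintext, the "record length" is really two ASCII characters of that reply. The script below is example code added here (not from the question, the answer, or cert-manager) that decodes the reported length and classifies a captured reply; the sample replies are constructed.

```python
"""Decode Go's "tls: oversized record received with length N" diagnostic.

A Go TLS client reads the first five bytes of the peer's reply as a TLS
record header: type (1 byte), version (2 bytes), length (2 bytes). If the
peer answered in plaintext, the "length" is two ASCII characters, which is
why the number in the error looks arbitrary. Sample replies are constructed.
"""
import struct

# Largest TLS record payload Go accepts (16384 bytes plus 2048 for expansion).
TLS_MAX_CIPHERTEXT = 16384 + 2048
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}


def parse_record_header(first_bytes: bytes) -> dict:
    """Interpret the first five bytes of a reply as a TLS record header."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes of the reply")
    rec_type, version, length = struct.unpack("!BHH", first_bytes[:5])
    looks_like_tls = (rec_type in TLS_RECORD_TYPES
                      and version >> 8 == 3           # SSL3/TLS1.x major version
                      and length <= TLS_MAX_CIPHERTEXT)
    return {"type": rec_type, "version": version,
            "length": length, "looks_like_tls": looks_like_tls}


def length_as_ascii(length: int) -> str:
    """Turn the length from the error message back into the two bytes sent."""
    return struct.pack("!H", length).decode("ascii", errors="replace")


def diagnose(first_bytes: bytes) -> str:
    """Classify a reply that made the TLS client report an oversized record."""
    header = parse_record_header(first_bytes)
    if header["looks_like_tls"]:
        return "plausible TLS record; the fault is not a plaintext reply"
    text = first_bytes.lstrip().lower()
    if text.startswith(b"http/"):
        return "plaintext HTTP response: the host answered without TLS"
    if text.startswith(b"<!doctype") or text.startswith(b"<html"):
        return ("plaintext HTML response: the name resolved to a host serving "
                "a web page, not the ACME endpoint")
    return "non-TLS data of unknown type"


if __name__ == "__main__":
    # 20291 is the length reported in the question's cert-manager events.
    print(length_as_ascii(20291))                  # OC
    print(diagnose(b"<!DOCTYPE html><html>..."))   # plaintext HTML response: ...
```

Length 20291 decodes to the bytes "OC", the fourth and fifth characters of "<!DOCTYPE", which matches a resolver that handed cert-manager a host serving an HTML page instead of the Let's Encrypt staging API.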