I am trying to configure SSL certificates in Kubernetes using cert-manager, Istio ingress and Let's Encrypt. I installed Istio with Helm, installed cert-manager, created a ClusterIssuer and then tried to create a Certificate. The ACME challenge fails to validate; I am trying with http01 and cannot figure out how to use Istio ingress for it. Istio was deployed with the following options:
helm install --name istio install/kubernetes/helm/istio `
  --namespace istio-system `
  --set global.controlPlaneSecurityEnabled=true `
  --set grafana.enabled=true `
  --set tracing.enabled=true `
  --set kiali.enabled=true `
  --set ingress.enabled=true
Certificate configuration:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example.com
  namespace: istio-system
spec:
  secretName: example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: 'example.com'
  dnsNames:
  - example.com
  acme:
    config:
    - http01:
        ingress: istio-ingress
      domains:
      - example.com
When I try it this way, for some reason istio-ingress is not found, but when I try specifying ingressClass: some-name instead of ingress: istio-ingress, I get a 404 because example.com/.well-known/acme-challenge/token cannot be reached. How can this be solved? Thanks!
Answer 0 (score: 2)
Istio ingress has been deprecated; you can use the ingress gateway with the DNS challenge instead.
Define a generic public gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
Create an issuer using one of the DNS providers supported by cert-manager. Here is the configuration for GCP Cloud DNS:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    dns01:
      providers:
      - name: cloud-dns
        clouddns:
          serviceAccountSecretRef:
            name: cert-manager-credentials
            key: gcp-dns-admin.json
          project: my-gcp-project
Create a wildcard certificate with:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  # the key is case-sensitive (secretName); this secret name is the one the
  # ingress gateway mounts at /etc/istio/ingressgateway-certs
  secretName: istio-ingressgateway-certs
  issuerRef:
    name: letsencrypt-prod
  commonName: "*.example.com"
  acme:
    config:
    - dns01:
        provider: cloud-dns
      domains:
      - "*.example.com"
      - "example.com"
It takes cert-manager a few minutes to issue the certificate:
kubectl -n istio-system describe certificate istio-gateway

Events:
  Type    Reason      Age    From          Message
  ----    ------      ----   ----          -------
  Normal  CertIssued  1m52s  cert-manager  Certificate issued successfully
You can find a step-by-step guide to setting up Istio ingress on GKE with Let's Encrypt at https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup

Answer 1 (score: 1)
The solution was to migrate DNS to Azure and use DNS validation to generate the certificates. I also used istio-1.1.0-rc.3 and configured the gateway as follows:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - hosts:
    - 'mydomain.com'
    port:
      name: http-bookinfo
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'mydomain.com'
    port:
      name: https-bookinfo
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: "use sds" # random string, because serverCertificate and
                                   # privateKey are required for tls.mode=SIMPLE
      privateKey: "use sds"
      credentialName: "istio-bookinfo-certs-staging" # this must match the secret name
                                                     # from the certificate
helm template install/kubernetes/helm/istio/ --name istio `
--namespace istio-system -x charts/gateways/templates/deployment.yaml `
--set gateways.istio-egressgateway.enabled=false `
--set gateways.istio-ingressgateway.sds.enabled=true > `
$HOME/istio-ingressgateway.yaml
kubectl apply -f $HOME/istio-ingressgateway.yaml
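Both answers hinge on the same wiring: the secret cert-manager writes (spec.secretName) has to be the secret the gateway actually reads, either the istio-ingressgateway-certs secret mounted at /etc/istio/ingressgateway-certs (answer 0) or the tls.credentialName fetched over SDS (answer 1), and the certificate's names have to cover the hosts the Gateway serves. The script below is an added example, not code from either answer, cert-manager or Istio: it cross-checks a Gateway against a Certificate and reports mismatches before you wait for a challenge to fail. It assumes the ingress gateway pods run in istio-system (the Helm default) and that the inputs have the shape of `kubectl get ... -o json`; the sample manifests at the bottom are constructed to mirror the two answers, not live cluster output.

```python
import json

# Pre-SDS gateway Deployment: the only secret it sees is this one, mounted here
FILE_MOUNT_SECRET = "istio-ingressgateway-certs"
FILE_MOUNT_DIR = "/etc/istio/ingressgateway-certs"
GATEWAY_NS = "istio-system"  # assumption: gateway pods run here (Helm default)


def host_covered(host, names):
    """RFC 6125-style match: '*.example.com' covers 'a.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
        elif host == name:
            return True
    return False


def check_gateway(gateway, cert):
    """Cross-check one Istio Gateway against one cert-manager Certificate.
    Returns findings prefixed 'error:' (TLS will not come up) or 'warn:'."""
    out = []
    spec = cert["spec"]
    secret = spec.get("secretName")  # case-sensitive; 'secretname' is ignored
    if not secret:
        out.append("error: Certificate lacks spec.secretName (key is case-sensitive)")
    if cert["metadata"].get("namespace") != GATEWAY_NS:
        out.append(f"error: Certificate must live in {GATEWAY_NS}, where the gateway pods read secrets")
    # commonName plus dnsNames, de-duplicated, order preserved
    names = list(dict.fromkeys(n for n in [spec.get("commonName"), *spec.get("dnsNames", [])] if n))
    for srv in gateway["spec"]["servers"]:
        if srv["port"]["protocol"] != "HTTPS":
            continue  # plain HTTP / httpsRedirect servers need no secret
        port, tls = srv["port"]["number"], srv.get("tls", {})
        cred = tls.get("credentialName")
        if cred:  # SDS mode (answer 1): secret is fetched by name
            if cred != secret:
                out.append(f"error: port {port}: credentialName {cred!r} != secretName {secret!r}")
        else:  # file-mount mode (answer 0): only the well-known secret is visible
            if secret != FILE_MOUNT_SECRET:
                out.append(f"error: port {port}: without credentialName the gateway only mounts "
                           f"{FILE_MOUNT_SECRET!r}, not {secret!r}")
            for key in ("serverCertificate", "privateKey"):
                if not tls.get(key, "").startswith(FILE_MOUNT_DIR + "/"):
                    out.append(f"error: port {port}: tls.{key} must point under {FILE_MOUNT_DIR}")
        for host in srv.get("hosts", []):
            host = host.split("/")[-1]  # Istio 1.1 allows 'namespace/host'
            if host == "*":
                out.append(f"warn: port {port}: host '*' matches any SNI; certificate only covers {names}")
            elif not host_covered(host, names):
                out.append(f"error: port {port}: host {host!r} not covered by {names}")
    return out


# Constructed samples mirroring the two answers above (not live cluster output).
GATEWAY_FILE_MOUNT = {"kind": "Gateway", "metadata": {"name": "public-gateway", "namespace": "istio-system"},
    "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
        {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"], "tls": {"httpsRedirect": True}},
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": ["*"],
         "tls": {"mode": "SIMPLE", "privateKey": "/etc/istio/ingressgateway-certs/tls.key",
                 "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt"}}]}}
CERT_WILDCARD = {"kind": "Certificate", "metadata": {"name": "istio-gateway", "namespace": "istio-system"},
    "spec": {"secretName": "istio-ingressgateway-certs", "commonName": "*.example.com",
             "dnsNames": ["*.example.com", "example.com"]}}
GATEWAY_SDS = {"kind": "Gateway", "metadata": {"name": "mygateway", "namespace": "default"},
    "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
        {"hosts": ["mydomain.com"], "port": {"number": 443, "name": "https-bookinfo", "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "serverCertificate": "use sds", "privateKey": "use sds",
                 "credentialName": "istio-bookinfo-certs-staging"}}]}}
CERT_SDS = {"kind": "Certificate", "metadata": {"name": "bookinfo", "namespace": "istio-system"},
    "spec": {"secretName": "istio-bookinfo-certs-staging", "commonName": "mydomain.com",
             "dnsNames": ["mydomain.com"]}}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python check.py gateway.json certificate.json
        gw, crt = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        gw, crt = GATEWAY_FILE_MOUNT, CERT_WILDCARD
    for finding in check_gateway(gw, crt) or ["ok"]:
        print(finding)
```

Run it against real objects with `kubectl get gateway public-gateway -n istio-system -o json > gw.json` and `kubectl get certificate istio-gateway -n istio-system -o json > crt.json`. The file-mount sample from answer 0 produces only a warning: a Gateway host of "*" accepts any SNI, but the certificate can only vouch for *.example.com and example.com, so clients asking for any other name get a name mismatch rather than a refused connection. The SDS sample passes cleanly, and renaming either side of the credentialName/secretName pair turns into a hard error, which is the silent failure the comment in answer 1 warns about.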