从掌舵图中安装Rancher 2.x

时间:2019-09-14 13:23:00

标签: ssl kubernetes lets-encrypt rancher

我正在尝试使用头盔图安装Rancher2.x。 我想将其指向某个特定领域。

在我的集群中,请记住以下事实或假设:

我使用的Kubernetes集群是在Azure云平台中创建的。

我已经在Kubernetes集群中安装了cert-manager 0.10vkong ingress-controller

实际上,在我的部署中,我使用kong入口控制器和cert-manager与LetsEncrypt进行交互,并为通过Ingress资源公开的服务获取SSL / TLS加密。 我已经通过一些服务做到了这一点。

所以,就像我的想法是利用已有的kong和cert-manager部署一样,我正在通过helm chart安装带有以下标志参数的rancher:

--set hostname=rancher.mydomain.org

我想为我的牧场主部署分配一个特定的域。据此,我以前在azure平台上创建了一个公共静态IP地址,该地址将被分配为转发我的牧场主实例的外部IP,因此我在DNS提供程序中创建了一个A记录来获取此地址。

--set ingress.tls.source=letsEncrypt

我正在为Rancher服务选择SSL配置,告诉我要从LetsEncrypt获取证书,以便提前进行之前提到的kong和cert-manager部署。

--set ingress.extraAnnotations.'certmanager\.k8s\.io/cluster-issuer'=letsencrypt-prod

正如我前面提到的,我已经使用了cert-manager,所以我已经创建了一个名为letsencrypt-prod的集群发行者,因此我加入了此选项标志参数,以便使用已经拥有的同一集群。

因此,当我安装牧场主掌舵表时:

helm install rancher-stable/rancher \
        --name rancher \
        --namespace cattle-system \
        --set hostname=rancher.domain.org \
        --set ingress.tls.source=letsEncrypt \
        --set ingress.extraAnnotations.'certmanager\.k8s\.io/cluster-issuer'=letsencrypt-prod \
        --set letsEncrypt.email=username@domain.org

我可以看到此部署会自动创建两个入口:

NAME                                           HOSTS                   ADDRESS   PORTS     AGE
ingress.extensions/cm-acme-http-solver-5rv5v   rancher.domain.org                 80        74s
ingress.extensions/rancher                     rancher.domain.org             80, 443   3m28s

据我所知ingress.extensions/cm-acme-http-solver-5rv5v是一个临时的入口资源,创建后等待cert-manager和kong操作与letencrypt联系,当它发生时,它应该消失,但是永远不会发生。这种入侵永远不会消失。

我意识到有些事情可能是在幕后,根据其掌舵图创建的牧场主入侵程序被开发为默认使用Nginx,如我在此处所示。

请参见anotations属性

kubectl describe ingress.extensions/cm-acme-http-solver-5rv5v -n cattle-system
Name:             cm-acme-http-solver-5rv5v
Namespace:        cattle-system
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                   Path  Backends
  ----                   ----  --------
  rancher.mydomain.org  
                         /.well-known/acme-challenge/q4B4ZFErLEu3wA8i5vICyJY61Wh806pB9vtazjv5jUk   cm-acme-http-solver-j2n8p:8089 (10.244.1.70:8089)
Annotations:
  kubernetes.io/ingress.class:                         kong
  nginx.ingress.kubernetes.io/whitelist-source-range:  0.0.0.0/0,::/0
Events:                                                <none>

您可以看到此kubernetes.io/ingress.class: kong表示ingress.extensions/cm-acme-http-solver-5rv5v将尝试与控管人kong

关于牧场主入口资源,这实际上是管理牧场主的真正入口过程,尽管它指向我的letsencrypt-prod ClusterIssuer,也正在使用一些nginx注释,并且还指向另一个牧场主发行者。

>

这意味着该牧场主入口资源同时指向两个不同的发行者和clusterissuer。

⟩ kubectl describe ingress rancher -n cattle-system  
Name:             rancher
Namespace:        cattle-system
Address:          
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-rancher-ingress terminates rancher.possibilit.nl
Rules:
  Host                   Path  Backends
  ----                   ----  --------
  rancher.mydomain.org  
                            rancher:80 (10.244.0.32:80,10.244.1.69:80,10.244.2.80:80)
Annotations:
  certmanager.k8s.io/issuer:                          rancher
  nginx.ingress.kubernetes.io/proxy-connect-timeout:  30
  nginx.ingress.kubernetes.io/proxy-read-timeout:     1800
  nginx.ingress.kubernetes.io/proxy-send-timeout:     1800
  certmanager.k8s.io/cluster-issuer:                  letsencrypt-prod
Events:
  Type    Reason             Age   From          Message
  ----    ------             ----  ----          -------
  Normal  CreateCertificate  54m   cert-manager  Successfully created Certificate "tls-rancher-ingress"
[I]

如果我选择在helm installation rancher命令中包括上述选项,我的意思是:

--set ingress.tls.source=letsEncrypt \
--set ingress.extraAnnotations.'certmanager\.k8s\.io/cluster-issuer'=letsencrypt-prod \

Rancher掌舵图安装过程是否会创建特定的Issuer和特定的入口,并且还可以与Nginx一起使用,而不与kong一起使用? 我想是的

尽管rancher.mydomain.org的路由来自上述入口过程,但这些路由仍在我的kong数据库中创建:

enter image description here

仅仅是证书管理者,kong和letencrypt之间的握手是不可能的,而它的证明是acme挑战尚未完成。

但是我也想,我没有在任何步骤或步骤中指定头盔安装牧场主过程应指向我在Azure平台开始时创建的某些外部IP地址

我期望舵图有一个特定的设置参数来应用负载均衡器IP……类似:

helm install rancher-latest/rancher \
--name rancher \
--namespace cattle-system \
--set hostname=[rancher.mydomain.org](http://rancher.mydomain.org/) \
--set ingress.tls.source=letsEncrypt

# some purpose  
--set proxy.type=LoadBalancer
--set proxy.loadBalancerIP=<myIpAddress>

之所以这样说,是因为kong实际上允许从舵图安装完成。

我认为这是有道理的,因为kong入口控制器未找到要引用和执行acme挑战的特定端点,这就是为什么在证书管理器窗格中我们没有任何事件的原因……

Every 2,0s: kubectl logs pod/cert-manager-79d7495f47-pjlrg -n cert-manager                el-pug: Fri Sep 13 14:21:42 2019

I0909 13:32:36.925765       1 start.go:76] cert-manager "level"=0 "msg"="starting controller"  "git-commit"="f1d591a53" "v
ersion"="v0.10.0"
I0909 13:32:36.927603       1 controller.go:184] cert-manager/controller/build-context "level"=0 "msg"="configured acme dn
s01 nameservers" "nameservers"=["10.0.0.10:53"]
I0909 13:32:36.928677       1 controller.go:149] cert-manager/controller "level"=0 "msg"="starting leader election"
I0909 13:32:36.930078       1 leaderelection.go:235] attempting to acquire leader lease  cert-manager/cert-manager-control
ler...
I0909 13:32:36.931031       1 metrics.go:201] cert-manager/metrics "level"=0 "msg"="listening for connections on" "address
"="0.0.0.0:9402"
I0909 13:33:49.207086       1 leaderelection.go:245] successfully acquired lease cert-manager/cert-manager-controller
I0909 13:33:49.207919       1 controller.go:101] cert-manager/controller "level"=0 "msg"="not starting controller as it's
disabled" "controller"="certificaterequests-issuer-acme"
I0909 13:33:49.207934       1 controller.go:101] cert-manager/controller "level"=0 "msg"="not starting controller as it's
disabled" "controller"="certificaterequests-issuer-selfsigned"
I0909 13:33:49.207943       1 controller.go:101] cert-manager/controller "level"=0 "msg"="not starting controller as it's
disabled" "controller"="certificaterequests-issuer-vault"
I0909 13:33:49.207955       1 controller.go:101] cert-manager/controller "level"=0 "msg"="not starting controller as it's
disabled" "controller"="certificaterequests-issuer-venafi"
I0909 13:33:49.209061       1 controller.go:120] cert-manager/controller "level"=0 "msg"="starting controller" "controller
"="orders"
I0909 13:33:49.209074       1 controller.go:74] cert-manager/controller/orders "level"=0 "msg"="starting control loop"
I0909 13:33:49.209314       1 controller.go:120] cert-manager/controller "level"=0 "msg"="starting controller" "controller
"="certificates"
I0909 13:33:49.209333       1 controller.go:74] cert-manager/controller/certificates "level"=0 "msg"="starting control loo
p"
I0909 13:33:49.209364       1 controller.go:120] cert-manager/controller "level"=0 "msg"="starting controller" "controller
"="clusterissuers"
I0909 13:33:49.209419       1 controller.go:74] cert-manager/controller/clusterissuers "level"=0 "msg"="starting control l
oop"

在上述情况下,牧场主部署过程正在创建一个特定的入口,但是我想对该入口进行更多控制以便指向它,指向kong-ingress-controller并应用一些基本身份验证插件和其他香港商品。

我的意思是我想让牧场主有这样的东西:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # letsencrypt-staging
    kubernetes.io/ingress.class: "kong"
    # plugins.konghq.com: rancher-production-basic-auth, rancher-production-acl
  name: production-rancher-ingress
  namespace: cattle-system
spec:
  rules:
  - host: rancher.mydomain.org
    http:
      paths:
      - backend:
          serviceName: rancher
          servicePort: 80
        path: /
  tls: # < placing a host in the TLS config will indicate a cert should be created
  - hosts:
    - rancher.mydomain.org
    secretName: #  letsencrypt-prod or secret/tls-rancher or whatever created with cert-manager

我的不便之处与ingress.extraAnnotations图表选项here有关吗?​​

如果是,我该如何管理这些自定义入口注释,以使我的牧场主安装具有外部IP地址,并且仅指向kong而不是nginx?

0 个答案:

没有答案
相关问题
最新问题