Istio with Let's Encrypt SSL and cert-manager

Time: 2019-09-18 15:37:36

Tags: kubernetes kubernetes-ingress istio cert-manager

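I am using the Istio demo application provided by bookinfo (https://istio.io/docs/examples/bookinfo/). It works fine on port 80. I want to access the application over https, and for that I made the following changes, but the auto-generated ingress is not created with port 443.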

---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
    name: letsencrypt-staging
spec:
    acme:
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        email: ronak@example.com
        privateKeySecretRef:
            name: letsencrypt-staging
        http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
    name: bookinfo-crt
    namespace: default
spec:
    secretName: bookinfo-crt
    issuerRef:
        name: letsencrypt-staging
        kind: Issuer
    commonName: bookinfo.example.com
    dnsNames:
    - bookinfo.example.com
    acme:
        config:
        - http01:
              ingressClass: istio
          domains:
          - bookinfo.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
  labels:
    app: ingressgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.example.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: "sds"
      privateKey: "sds"
      credentialName: "bookinfo-crt" # fetches certs from Kubernetes secret

cert-manager logs:

I0918 15:33:30.650813       1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="bookinfo.example.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-kfnk2" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="bookinfo-crt-4286905572-0" "resource_namespace"="default" "type"="http-01"
E0918 15:33:30.661141       1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code '404', expected '200'" "dnsName"="bookinfo.example.com" "resource_kind"="Challenge" "resource_name"="bookinfo-crt-4286905572-0" "resource_namespace"="default" "type"="http-01"
I0918 15:33:30.661278       1 base_controller.go:193] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="default/bookinfo-crt-4286905572-0"

Auto-generated ingress:

kubectl get ing
NAME                        HOSTS                       ADDRESS   PORTS     AGE
cm-acme-http-solver-kfnk2   bookinfo.example.com             80        21m

As you can see, there is only port 80, even though I specified 443 in the gateway.

0 answers:

No answers