证书管理器未颁发任何证书Google Cloud Kubernetes

时间:2020-02-23 13:55:30

标签: kubernetes https cert-manager

我正在努力让证书管理器从让我们加密的证书中颁发证书,以便将其与Google Cloud Kubernetes中的入口一起使用。

我有一个运行在默认名称空间中的部署,服务和入口的群集。我还在namecheap上注册了一个域,并从入口向IP地址添加了A记录。现在,我可以使用http访问该网站,一切都很好。现在,我想转到https,并且一切正常。

我已经安装了证书管理器:

kubectl create namespace cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager.yaml

我已验证cert-manager正在运行:

kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5655447474-kw9k7              1/1     Running   0          99m
cert-manager-cainjector-59c9dfd4f7-fjzbf   1/1     Running   0          99m
cert-manager-webhook-865b8fb666-7kmx2      1/1     Running   0          99m

现在,我在默认名称空间中创建了ClusterIssuer kubectl apply -f letsencrypt-prod.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'my@email.com'
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

并使用kubectl apply -f certificate.yaml添加了证书:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: my-certs
spec:
  secretName: my-certs
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: "www.mydomain.de"
  dnsNames:
  - "www.mydomain.de"
  acme:
    config:
    - dns01:
        provider: cloud-dns
      domains:
      - "www.mydomain.de"

这是我的入口:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-ip"
spec:
  rules:
  - host: www.mydomain.de
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 80
  tls:
  - hosts:
    - www.mydomain.de
    secretName: my-certs

现在,当我运行kubectl describe certificate my-certs时,没有任何事件:

kubectl describe certificate my-certs
Name:         my-certs
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"my-certs","namespace":"default"},"sp...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-02-23T13:30:15Z
  Generation:          1
  Resource Version:    787204
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/my-certs
  UID:                 a027a698-5640-11ea-bce8-42010a9c00dc
Spec:
  Acme:
    Config:
      Dns 01:
        Provider:  cloud-dns
      Domains:
        www.mydomain.de
  Common Name:  www.mydomain.de
  Dns Names:
    www.mydomain.de
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  my-certs
Events:         <none>

并且在Google Cloud Console中,我看到消息“无法找到TLS证书。继续设置负载均衡器以供HTTP使用”。

这是什么问题,或者我想念什么?

1 个答案:

答案 0 :(得分:0)

您可以在入口资源中添加以下注释,而不是手动创建证书资源:

cert-manager.io/issuer: "letsencrypt-prod"

证书管理员将读取注释,并使用它们创建证书。

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-ip"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  rules:
  - host: www.mydomain.de
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 80
  tls:
  - hosts:
    - www.mydomain.de
    secretName: my-certs

检查之后,是否创建了名为my-certs的秘密和证书。

还要检查相关的issue

相关问题
最新问题