SSL certificate on Kubernetes using ACME

Time: 2020-12-29 03:00:06

Tags: ssl kubernetes

I have been following this tutorial: https://cert-manager.io/docs/, and after I installed my cert-manager and made sure the pods were running with kubectl get pods --namespace cert-manager,

cert-manager-5597cff495-l5hjs             1/1     Running   0          91m
cert-manager-cainjector-bd5f9c764-xrb2t   1/1     Running   0          91m
cert-manager-webhook-5f57f59fbc-q5rqs     1/1     Running   0          91m

I then configured my cert-manager with an ACME issuer following this tutorial: https://cert-manager.io/docs/configuration/acme/.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: aidenhsy@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx

Here is my full ingress configuration file:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-srv
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
  rules:
    - host: www.hyhaus.xyz
      http:
        paths:
          - path: /api/?(.*)
            backend:
              serviceName: devback-srv
              servicePort: 4000
          - path: /?(.*)
            backend:
              serviceName: devfront-srv
              servicePort: 3000
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    service.beta.kubernetes.io/do-loadbalancer-hostname: 'www.hyhaus.xyz'
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: aidenhsy@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx

But when I browse to my website, the browser warns: your computer's operating system does not trust the security certificate. When I look at my certificate, it shows as self-signed, which is not really what I want. Am I doing something wrong here?

2 answers:

Answer 0 (score: 1)

This is the placeholder certificate served by the nginx ingress controller. When you see it, it means the endpoint has no other (dedicated) certificate.

Now, the first reason this happens is that your Ingress does not have the necessary data. Update it with this:

metadata:
  annotations:
    # which issuer to use
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls: # placing a host in TLS config indicates that a certificate should be created
  - hosts:
    - example.org
    - www.example.org
    - xyz.example.org
    secretName: myingress-cert # cert-manager will store the created certificate in this secret

The documentation for the Ingress object is here

If the above does not help, try the troubleshooting steps provided in the documentation. In my experience, checking the CertificateRequest and Certificate resources is enough to identify the problem in most cases.

$ kubectl get certificate
$ kubectl describe certificate <certificate-name>
$ kubectl get certificaterequest
$ kubectl describe certificaterequest <CertificateRequest name>

Keep in mind that these objects are namespaced, which means they will be in the same namespace as the ingress object.

Answer 1 (score: 0)

To secure the Ingress, first you have to add the ClusterIssuer to your Ingress resource; cert-manager will then pick it up and create the certificate resource for you.

kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: nameOfClusterIssuer

Second, you have to add tls <= this tells cert-manager to create the certificate (key/cert pair) through the ClusterIssuer.

Third, you have to add secretName: myingress <= this is where cert-manager will store the tls secret (after creating the key/cert pair and storing it for you).
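Putting both answers together, here is the question's own Ingress with the cluster-issuer annotation and the tls block applied. This is an added example, not code from the question or from cert-manager; the Secret name hyhaus-tls is an assumption.

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-srv
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
    # Tells cert-manager which ClusterIssuer should issue the certificate
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
    # Listing the host here is what makes cert-manager request a certificate
    - hosts:
        - www.hyhaus.xyz
      # cert-manager stores the issued key/cert pair in this Secret, and the
      # ingress controller serves it instead of its placeholder certificate.
      # The name is an assumption; any Secret name works.
      secretName: hyhaus-tls
  rules:
    - host: www.hyhaus.xyz
      http:
        paths:
          - path: /api/?(.*)
            backend:
              serviceName: devback-srv
              servicePort: 4000
          - path: /?(.*)
            backend:
              serviceName: devfront-srv
              servicePort: 3000
```

After applying it, kubectl get certificate in the Ingress's namespace should list a Certificate for that Secret. Note that the staging issuer used here signs with the Let's Encrypt staging CA, which browsers also do not trust, so a browser-trusted certificate needs a ClusterIssuer pointing at the production ACME server.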
