I am trying to configure an Issuer:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: zelafy-homeserver-letsencrypt
  namespace: istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: xxxxxx@hotmail.com
    privateKeySecretRef:
      name: zelafy-homeserver-letsencrypt
    solvers:
    - selector:
        dnsNames:
        - "zelafy.xxxx.com"
      http01:
        ingress:
          class: istio
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: zelafy-homeserver-cert #change
  namespace: istio-system
spec:
  secretName: zelafy-homeserver-tls-cert #change
  issuerRef:
    name: zelafy-homeserver-letsencrypt
    kind: Issuer
  commonName: "zelafy.xxx.com"
  dnsNames:
  - "zelafy.xxxx.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: zelafy
  namespace: homeserver
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "zelafy.xxxx.com"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: zelafy-homeserver-tls-cert # This should match the Certificate secretName
    hosts:
    - "zelafy.xxxx.com" # This should match a DNS name in the Certificate
```
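When it tries to validate the certificate, the request is redirected to https and it does not work. But when I remove "httpsRedirect: true", it works fine. I am deploying with a Helm chart. Is there any workaround to prevent the Let's Encrypt traffic from being rerouted to https?

####### 12/2/2021 New update

I removed "httpsRedirect: true". I created 2 gateways, one for HTTP and one for HTTPS: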
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kaka # name of the vservice
  namespace: kaka
spec:
  gateways:
  - kaka-https
  hosts: # incoming host
  - "kaka.mydoamain.com" # domain name
  http:
  - route:
    - destination:
        host: kaka
        subset: prod
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kaka-https
  namespace: kaka
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: kaka-kaka-tls-cert
    hosts:
    - "kaka.mydomain.com"
```
I created a virtual service for HTTP that points to a new nginx deployment for the https redirect; for the ACME traffic, it is not redirected:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kaka-redirect # name of the vservice
  namespace: kaka
spec:
  gateways:
  - kaka-http
  hosts: # incoming host
  - "kaka.mydomain.com" # domain name
  http:
  - name: "acme"
    match:
    - uri:
        prefix: /.well-known/acme-challenge
    route:
    - destination:
        host: kaka
  - name: "redir"
    route:
    - destination:
        host: redirect
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    server {
      listen 80 default_server;
      server_name _;
      return 301 https://$host$request_uri;
    }
---
apiVersion: v1
kind: Service
metadata:
  name: redirect
  labels:
    app: redirect
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: redirect
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redirect
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redirect
  template:
    metadata:
      labels:
        app: redirect
    spec:
      containers:
      - name: redirect
        image: nginx:stable
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/conf.d
          name: config
      volumes:
      - name: config
        configMap:
          name: nginx-config
```
Now it redirects everything to https except the ACME traffic.