I want to create an issuer on my Kubernetes cluster.
I followed the guide at https://cert-manager.io/docs/installation/kubernetes/ and installed cert-manager and helm.
After checking, it seems to be working fine:
% kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7998c69865-754mr              1/1     Running   6          2d21h
cert-manager-webhook-7d6d4c78bc-97g2g      1/1     Running   3          2d21h
cert-manager-cainjector-7b744d56fb-bvwjd   1/1     Running   8          2d21h
But when I test it with the issuer mentioned in the guide, it fails.
test-resources.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
Spec:
  Dns Names:
    example.com
  Issuer Ref:
    Name:       test-selfsigned
  Secret Name:  selfsigned-cert-tls
Status:
  Conditions:
    Last Transition Time:  2021-04-22T12:03:25Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2021-07-21T12:03:25Z
  Not Before:              2021-04-22T12:03:25Z
  Renewal Time:            2021-06-21T12:03:25Z
  Revision:                1
Events:
  Type    Reason     Age  From          Message
  ----    ------     ---- ----          -------
  Normal  Issuing    4s   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  2s   cert-manager  Stored new private key in temporary Secret resource "selfsigned-cert-z8ssc"
  Normal  Requested  2s   cert-manager  Created new CertificateRequest resource "selfsigned-cert-f9kmc"
  Normal  Issuing    1s   cert-manager  The certificate has been successfully issued
What seems to be the problem?
Normally I use the following issuers:
letsencrypt-staging.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration
    email: Email
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx
letsencrypt-prod.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration
    email: email
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx