Custom certificate issue on Ingress Controller with Helm chart

Posted on 2025-01-31 09:31:18

I am using the ABP framework microservice template. I have deployed the application on Kubernetes using the helm chart.

I have the following Helm chart configuration in values.yaml, which is provided by the ABP framework.

authserver:
  config:
    # configuration sections
  ingress:
    host: auth-server-v1.mydomain.com
    tlsSecret: mysecret-app-tls
  image:
    repository: myrepository.azurecr.io/auth-server
    tag: 1.0.0
# same configuration for other services and gateways

image:
  repository: nginx
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: false # don't know why it's disabled
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local # don't know what domain should be here
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []

#install application command

helm upgrade --install name-st name --namespace default --create-namespace

#Ingress yaml configuration.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-st-angular-ingress
  namespace: default
  uid: 385d12fa-7fe6-4ca7-9d16-b851ac4c7e2c
  resourceVersion: '11744926'
  generation: 1
  creationTimestamp: '2022-05-21T08:10:39Z'
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
    meta.helm.sh/release-name: name-st
    meta.helm.sh/release-namespace: default
    nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-buffer-size: 32k
    nginx.ingress.kubernetes.io/proxy-buffers-number: '8'
    nginx.ingress.kubernetes.io/rewrite-target: /
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-05-21T08:10:39Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:cert-manager.io/cluster-issuer: {}
            f:kubernetes.io/ingress.class: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
            f:nginx.ingress.kubernetes.io/force-ssl-redirect: {}
            f:nginx.ingress.kubernetes.io/proxy-buffer-size: {}
            f:nginx.ingress.kubernetes.io/proxy-buffers-number: {}
            f:nginx.ingress.kubernetes.io/rewrite-target: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
        f:spec:
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-05-21T08:11:10Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
      subresource: status
  selfLink: >-
    /apis/networking.k8s.io/v1/namespaces/default/ingresses/name-st-auth-ingress
status:
  loadBalancer:
    ingress:
      - ip: #.#.#.#
spec:
  tls:
    - hosts:
        - auth-server-v1.mydomain.com
      secretName: mysecret-app-tls
  rules:
    - host: auth-server-v1.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: name-st-auth
                port:
                  number: 80

#Created the secret with the following command.

kubectl create secret tls mysecret-app-tls --key cert.key --cert cert.crt

All the services and ingress were created successfully, but I got a certificate issue and it is not serving on HTTPS. Invalid certificate.

Comments (1)

妥活 2025-02-07 09:31:18

If your cert is self-signed it will give the invalid cert address or not have a proper Common and domain name.

Looks like your ingress is getting created from here

ingress:
    host: auth-server-v1.mydomain.com
    tlsSecret: mysecret-app-tls

You can accordingly change the tlsSecret to one which stores a proper certificate, not a self-signed one.

You can also use cert-manager, which will auto-create the certificate signed by Let's Encrypt and save it to the secret.

Cert-manager : https://cert-manager.io/docs/
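
The conditions the answer names (a self-signed certificate, a name that does not cover the Ingress host), plus expiry and a key/certificate mismatch, can be checked offline with openssl. This is an added example, not part of the original question or answer; the file names tls.crt and tls.key and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: offline checks on the certificate/key pair stored in a TLS Secret.
# Export the pair first (Secret name and namespace as used on this page):
#   kubectl get secret mysecret-app-tls -n default -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
#   kubectl get secret mysecret-app-tls -n default -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key

# True when the leaf certificate is valid for the host. openssl falls back to the CN
# when there is no SAN; browsers ignore the CN, so a CN-only certificate can pass
# here and still be rejected by a browser.
cert_covers_host() {  # <cert.pem> <host>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True when subject and issuer are the same name: no CA issued this certificate,
# so clients reject it unless they were told to trust it explicitly.
cert_is_self_issued() {  # <cert.pem>
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the certificate has not expired yet.
cert_not_expired() {  # <cert.pem>
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True when the private key belongs to the certificate (same public key).
key_matches_cert() {  # <key.pem> <cert.pem>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] &&
        [ "$key_pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Print one line per failed check; the return status is the number of findings.
check_tls_pair() {  # <cert.pem> <key.pem> <host>
    findings=0
    cert_covers_host "$1" "$3" || { echo "FAIL: certificate does not cover $3"; findings=$((findings + 1)); }
    cert_is_self_issued "$1" && { echo "FAIL: certificate is self-issued"; findings=$((findings + 1)); }
    cert_not_expired "$1" || { echo "FAIL: certificate has expired"; findings=$((findings + 1)); }
    key_matches_cert "$2" "$1" || { echo "FAIL: key does not match certificate"; findings=$((findings + 1)); }
    return "$findings"
}

# Usage: sh check-tls.sh tls.crt tls.key auth-server-v1.mydomain.com
if [ "$#" -eq 3 ]; then check_tls_pair "$@"; fi
```

When tls.crt holds a chain, openssl reads the first certificate in the file, so the checks apply to the leaf as long as it is listed first.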
