Flux with Linkerd and cert-manager gives an issuer error

Posted 2025-02-11 04:19:27


I am installing the Linkerd Helm version with Flux and cert-manager for TLS rotation.

cert-manager holds the default config, so there isn't much to talk about there.

Flux and Linkerd use this config:

release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: linkerd
  namespace: linkerd
  
spec:
  interval: 5m
  values:
    identity.issuer.scheme: kubernetes.io/tls
    installNamespace: false
    
  valuesFrom:
  - kind: Secret
    name: linkerd-trust-anchor
    valuesKey: tls.crt
    targetPath: identityTrustAnchorsPEM
  chart:
    spec:
      chart: linkerd2
      version: "2.11.2"
      sourceRef:
        kind: HelmRepository
        name: linkerd
        namespace: linkerd
      interval: 1m

source.yaml

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: linkerd
  namespace: linkerd
spec:
  interval: 5m0s
  url: https://helm.linkerd.io/stable

linkerd-trust-anchor.yaml

apiVersion: v1
data:
  tls.crt: base64encoded
  tls.key: base64encoded
kind: Secret
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
type: kubernetes.io/tls

which was created with:

step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure

issuer.yaml

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth

Now when it comes time to reconcile, I get this error in the HelmRelease:

Helm install failed: execution error at (linkerd2/templates/identity.yaml:19:21): Please provide the identity issuer certificate

However, doing it manually works perfectly:

helm install linkerd2 \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set identity.issuer.scheme=kubernetes.io/tls \
  --set installNamespace=false linkerd/linkerd2 \
  -n linkerd

It also works if I have the same setup but without cert-manager and with the certificates declared manually (with a different secret name, as Linkerd will create it on its own), like this:

valuesFrom:
  - kind: Secret
    name: linkerd-trust-anchor
    valuesKey: tls.crt
    targetPath: identityTrustAnchorsPEM
  - kind: Secret
    name: linkerd-identity-issuer-2
    valuesKey: tls.crt
    targetPath: identity.issuer.tls.crtPEM
  - kind: Secret
    name: linkerd-identity-issuer-2
    valuesKey: tls.key
    targetPath: identity.issuer.tls.keyPEM

Am I missing something?


Comments (1)

倥絔 2025-02-18 04:19:27


The problem lies here:

values:
    identity.issuer.scheme: kubernetes.io/tls

It should be:

values:
    identity:
      issuer:
        scheme: kubernetes.io/tls

Otherwise, Helm won't recognize it and Linkerd will think the schema is linkerd.io/tls, which doesn't match the schema structure of a Kubernetes TLS secret.
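The reason the answer works comes down to how values reach the chart. `helm --set identity.issuer.scheme=...` splits the dotted path and builds nested maps, whereas a YAML map key written as `identity.issuer.scheme:` in a HelmRelease stays one literal key that the chart never reads, so the chart's own default scheme wins. The script below is an added example (not code from the question, the answer, Flux or Linkerd) that models both paths. The `CHART_DEFAULTS` map and `render_identity_check` are assumptions approximating the chart's default `linkerd.io/tls` scheme and its "Please provide the identity issuer certificate" guard; the values maps are constructed from the YAML in the question and the answer.

```python
"""Flat dotted YAML key vs. nested map vs. `helm --set`, and why the
Linkerd chart then falls back to its default scheme.

Added example, not code from the question, the answer, Flux or Linkerd.
"""
from __future__ import annotations

import copy
from typing import Any

# ASSUMPTION: approximation of the chart defaults the answer refers to.
# The chart defaults the scheme to linkerd.io/tls, which expects PEM values.
CHART_DEFAULTS: dict[str, Any] = {
    "identity": {
        "issuer": {
            "scheme": "linkerd.io/tls",
            "tls": {"crtPEM": "", "keyPEM": ""},
        }
    },
    "installNamespace": True,
}

# Constructed: what a YAML loader produces for the HelmRelease `values:`
# block in the question. The dotted key is ONE literal map key.
FLAT_VALUES: dict[str, Any] = {
    "identity.issuer.scheme": "kubernetes.io/tls",
    "installNamespace": False,
}

# Constructed: the corrected nested form from the answer.
NESTED_VALUES: dict[str, Any] = {
    "identity": {"issuer": {"scheme": "kubernetes.io/tls"}},
    "installNamespace": False,
}


def deep_merge(base: dict, override: dict) -> dict:
    """Helm-style merge of user values over chart defaults: override wins,
    nested maps merge recursively, unknown keys are carried along unused."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def set_dotted(values: dict, path: str, value: Any) -> dict:
    """Mimic `helm --set a.b.c=v`: split on '.' and build nested maps."""
    node = values
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value
    return values


def lookup(values: dict, path: str, default: Any = None) -> Any:
    """Template-style lookup of `.Values.a.b.c` through nested maps only."""
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def find_flat_keys(values: dict, prefix: str = "") -> list[str]:
    """Lint for HelmRelease values: map keys containing '.' are taken
    literally by Helm and silently ignored by the chart templates."""
    found: list[str] = []
    for key, value in values.items():
        full = f"{prefix}{key}"
        if "." in key:
            found.append(full)
        if isinstance(value, dict):
            found.extend(find_flat_keys(value, full + "/"))
    return found


def render_identity_check(values: dict) -> str | None:
    """ASSUMPTION: approximates the chart's identity template guard. With
    scheme linkerd.io/tls the chart requires identity.issuer.tls.crtPEM;
    with kubernetes.io/tls it reads the Secret instead. Returns the error
    text the chart would emit, or None when rendering would proceed."""
    merged = deep_merge(CHART_DEFAULTS, values)
    scheme = lookup(merged, "identity.issuer.scheme")
    if scheme == "linkerd.io/tls" and not lookup(merged, "identity.issuer.tls.crtPEM"):
        return "Please provide the identity issuer certificate"
    return None


def cli_values() -> dict:
    """Values as built by the working `helm install --set ...` command."""
    values: dict[str, Any] = {}
    set_dotted(values, "identity.issuer.scheme", "kubernetes.io/tls")
    set_dotted(values, "installNamespace", False)
    return values


if __name__ == "__main__":
    for label, vals in (("flat", FLAT_VALUES), ("nested", NESTED_VALUES), ("cli", cli_values())):
        print(f"{label:6} flat keys={find_flat_keys(vals)} -> {render_identity_check(vals)}")
```

Running it shows the flat HelmRelease values reproduce the "Please provide the identity issuer certificate" failure because the merged scheme is still `linkerd.io/tls`, while the nested form and the `--set` form produce identical maps and pass. The `find_flat_keys` lint is the check worth running over any HelmRelease before reconciling: a dotted key in `values:` is almost always a CLI habit carried into YAML.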
