【Posted】: 2024-01-23 14:26:01
【Question】:
I have this working on one site app I've already set up, and now I just want to replicate exactly the same thing for a different site/domain in another namespace.
So staging.correct.com is my working https domain
and staging.example.com is my non-working https domain (http works, just not https)
When I run the following it shows 3 certificates: the correct working one, and then 2 for example.com, when there should only be one:
kubectl get -A certificates
NAMESPACE   NAME                          READY   SECRET                    AGE
correct     staging-correct-com           True    staging-correct-com-tls   10d
example     staging-example-com           False   staging-example-com-tls   16h
example     staging-example-website-com   False   staging-example-com-tls   17h
When I run: kubectl get -A certificaterequests it shows 2 certificate requests for example
NAMESPACE   NAME                                READY   AGE
example     staging-example-com-nl46v           False   15h
example     staging-example-website-com-plhqb   False   15h
When I run: kubectl get ingressroute -A
NAMESPACE NAME AGE
correct correct-ingress-route 10d
correct correct-secure-ingress-route 6d22h
kube-system traefik-dashboard 26d
example example-website-ingress-route 15h
example example-website-secure-ingress-route 15h
routing dashboard 29d
routing traefik-dashboard 6d21h
When I run: kubectl get secrets -A (only the relevant ones shown)
NAMESPACE   NAME                                TYPE
correct     default-token-bphcm                 kubernetes.io/service-account-token
correct     staging-correct-com-tls             kubernetes.io/tls
example     default-token-wx9tx                 kubernetes.io/service-account-token
example     staging-example-com-tls             Opaque
example     staging-example-com-wf224           Opaque
example     staging-example-website-com-rzrvw   Opaque
Logs from the cert-manager pod:
1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "msg"="found one existing HTTP01 solver ingress" "dnsName"="staging.example.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-bqjsj" "related_resource_namespace"="example" "related_resource_version"="v1beta1" "resource_kind"="Challenge" "resource_name"="staging-example-com-ltjl6-1661100417-771202110" "resource_namespace"="example" "resource_version"="v1" "type"="HTTP-01"
When I run: kubectl get challenges -A
example staging-example-com-nl46v-1661100417-2848337980 staging.example.com 15h
example staging-example-website-com-plhqb-26564845-3987262508 pending staging.example.com
When I run: kubectl get order -A
NAMESPACE NAME STATE AGE
example staging-example-com-nl46v-1661100417 pending 17h
example staging-example-website-com-plhqb-26564845 pending 17h
My yml files:
My ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: example
  name: example-website-ingress-route
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.frontend.redirect.entryPoint: https
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`staging.example.com`)
      middlewares:
        - name: https-only
      kind: Rule
      services:
        - name: example-website
          namespace: example
          port: 80
My issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer-staging
  namespace: example
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: example@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: staging-example-com-tls
    # Enable the HTTP-01 challenge provider
    solvers:
      # An empty 'selector' means that this solver matches all domains
      - http01:
          ingress:
            class: traefik
My middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-only
  namespace: example
spec:
  redirectScheme:
    scheme: https
    permanent: true
My secure ingress route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: example
  name: example-website-secure-ingress-route
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: example-issuer-staging
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.frontend.redirect.entryPoint: https
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`staging.example.com`)
      kind: Rule
      services:
        - name: example-website
          namespace: example
          port: 80
  tls:
    domains:
      - main: staging.example.com
    options:
      namespace: example
    secretName: staging-example-com-tls
My service:
apiVersion: v1
kind: Service
metadata:
  namespace: example
  name: 'example-website'
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      name: http
      port: 80
      targetPort: 80
    - protocol: TCP
      name: https
      port: 443
      targetPort: 80
  selector:
    app: 'example-website'
My solver:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: staging-example-com
  namespace: example
spec:
  secretName: staging-example-com-tls
  issuerRef:
    name: example-issuer-staging
    kind: Issuer
  commonName: staging.example.com
  dnsNames:
    - staging.example.com
My app:
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  namespace: example
  name: 'example-website'
  labels:
    app: 'example-website'
    tier: 'frontend'
spec:
  replicas: 1
  selector:
    matchLabels:
      app: 'example-website'
  template:
    metadata:
      labels:
        app: 'example-website'
    spec:
      containers:
        - name: example-website-container
          image: richarvey/nginx-php-fpm:1.10.3
          imagePullPolicy: Always
          env:
            - name: SSH_KEY
              value: 'secret'
            - name: GIT_REPO
              value: 'url of source code for site'
            - name: GIT_EMAIL
              value: 'example@example.com'
            - name: GIT_NAME
              value: 'example'
          ports:
            - containerPort: 80
How do I delete all of these secrets, orders, certificates and so on in the example namespace and try again? Does cert-manager let you do that without continuously restarting them?
Edit:
I deleted the namespace and redeployed, then:
kubectl describe certificate staging-example-com -n example
Spec:
  Common Name:  staging.example.com
  Dns Names:
    staging.example.com
  Issuer Ref:
    Kind:       Issuer
    Name:       example-issuer-staging
  Secret Name:  staging-example-com-tls
Status:
  Conditions:
    Last Transition Time:  2020-09-26T21:25:06Z
    Message:               Issuing certificate as Secret does not contain a certificate
    Reason:                MissingData
    Status:                False
    Type:                  Ready
    Last Transition Time:  2020-09-26T21:25:07Z
    Message:               Issuing certificate as Secret does not exist
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
  Next Private Key Secret Name:  staging-example-com-gnbl4
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Issuing    3m10s  cert-manager  Issuing certificate as Secret does not exist
  Normal  Reused     3m10s  cert-manager  Reusing private key stored in existing Secret resource "staging-example-com-tls"
  Normal  Requested  3m9s   cert-manager  Created new CertificateRequest resource "staging-example-com-qrtfx"
Then I did:
kubectl describe certificaterequest staging-example-com-qrtfx -n example
Status:
  Conditions:
    Last Transition Time:  2020-09-26T21:25:10Z
    Message:               Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age    From          Message
  ----    ------        ----   ----          -------
  Normal  OrderCreated  8m17s  cert-manager  Created Order resource example/staging-example-com-qrtfx-1661100417
  Normal  OrderPending  8m17s  cert-manager  Waiting on certificate issuance from order example/staging-example-com-qrtfx-1661100417: ""
So I did:
kubectl describe challenge staging-example-com-qrtfx-1661100417 -n example
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'
  State:       pending
Events:
  Type    Reason     Age  From          Message
  ----    ------     ---- ----          -------
  Normal  Started    11m  cert-manager  Challenge scheduled for processing
  Normal  Presented  11m  cert-manager  Presented challenge using HTTP-01 challenge mechanism
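An added check on the manifests above (editor's example, not part of the question and not cert-manager code). cert-manager stores the ACME account private key in the Secret named by the Issuer's `privateKeySecretRef` (an `Opaque` Secret with a `tls.key` entry), while a Certificate's `secretName` is where the issued leaf certificate and its key are written. Here both are `staging-example-com-tls`, and two Certificates target that same Secret, which fits the `Opaque` type in the secret listing and the `Reusing private key stored in existing Secret resource` event. The script encodes the posted manifests as Python dicts (constructed from the YAML above; the second Certificate is taken from the `kubectl get -A certificates` listing) and cross-references them; `FIXED` is one corrected layout, where the account-key Secret name `example-issuer-staging-account-key` is an assumed name. Whether the challenge URL returns 404 is a routing question that this check does not decide.

```python
"""Cross-check cert-manager and Traefik manifests for Secret-name conflicts.
Added example: plain dicts instead of YAML so it runs without PyYAML or a cluster."""


def _ref(obj):
    """namespace/name for messages."""
    return f"{obj['metadata'].get('namespace', 'default')}/{obj['metadata']['name']}"


def check_manifests(objs):
    """Return a list of findings; an empty list means no conflict was found."""
    findings = []
    account_keys = {}  # (namespace, secret) -> Issuer keeping its ACME account key there
    cert_secrets = {}  # (namespace, secret) -> Certificates that write that Secret
    for obj in objs:
        ns = obj["metadata"].get("namespace", "default")
        if obj["kind"] == "Issuer":
            # Only a namespaced Issuer can collide: a ClusterIssuer keeps its account
            # key in cert-manager's own namespace.
            name = obj["spec"].get("acme", {}).get("privateKeySecretRef", {}).get("name")
            if name:
                account_keys[(ns, name)] = _ref(obj)
        elif obj["kind"] == "Certificate":
            cert_secrets.setdefault((ns, obj["spec"]["secretName"]), []).append(_ref(obj))

    for (ns, secret), certs in cert_secrets.items():
        if (ns, secret) in account_keys:
            findings.append(
                f"Secret {ns}/{secret} is both the ACME account key of Issuer "
                f"{account_keys[(ns, secret)]} and the TLS secret of Certificate "
                f"{', '.join(certs)}; give privateKeySecretRef its own Secret name")
        if len(certs) > 1:
            findings.append(
                f"Certificates {', '.join(certs)} all write Secret {ns}/{secret}; "
                "keep exactly one Certificate per Secret")

    for obj in objs:
        if obj["kind"] != "IngressRoute":
            continue
        ns = obj["metadata"].get("namespace", "default")
        tls_secret = obj["spec"].get("tls", {}).get("secretName")
        if tls_secret and (ns, tls_secret) not in cert_secrets:
            findings.append(f"IngressRoute {_ref(obj)} references TLS Secret {ns}/{tls_secret} "
                            "that no Certificate produces")
        if "cert-manager.io/issuer" in obj["metadata"].get("annotations", {}):
            # ingress-shim only creates Certificates from networking.k8s.io Ingress objects.
            findings.append(f"IngressRoute {_ref(obj)} carries cert-manager.io/issuer, but "
                            "cert-manager's ingress-shim only acts on Ingress objects, so the "
                            "annotation is inert here")
    return findings


# Constructed from the YAML posted above (only the fields the checks read).
POSTED = [
    {"kind": "Issuer", "metadata": {"name": "example-issuer-staging", "namespace": "example"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "staging-example-com-tls"}}}},
    {"kind": "Certificate", "metadata": {"name": "staging-example-com", "namespace": "example"},
     "spec": {"secretName": "staging-example-com-tls"}},
    # Not posted as YAML; taken from the `kubectl get -A certificates` listing.
    {"kind": "Certificate", "metadata": {"name": "staging-example-website-com", "namespace": "example"},
     "spec": {"secretName": "staging-example-com-tls"}},
    {"kind": "IngressRoute", "metadata": {"name": "example-website-ingress-route", "namespace": "example",
                                          "annotations": {"cert-manager.io/issuer": "example-issuer-staging"}},
     "spec": {}},
    {"kind": "IngressRoute", "metadata": {"name": "example-website-secure-ingress-route", "namespace": "example",
                                          "annotations": {"cert-manager.io/issuer": "example-issuer-staging"}},
     "spec": {"tls": {"secretName": "staging-example-com-tls"}}},
]

# One conflict-free layout: the account key gets its own (assumed) Secret name and
# exactly one Certificate writes the TLS Secret the IngressRoute serves.
FIXED = [
    {"kind": "Issuer", "metadata": {"name": "example-issuer-staging", "namespace": "example"},
     "spec": {"acme": {"privateKeySecretRef": {"name": "example-issuer-staging-account-key"}}}},
    {"kind": "Certificate", "metadata": {"name": "staging-example-com", "namespace": "example"},
     "spec": {"secretName": "staging-example-com-tls"}},
    {"kind": "IngressRoute", "metadata": {"name": "example-website-secure-ingress-route", "namespace": "example"},
     "spec": {"tls": {"secretName": "staging-example-com-tls"}}},
]

if __name__ == "__main__":
    for finding in check_manifests(POSTED) or ["no findings"]:
        print("-", finding)
    print("fixed layout:", check_manifests(FIXED) or "no findings")
```

The same cross-reference can be run against live objects by feeding it `kubectl get issuer,certificate,ingressroute -n example -o json` (the `items` array has the same `kind`/`metadata`/`spec` shape), which is a quicker first look than deleting the namespace and redeploying.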
【Comments】:
-
Could you do a DNS challenge instead? It is much easier to work with.
-
I could, but I got it working on my other domain with the HTTP challenge and I'd like to stay consistent. Do you know how I can delete all these challenges for the example namespace so I can try again? Or do I have to uninstall my helm cert-manager chart and reinstall?
-
Hmm, each request lives on the receiving end, so there's nothing to do! :) But you can create a new CertManager Issuer and use DNS credentials that can resolve. So, ignore what you've done and start a new DNS challenge :)
-
I'd like to get it working with http if possible. I ran kubectl get secrets --all-namespaces: correct default-token-bphcm kubernetes.io/service-account-token correct staging-correct-com-tls kubernetes.io/tls while: example default-token-wx9tx kubernetes.io/service-account-token 3 23h example staging-example-com-tls Opaque shows the secret as Opaque? when my other working one shows differently
-
I found an error saying: Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'
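What the `wrong status code '404', expected '200'` line in the edit means, as an added example (editor's code, not cert-manager's and not the poster's): before it asks Let's Encrypt to validate, cert-manager runs a self-check that fetches `http://<dnsName>/.well-known/acme-challenge/<token>` and requires HTTP 200 with a body equal to the key authorization, `<token>.<thumbprint of the ACME account key>`. The cert-manager log line above shows that the solver is a plain `Ingress` (`cm-acme-http-solver-bqjsj`) matched by host, so a 404 means the request for that host and path reached something other than the solver pod; with Traefik, that means checking that its Kubernetes `Ingress` provider is enabled (the IngressRoute CRD provider alone does not route `Ingress` objects) and that the `web` entrypoint routes the host. The script reproduces the check offline: a loopback server routes on (Host, path) the way a `Host()` rule does, and `self_check` issues the same GET with an explicit `Host:` header, which is also how you probe a cluster from outside (`curl -H 'Host: staging.example.com' http://<node-ip>/.well-known/acme-challenge/<token>`). `SAMPLE_JWK` holds placeholder coordinates, not a real key, and the token values are made up.

```python
"""Offline reproduction of cert-manager's HTTP-01 self-check (added example, stdlib only)."""
import base64
import hashlib
import http.server
import json
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed JWK with placeholder coordinates: the check only needs its thumbprint,
# so no real key material is involved.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """Body the solver must serve for the token: '<token>.<account key thumbprint>' (RFC 8555 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class HostRoutedHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the ingress controller: routes on (Host, path) like a Traefik Host() rule.
    Anything unregistered gets a 404, which is what a site backend or a missing route answers."""

    routes = {}  # (host, path) -> response body; replaced per server in serve()

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body = self.routes.get((host, self.path))
        if body is None:
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b"not found")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))

    def log_message(self, *args):  # silence per-request logging
        pass


def serve(routes):
    """Start the fake ingress on a random loopback port; returns (server, base_url)."""
    handler = type("Handler", (HostRoutedHandler,), {"routes": dict(routes)})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def self_check(base_url, host, token, jwk):
    """Same contract as cert-manager's self-check: GET the challenge URL for `host` and
    require HTTP 200 with a body equal to the key authorization. Returns (ok, reason)."""
    req = urllib.request.Request(base_url + ACME_PATH + token, headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode("utf-8").strip()
    except urllib.error.HTTPError as err:
        return False, f"wrong status code '{err.code}', expected '200'"
    if body != key_authorization(token, jwk):
        return False, "response body did not match key authorization"
    return True, "ok"


if __name__ == "__main__":
    token = "constructed-token"
    srv, base = serve({("staging.example.com", ACME_PATH + token): key_authorization(token, SAMPLE_JWK)})
    print(self_check(base, "staging.example.com", token, SAMPLE_JWK))   # solver routed for this host
    print(self_check(base, "staging.example.com", "other", SAMPLE_JWK))  # nothing routed: 404
    srv.shutdown()
```

Two of the failure modes the self-check distinguishes are worth reading from the reason string: a 404 means routing (the solver Ingress is not being served for that host), while a body mismatch with a 200 means the right path was reached but the response belongs to a different account key or challenge, for example a stale solver left over from an earlier attempt.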
Tags: kubernetes ssl-certificate traefik cert-manager