[Title]: SSL Certificates on Kubernetes Using ACME
[Posted]: 2021-04-05 18:24:53
[Question]:

I have been following this tutorial: https://cert-manager.io/docs/, and after I installed cert-manager and made sure its pods were running with kubectl get pods --namespace cert-manager,

cert-manager-5597cff495-l5hjs             1/1     Running   0          91m
cert-manager-cainjector-bd5f9c764-xrb2t   1/1     Running   0          91m
cert-manager-webhook-5f57f59fbc-q5rqs     1/1     Running   0          91m

I then followed this tutorial https://cert-manager.io/docs/configuration/acme/ to configure cert-manager with an ACME issuer.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: aidenhsy@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx

Here is my full ingress config file:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-srv
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
  rules:
    - host: www.hyhaus.xyz
      http:
        paths:
          - path: /api/?(.*)
            backend:
              serviceName: devback-srv
              servicePort: 4000
          - path: /?(.*)
            backend:
              serviceName: devfront-srv
              servicePort: 3000
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    service.beta.kubernetes.io/do-loadbalancer-hostname: 'www.hyhaus.xyz'
  labels:
    helm.sh/chart: ingress-nginx-2.0.3
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: aidenhsy@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx

But when I browse to my site, the browser warns: the security certificate is not trusted by your computer's operating system. When I look at the certificate, it shows as self-signed, which is not what I actually want. Am I doing something wrong here?

[Discussion]:

    Tags: ssl kubernetes


    [Answer 1]:

    This is the placeholder certificate served by the nginx ingress controller. When you see it, it means the endpoint has no other (dedicated) certificate.

    The first reason this happens is that your Ingress is missing the necessary data. Update it with this:

    metadata:
      annotations:
        # which issuer to use
        cert-manager.io/cluster-issuer: "letsencrypt-staging"
    spec:
      tls: # placing a host in TLS config indicates that a certificate should be created
      - hosts:
        - example.org
        - www.example.org
        - xyz.example.org
        secretName: myingress-cert # cert-manager will store the created certificate in this secret
    

    The documentation for the Ingress object is here.

    If the above does not help, try the troubleshooting steps provided by the documentation. In my experience, checking the CertificateRequest and Certificate resources is enough to identify the problem in most cases.

    $ kubectl get certificate
    $ kubectl describe certificate <certificate-name>
    $ kubectl get certificaterequest
    $ kubectl describe certificaterequest <CertificateRequest name>
    

    Keep in mind that these objects are namespaced, meaning they will live in the same namespace as the Ingress object.

    [Discussion]:
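The fix described in the answer above, applied to the asker's own names, as an added example that is not part of the original post or of cert-manager's documentation. It assumes the host, services and ClusterIssuer from the question; the TLS secret name hyhaus-tls is an assumption. The rendered Ingress also moves from networking.k8s.io/v1beta1 to networking.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22), which requires a pathType; ImplementationSpecific keeps the nginx regex paths working. The classify_cert helper tells the ingress-nginx placeholder (CN "Kubernetes Ingress Controller Fake Certificate") apart from a Let's Encrypt staging chain and a production one, so you can confirm what the endpoint is actually serving.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the asker's names:
# host www.hyhaus.xyz, services devback-srv:4000 and devfront-srv:3000,
# ClusterIssuer letsencrypt-staging. The secret name hyhaus-tls is assumed.
set -eu

# Render the Ingress with the two pieces the original manifest lacked:
# the cert-manager.io/cluster-issuer annotation and a spec.tls entry.
# cert-manager's ingress-shim creates a Certificate named after secretName
# and stores the issued key pair in that Secret.
render_ingress() {
  host="$1"; issuer="$2"; secret="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-srv
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
    cert-manager.io/cluster-issuer: "${issuer}"
spec:
  tls:
    - hosts:
        - ${host}
      secretName: ${secret}
  rules:
    - host: ${host}
      http:
        paths:
          - path: /api/?(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: devback-srv
                port:
                  number: 4000
          - path: /?(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: devfront-srv
                port:
                  number: 3000
EOF
}

# Classify a served certificate from the "subject=..." / "issuer=..." lines
# that `openssl x509 -noout -subject -issuer` prints.
# Prints one of: placeholder, staging, production, other.
# The staging check must come before the production one, because the staging
# issuer name also contains "Let's Encrypt".
classify_cert() {
  x509_text="$1"
  case "$x509_text" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo placeholder ;;
    *"(STAGING)"*) echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *) echo other ;;
  esac
}

# Fetch the certificate a host actually serves (needs network access).
served_cert_text() {
  host="$1"
  openssl s_client -connect "${host}:443" -servername "${host}" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Apply the Ingress, then check the Certificate cert-manager created for it
# and what the endpoint serves. Call main after sourcing this file.
main() {
  render_ingress www.hyhaus.xyz letsencrypt-staging hyhaus-tls | kubectl apply -f -
  kubectl get certificate hyhaus-tls
  classify_cert "$(served_cert_text www.hyhaus.xyz)"
}
```

Source the file and run main to apply the manifest and print the classification. One caveat the question does not mention: even once the Certificate is Ready, a certificate from the staging endpoint (acme-staging-v02) is signed by a staging CA that browsers do not trust, so the browser warning only disappears after the ClusterIssuer's server is switched to https://acme-v02.api.letsencrypt.org/directory (with a different privateKeySecretRef name) and the certificate is reissued.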

      [Answer 2]:

      To secure the Ingress, first you have to add the ClusterIssuer to your Ingress resource; cert-manager will then pick it up and create the Certificate resource for you:

      kind: Ingress
      metadata:
        annotations:
          cert-manager.io/cluster-issuer: nameOfClusterIssuer

      Second, you have to add tls.

      Third, you have to add secretName: myingress.

      [Discussion]:
