【Posted】: 2020-10-12 22:58:30
【Question】:
A deployment in a GKE cluster using Istio works fine over HTTP. But when I try to secure it with cert-manager using the resources below, HTTPS requests fail; curl, for example, gives
`Immediate connect fail for 64:ff9b::2247:fd8a: Network is unreachable
* connect to 34.71.253.138 port 443 failed: Connection refused`.
What should I do to make it work over HTTPS as well?
A ClusterIssuer with the following configuration:

    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
      namespace: istio-system
    spec:
      acme:
        # The ACME server URL
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        # Email address used for ACME registration
        email: iprocureservers@iprocu.re
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
          name: letsencrypt-staging
        solvers:
        # ACME DNS-01 provider configurations
        - dns01:
            # Google Cloud DNS
            clouddns:
              # Secret from the google service account key
              serviceAccountSecretRef:
                name: cert-manager-credentials
                key: gcp-dns-admin.json
              # The project in which to update the DNS zone
              project: iprocure-server
A Certificate configured like this, which reaches the Ready: True state:

    apiVersion: cert-manager.io/v1alpha3
    kind: Certificate
    metadata:
      name: letsencrypt-staging
      namespace: istio-system
    spec:
      secretName: letsencrypt-staging
      commonName: "*.iprocure.tk"
      dnsNames:
      - '*.iprocure.tk'
      issuerRef:
        name: letsencrypt-staging
        kind: ClusterIssuer
And finally the Gateway:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: iprocure-gateway
      namespace: default
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
        tls:
          httpsRedirect: false
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "*"
        tls:
          mode: SIMPLE
          credentialName: letsencrypt-staging
When I run `kubectl describe certificate -n istio-system`:

    Name:         letsencrypt-staging
    Namespace:    istio-system
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-10-13T13:32:37Z
      Generation:          1
      Resource Version:    28030994
      Self Link:           /apis/cert-manager.io/v1/namespaces/istio-system/certificates/letsencrypt-staging
      UID:                 ad838d28-5349-4aaa-a618-cc3bfc316e6e
    Spec:
      Common Name:  *.iprocure.tk
      Dns Names:
        *.iprocure.tk
      Issuer Ref:
        Kind:       ClusterIssuer
        Name:       letsencrypt-staging-clusterissuer
      Secret Name:  letsencrypt-staging-cert-secret
    Status:
      Conditions:
        Last Transition Time:  2020-10-13T13:35:05Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2021-01-11T12:35:05Z
      Not Before:              2020-10-13T12:35:05Z
      Renewal Time:            2020-12-12T12:35:05Z
      Revision:                1
    Events:                    <none>
Running `kubectl get certificates -o wide -n istio-system` produces:

    NAME                 READY   SECRET                            ISSUER                              STATUS                                          AGE
    letsencrypt-staging  True    letsencrypt-staging-cert-secret   letsencrypt-staging-clusterissuer   Certificate is up to date and has not expired   17h
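One thing worth checking in the resources above is whether the Gateway's `tls.credentialName` (`letsencrypt-staging`) actually names the Secret that cert-manager writes (the describe output shows `letsencrypt-staging-cert-secret`) in the namespace where the Istio ingress gateway runs. The following check is an added example, not code from the question or from the Istio or cert-manager projects; it re-types the question's resources as Python dicts (using the names from the `kubectl describe` output) and assumes the ingress gateway lives in `istio-system`.

```python
# Assumed: the Istio ingress gateway runs in istio-system, so a Gateway's
# tls.credentialName must name a Secret in that namespace (Istio's SDS rule).
INGRESS_NAMESPACE = "istio-system"

# Constructed input: the question's resources re-typed as dicts, trimmed to the
# fields the check needs. The Certificate's secretName follows the kubectl
# describe output, which differs from the first manifest in the question.
CERTIFICATES = [{
    "metadata": {"name": "letsencrypt-staging", "namespace": "istio-system"},
    "spec": {"secretName": "letsencrypt-staging-cert-secret",
             "dnsNames": ["*.iprocure.tk"]},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}]
GATEWAY = {
    "metadata": {"name": "iprocure-gateway", "namespace": "default"},
    "spec": {"servers": [
        {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
         "hosts": ["*"], "tls": {"httpsRedirect": False}},
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
         "hosts": ["*"],
         "tls": {"mode": "SIMPLE", "credentialName": "letsencrypt-staging"}},
    ]},
}

def is_ready(cert):
    """True when cert-manager reports the Ready condition as True."""
    return any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in cert.get("status", {}).get("conditions", []))

def check_gateway_tls(gateway, certificates, ingress_ns=INGRESS_NAMESPACE):
    """One finding per HTTPS server whose credential cannot be served;
    an empty list means every credentialName maps to a ready Certificate."""
    by_secret = {c["spec"]["secretName"]: c for c in certificates
                 if c["metadata"]["namespace"] == ingress_ns}
    findings = []
    for srv in gateway["spec"]["servers"]:
        port = srv["port"]
        if port["protocol"] != "HTTPS":
            continue  # plain HTTP servers need no credential
        label = f"server {port['name']}:{port['number']}"
        cred = srv.get("tls", {}).get("credentialName")
        if not cred:
            findings.append(f"{label}: tls.credentialName is missing")
        elif cred not in by_secret:
            findings.append(f"{label}: credentialName {cred!r} matches no "
                            f"Certificate secretName in {ingress_ns} "
                            f"(known: {sorted(by_secret)})")
        elif not is_ready(by_secret[cred]):
            findings.append(f"{label}: Certificate for {cred!r} is not Ready")
    return findings
```

Run against the question's resources it reports the 443 server's credential as unresolved; with `credentialName` changed to `letsencrypt-staging-cert-secret` it reports nothing, which is the state Envoy needs before it binds the HTTPS listener.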
【Comments】:

- As mentioned here, `my.example.com # This should match a DNS name in the Certificate`. Could you try changing the hosts in the gateway from `*` to `'*.iprocure.tk'` and check whether it works?

- @Jakub Thanks for your reply. I made the change you asked for, deleted the certificate and the gateway, then re-applied them, but nothing changed. http://staging.iprocure.tk works without https, but when I open https://staging.iprocure.tk it says `This site can’t be reached staging.iprocure.tk refused to connect.`

- 1. Could you add the output of `kubectl describe certificate -n istio-system` or `kubectl get certificates -n istio-system -o wide` to your question? 2. Could you check whether there are multiple cert-manager pods when you run `kubectl get pods --all-namespaces`? 3. Which Istio version is it?

- @Jakub, I have added the output of `kubectl describe certificate -n istio-system` as you asked.

- Regarding running `kubectl get pods --all-namespaces`, yes, it runs and shows the list of pods in all namespaces.
Tags: https google-kubernetes-engine kubernetes-ingress istio cert-manager