【Question title】: cert-manager after major update stopped working
【Posted】: 2020-01-14 21:34:23
【Question description】:

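The problem started after a major update of cert-manager from version 0.6.0 to 0.11.0. The update was carried out by configuration backup, cert-manager remove, helm update, cert-manager install and backup restore. There were no configuration changes during the update.

The pods and services are up, but no certificates have been issued since the update.

The cert-manager service has these logs: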

 E0114 04:34:18.126497       1 sync.go:57] cert-manager/controller/ingress-shim "msg"="failed to determine issuer to be used for ingress resource" "error"="failed to determine issuer name to be used for ingress resource" "resource_kind"="Ingress" "resource_name"="ucb-sandbox-ingress" "resource_namespace"="cloud-engagement-sandbox" 
I0114 04:34:18.126791       1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="cloud-engagement-sandbox/ucb-sandbox-ingress" 
I0114 04:34:18.127064       1 controller.go:129] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="cloud-engagement-sandbox/ucf-sandbox-ingress" 
E0114 04:34:18.127294       1 sync.go:57] cert-manager/controller/ingress-shim "msg"="failed to determine issuer to be used for ingress resource" "error"="failed to determine issuer name to be used for ingress resource" "resource_kind"="Ingress" "resource_name"="ucf-sandbox-ingress" "resource_namespace"="cloud-engagement-sandbox" 
I0114 04:34:18.127534       1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="cloud-engagement-sandbox/ucf-sandbox-ingress" 

My ClusterIssuer YAML:

apiVersion: certmanager.k8s.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [removed]
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

And the describe output for ClusterIssuer letsencrypt-prod:

ClusterIssuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"creationTimestamp":"2019-02-17T22:42:55Z"...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2019-02-17T22:42:55Z
  Generation:          1
  Resource Version:    53383155
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
  UID:                 5e0c332f-3305-11e9-93cb-069443f5754c
Spec:
  Acme:
    Email:  [removed]
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/51694394
  Conditions:
    Last Transition Time:  2019-02-17T22:42:57Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

【Question comments】:

  • Post your Ingress resource

Tags: kubernetes cert-manager


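【Solution 1】:

The apiVersion has changed from certmanager.k8s.io/v1alpha1 to cert-manager.io/v1alpha2, but you still have CRDs with the old apiVersion that need to be deleted.

Follow the steps below to upgrade cert-manager. Pay attention to steps 3 and 4.

1. Back up the existing cert-manager resources, following the backup and restore guide.

2. Uninstall cert-manager.

3. Make sure the old cert-manager CRD resources have also been deleted: kubectl get crd | grep certmanager.k8s.io

4. Update the apiVersion on all backed-up resources from certmanager.k8s.io/v1alpha1 to cert-manager.io/v1alpha2.

5. Re-install cert-manager according to the installation guide.

Here is the official upgrade guide.

【Comments】: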
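
Steps 3 and 4 of the procedure in Solution 1, as an added example that is not part of the original answer or of cert-manager itself. The function names (old_crds, migrate_backup, leftover_refs) are hypothetical, the backup is constructed, and the CRD listing is a subset of the one posted in Solution 3. The leftover check flags lines such as the last-applied-configuration annotation visible in the question's describe output, which still carries the old group after the apiVersion line is rewritten.

```shell
#!/bin/sh
# Added example; sample data below is constructed or copied from this page.
OLD_GROUP='certmanager.k8s.io'
OLD_RE='certmanager\.k8s\.io'
NEW_GROUP='cert-manager.io'

# Step 3: print CRDs still in the old API group (reads `kubectl get crd` output).
old_crds() {
    awk -v g=".$OLD_GROUP" 'BEGIN { n = length(g) }
        length($1) > n && substr($1, length($1) - n + 1) == g { print $1 }'
}

# Step 4: rewrite apiVersion lines only, old group/version to the new one.
migrate_backup() {
    sed -E "s#^([[:space:]-]*apiVersion:[[:space:]]*)${OLD_RE}/v1alpha1[[:space:]]*\$#\\1${NEW_GROUP}/v1alpha2#"
}

# Count lines still naming the old group after step 4; review these by hand.
leftover_refs() {
    grep -c -F "$OLD_GROUP" || true
}

sample_crds() {   # subset of the listing posted in Solution 3
    cat <<'EOF'
NAME                                    CREATED AT
certificates.cert-manager.io            2019-11-01T01:37:03Z
challenges.certmanager.k8s.io           2020-01-15T05:31:48Z
orders.acme.cert-manager.io             2019-11-01T01:37:03Z
orders.certmanager.k8s.io               2020-01-15T05:31:49Z
EOF
}

sample_backup() { # constructed backup in `kubectl get -o yaml` list form
    cat <<'EOF'
apiVersion: v1
kind: List
items:
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: ClusterIssuer
  metadata:
    name: letsencrypt-prod
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer"}
EOF
}

echo "Old-group CRDs still installed:"; sample_crds | old_crds
echo "Migrated backup:";               sample_backup | migrate_backup
echo "Leftover references: $(sample_backup | migrate_backup | leftover_refs)"
```

Against a live cluster, pipe `kubectl get crd` into old_crds and the real backup file into migrate_backup; an empty result from old_crds means step 3 is satisfied.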

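    【Solution 2】:

    Sorted. The culprits were: 1) an incomplete cert-manager installation. 2) I also modified the backup and replaced all certmanager.k8s.io with cert-manager.io and v1alpha1 with v1alpha2. 3) Manually deleted the other CRDs related to certmanager.k8s.io.

    【Comments】: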

      【Solution 3】:

      Thanks for the reply. I removed the old CRDs after helm purge cert-manager and installed the new 0.12 version using the manifest. Below are my current CRDs:

      kubectl get crd 
      NAME                                    CREATED AT
      certificaterequests.cert-manager.io     2019-11-01T01:37:03Z
      certificates.cert-manager.io            2019-11-01T01:37:03Z
      challenges.acme.cert-manager.io         2019-11-01T01:37:03Z
      challenges.certmanager.k8s.io           2020-01-15T05:31:48Z
      clusterissuers.cert-manager.io          2019-11-01T01:37:03Z
      healthstates.azmon.container.insights   2019-08-29T10:13:59Z
      issuers.cert-manager.io                 2019-11-01T01:37:03Z
      orders.acme.cert-manager.io             2019-11-01T01:37:03Z
      orders.certmanager.k8s.io               2020-01-15T05:31:49Z
      

      And the updated describe output of the ClusterIssuer:

      kubectl describe ClusterIssuer letsencrypt-prod
      Name:         letsencrypt-prod
      Namespace:
      Labels:       <none>
      Annotations:  <none>
      API Version:  cert-manager.io/v1alpha2
      Kind:         ClusterIssuer
      Metadata:
        Creation Timestamp:  2020-01-15T05:38:32Z
        Generation:          1
        Resource Version:    71299934
        Self Link:           /apis/cert-manager.io/v1alpha2/clusterissuers/letsencrypt-prod
        UID:                 4465c9ce-3759-11ea-be9c-0a7022c023e8
      Spec:
        Acme:
          Email:  
          Private Key Secret Ref:
            Name:  letsencrypt-prod
          Server:  https://acme-v02.api.letsencrypt.org/directory
          Solvers:
            Http 01:
              Ingress:
                Class:  nginx
            Selector:
      Events:  <none>
      

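      I have no ingresses under the cert-manager namespace. Also, my backup includes old certs, CRDs, issuers, certificates, certificate requests and so on, but I don't know how to restore what is needed.

      【Comments】: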
