让我们加密kubernetes入口控制器发出的假证书

dvtswwa3  于 2023-02-15  发布在  Kubernetes
关注(0)|答案(9)|浏览(136)

不确定为什么我得到了假证书,即使证书是由Let 's Encrypt使用certmanager正确颁发的

该设置在阿里云ECS控制台上运行,其中一个Kube-master和一个cube-minion组成一个Kubernetes集群。

服务详细信息

root@kube-master:~# kubectl get svc 
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   3h20m
my-nginx     ClusterIP   10.101.150.247   <none>        80/TCP    77m

Pod详细信息

root@kube-master:~# kubectl get pods --show-labels
NAME                        READY   STATUS    RESTARTS   AGE   LABELS
my-nginx-6cc48cd8db-n6scm   1/1     Running   0          46s   app=my-nginx,pod-template-hash=6cc48cd8db

已部署Helm证书管理器

root@kube-master:~# helm ls 
NAME            REVISION    UPDATED                     STATUS      CHART               APP VERSION NAMESPACE  
cert-manager    1           Tue Mar 12 15:29:21 2019    DEPLOYED    cert-manager-v0.5.2 v0.5.2      kube-system
kindred-garfish 1           Tue Mar 12 17:03:41 2019    DEPLOYED    nginx-ingress-1.3.1 0.22.0      kube-system

正确颁发证书

root@kube-master:~# kubectl describe certs 
Name:         tls-prod-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-12T10:26:58Z
  Generation:          2
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  nginx-ingress-prod
    UID:                   5ab11929-44b1-11e9-b431-00163e005d19
  Resource Version:        17687
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tls-prod-cert
  UID:                     5dad4740-44b1-11e9-b431-00163e005d19
Spec:
  Acme:
    Config:
      Domains:
        zariga.com
      Http 01:
        Ingress:        
        Ingress Class:  nginx
  Dns Names:
    zariga.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  tls-prod-cert
Status:
  Acme:
    Order:
      URL:  https://acme-v02.api.letsencrypt.org/acme/order/53135536/352104603
  Conditions:
    Last Transition Time:  2019-03-12T10:27:00Z
    Message:               Order validated
    Reason:                OrderValidated
    Status:                False
    Type:                  ValidateFailed
    Last Transition Time:  <nil>
    Message:               Certificate issued successfully
    Reason:                CertIssued
    Status:                True
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  CreateOrder   27s   cert-manager  Created new ACME order, attempting validation...
  Normal  IssueCert     27s   cert-manager  Issuing certificate...
  Normal  CertObtained  25s   cert-manager  Obtained certificate from ACME server
  Normal  CertIssued    25s   cert-manager  Certificate issued successfully

入口详细信息

root@kube-master:~# kubectl describe ingress
Name:             nginx-ingress-prod
Namespace:        default
Address:          
Default backend:  my-nginx:80 (192.168.123.202:80)
TLS:
  tls-prod-cert terminates zariga.com
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     *     my-nginx:80 (192.168.123.202:80)
Annotations:
  kubernetes.io/ingress.class:        nginx
  kubernetes.io/tls-acme:             true
  certmanager.k8s.io/cluster-issuer:  letsencrypt-prod
Events:
  Type    Reason             Age    From                      Message
  ----    ------             ----   ----                      -------
  Normal  CREATE             7m13s  nginx-ingress-controller  Ingress default/nginx-ingress-prod
  Normal  CreateCertificate  7m8s   cert-manager              Successfully created Certificate "tls-prod-cert"
  Normal  UPDATE             6m57s  nginx-ingress-controller  Ingress default/nginx-ingress-prod

Letsencrypt Nginx生产定义

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress-prod
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: 'true'
  labels:
    app: 'my-nginx'
spec:
  backend:
    serviceName: my-nginx
    servicePort: 80
  tls:
  - secretName: tls-prod-cert
    hosts:
    - zariga.com
wf82jlnq

wf82jlnq1#

也许对遇到类似问题的人会有帮助。对我来说,A忘记在Ingress yaml文件中为rulestls部分指定主机名。复制主机名后,它开始用正确的证书响应。
示例:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-web-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - my.host.com                # <----
    secretName: tls-secret
  rules:
    - host: my.host.com          # <----
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: my-nginx
              servicePort: 80
6tqwzwtp

6tqwzwtp2#

有时,如果您使用群集服务器URL作为临时URL,则可能会发生这种情况。
检查在issuer.yaml或clusterissuer.yaml中设置的letsencrypt URL并将其更改为生产URL:https://acme-v02.api.letsencrypt.org/directory
我曾经遇到过同样的问题,把网址改为生产网址就解决了。
还要检查您使用的入口tls密码是否正确。
对于生产,实际的集群发布者应类似于:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: dev-clusterissuer
spec:
  acme:
    email: harsh@example.com
    privateKeySecretRef:
      name: dev-clusterissuer
    server: https://acme-v02.api.letsencrypt.org/directory       # <----check this server URL it is for Prod and use this only
    solvers:
    - http01:
        ingress:
          class: nginx

如果使用服务器:https://acme-staging-v02.api.letsencrypt.org/directory您将面临问题,最好将其替换为服务器:https://acme-v02.api.letsencrypt.org/directory

6ljaweal

6ljaweal3#

如果您确信一切都设置正确,但仍然无法正常工作,请尝试以下操作。
编辑你的nginx控制器的部署。为什么?因为,如果它没有在它部署的名字空间中找到秘密,Nginx控制器部署它自己的证书(假证书)。不知道这一点(我是游戏新手)花费了我几天的生命。
因此,要么更改Nginx Ingress控制器所在的名称空间并获取部署的名称,然后:

kubectl edit deployment nginx-ingress-ingress-nginx-controller -n nginx-ingress

或者,如果在该命名空间中只有一个部署,则可以执行以下操作

kubectl edit deployment

您应该处于nginx控制器部署的编辑模式下。规格--〉容器:--〉参数:

spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --publish-service=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller
    - --election-id=ingress-controller-leader
    - --ingress-class=nginx
    - --configmap=$(POD_NAMESPACE)/nginx-ingress-ingress-nginx-controller
    - --validating-webhook=:8443
    - --validating-webhook-certificate=/usr/local/certificates/cert
    - --validating-webhook-key=/usr/local/certificates/key
    - --default-ssl-certificate=app-namespace/letsencrypt-cert-prod

如果nginx控制器没有找到证书,您可以添加一个默认证书(如我上面所做的),这样它将通过添加以下内容在名称空间中搜索密钥:

--default-ssl-certificate=your-cert-namespace/your-cert-secret

您的证书名称空间:证书密码为your-cert-secret的命名空间:包含机密的证书的名称

保存并关闭编辑器后,它应该会被更新。然后检查证书管理器pod的日志:

kubectl logs cert-manager-xxxpodxx-abcdef -n cert-manager

以确保一切正常。
如果所有资源都部署在同一个名称空间中,则可能不会遇到这个问题。

fivyi3re

fivyi3re4#

需要注意的是,ClusterIssuer的求解器规范发生了变化。对于使用cer-manager>0.7.2的人来说,这条评论节省了我很多时间:https://github.com/jetstack/cert-manager/issues/1650#issuecomment-518953464。特别是关于如何配置ClusterIssuer和证书。

lyr7nygr

lyr7nygr5#

在我的例子中,问题是在错误的端口访问域,我的默认https端口不是443,而是4443

new9mtju

new9mtju6#

对我来说,问题是我忘记了kubectl apply这个秘密(在我的例子中是'tls-secret.yml')。当手动部署K8S时,这样的错误很少发生。但是,我使用gitlab CICD部署应用程序时,我忘记了将- kubectl apply -f ./kube/secret添加到我的.gitlab-ci.yml

q7solyqu

q7solyqu7#

在我的例子中,我在入口规则中输入了错误的tls秘密名称。
我键入的不是secretName: my-homepage-tls而是secretName: myy-homepage-tls

fquxozlt

fquxozlt8#

对我来说,问题是入口类名,因为我使用的是microk8s,入口类名是public

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "your@email.tld"
    privateKeySecretRef:
      name: letsencrypt-prod
    server: "https://acme-v02.api.letsencrypt.org/directory"
    solvers:
      - http01:
         ingress:
           class: public
qnakjoqk

qnakjoqk9#

今天我遇到了这种情况,我在同一个名称空间中有两个入口,并使用letsencrypt-prod作为两个入口的密码名称。一个成功了,另一个失败了。密码是自动生成的,需要一个唯一的名称以避免冲突

相关问题