kubernetes How do I configure spring-cloud-gateway on k8s with a letsencrypt cluster-issuer?

ttygqcqt  published 2023-04-20  in  Kubernetes

I am trying to configure a K8s Ingress for a spring-cloud-gateway instance deployed on Kubernetes, but I don't know how to serve it with a valid SSL certificate.
Here is my ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
    acme.cert-manager.io/http01-edit-in-place: "true"
  name: demo-bff
  namespace: demo-bff
spec:
  rules:
  - host: bff.demo.c4-soft.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: bff-gateway
            port:
              number: 8080
  tls:
    - hosts:
        - bff.demo.c4-soft.com
      secretName: demo-bff-tls

The letsencrypt-production cluster issuer is used successfully from another namespace to expose Keycloak.
I believe the problem lies in my gateway configuration, which does not route / authorize the HTTP-01 challenge correctly. Does anyone know how to configure spring-cloud-gateway with cert-manager, a cluster-issuer and letsencrypt?
So far I have tried this gateway configuration (in addition to the standard OAuth2 client configuration):

spring:
  cloud:
    gateway:
      default-filters:
      - TokenRelay=
      - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      - SaveSession
      routes:
      - id: letsencrypt
        uri: http://cert-manager-webhook
        predicates:
        - Path=/.well-known/acme-challenge/**

Extract of kubectl get services --all-namespaces:

cert-manager    service/cert-manager-webhook                 ClusterIP      10.3.8.243     <none>           443/TCP                      4d2h
default         service/kubernetes                           ClusterIP      10.3.0.1       <none>           443/TCP                      4d2h
demo-bff        service/bff-gateway                          ClusterIP      10.3.49.122    <none>           8080/TCP                     175m
ingress-nginx   service/ingress-nginx-controller             LoadBalancer   10.3.86.83     148.113.158.14   80:30664/TCP,443:31206/TCP   4d2h
ingress-nginx   service/ingress-nginx-controller-admission   ClusterIP      10.3.31.34     <none>           443/TCP                      4d2h
kube-system     service/kube-dns                             ClusterIP      10.3.0.10      <none>           53/UDP,53/TCP,9153/TCP       4d2h

bq3bfh9z 1#

In the end I got it working by changing two things:

  • switched the cert-manager-webhook URI to https (the service is bound to port 443, as shown above)
  • made sure the /.well-known/acme-challenge/** path matcher is permitAll() in the exchange authorization

spring:
  cloud:
    gateway:
      default-filters:
      - TokenRelay=
      - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      - SaveSession
      routes:
      - id: letsencrypt
        uri: https://cert-manager-webhook
        predicates:
        - Path=/.well-known/acme-challenge/**
com:
  c4-soft:
    springaddons:
      security:
        client:
          security-matchers: /**
          permit-all:
          - /login/**
          - /oauth2/**
          - /
          - /login-options
          - "/me"
          - /ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness
          - /.well-known/acme-challenge/**

The com.c4-soft.springaddons.security properties are consumed by another Spring Boot starter of mine (package spring-boot-starter-oauth2-client). The properties reported here are used in http.authorizeExchange(authorizeExchange -> authorizeExchange.pathMatchers(permitAll).permitAll()).
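To see why the second change in the answer matters, the following Python script simulates the two gates an ACME validation request passes through at the gateway: the security layer (permit-all vs. authenticate) and the route predicate. It is an added example, not code from the question, the answer, or the spring-addons project; the pattern matcher is a small Ant-style approximation written for this page (Spring's own PathPattern matcher behaves the same way for the patterns used here), and the permit-all lists and route are constructed from the answer's application.yml.

```python
import re

# Constructed from the answer's application.yml: the permit-all list with and
# without the ACME challenge entry, plus the gateway route for the challenge.
PERMIT_ALL_AFTER = [
    "/login/**", "/oauth2/**", "/", "/login-options", "/me", "/ui/**",
    "/actuator/health/readiness", "/actuator/health/liveness",
    "/.well-known/acme-challenge/**",
]
PERMIT_ALL_BEFORE = PERMIT_ALL_AFTER[:-1]   # the original, failing configuration

# (route id, Path predicate, uri); constructed from the answer's routes block
ROUTES = [("letsencrypt", "/.well-known/acme-challenge/**", "https://cert-manager-webhook")]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regular expression.

    '/**' as a whole segment matches zero or more further segments (so the
    pattern also matches the bare prefix), '*' matches within one segment and
    '?' matches a single character. This mirrors the semantics Spring applies
    to the patterns used on this page; it is not Spring's own matcher.
    """
    parts = ["^"]
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and (i + 3 == len(pattern) or pattern[i + 3] == "/"):
            parts.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    parts.append("$")
    return re.compile("".join(parts))


def is_permitted(path, permit_all):
    """True when the request path matches any permit-all pattern (no login needed)."""
    return any(ant_to_regex(p).match(path) for p in permit_all)


def route_for(path, routes=ROUTES):
    """Return the id of the first gateway route whose Path predicate matches, else None."""
    for route_id, pattern, _uri in routes:
        if ant_to_regex(pattern).match(path):
            return route_id
    return None


def decide(path, permit_all, routes=ROUTES):
    """Simulate the two gates a request passes: security (permit vs authenticate)
    and gateway routing. Returns (decision, route_id)."""
    decision = "permit" if is_permitted(path, permit_all) else "authenticate"
    return decision, route_for(path, routes)


def acme_challenge_reachable(permit_all, routes=ROUTES):
    """The check the question was missing: a validation request for a challenge
    token must be both permitted anonymously and routed to the solver."""
    sample = "/.well-known/acme-challenge/constructed-token-value"
    decision, route_id = decide(sample, permit_all, routes)
    return decision == "permit" and route_id is not None


if __name__ == "__main__":
    for path in ["/.well-known/acme-challenge/abc123", "/me", "/me/profile", "/api/orders"]:
        print(path, decide(path, PERMIT_ALL_BEFORE), decide(path, PERMIT_ALL_AFTER))
    print("challenge reachable before:", acme_challenge_reachable(PERMIT_ALL_BEFORE))
    print("challenge reachable after:", acme_challenge_reachable(PERMIT_ALL_AFTER))
```

With the original list the challenge request is routed correctly but hits the authenticate decision first, so Let's Encrypt's validator is redirected to the login page instead of receiving the token; adding the single `/.well-known/acme-challenge/**` entry flips it to permit while every other path (`/me/profile`, `/api/orders`) still requires a session. Permitting only that exact prefix, rather than a broader `/.well-known/**`, keeps the anonymous surface of the gateway to the one path the ACME solver needs.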
