drone.io on k8s. letsencrypt can't provide secure connection
I am deploying drone.io on GKE k8s using helm. If I turn LetsEncrypt off it works fine, but I really want https support.
Here is my service:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: {{ template "drone_ci.fullname" . }}-external
  labels:
    name: server
    app: {{ template "drone_ci.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  type: LoadBalancer
  loadBalancerIP: {{ .Values.droneLoadBalancerIp}}
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8000
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  selector:
    name: server
```
I have another service for port 9000, since only the drone agents need it.
My drone server deployment template looks like this:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: {{ template "drone_ci_server.fullname" . }}
  labels:
    app: {{ template "drone_ci.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: server
        app: {{ template "drone_ci.name" . }}
        release: {{ .Release.Name }}
    spec:
      containers:
        - name: server
          image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
          imagePullPolicy: {{ .Values.server.image.pullPolicy }}
          env:
            - name: "DRONE_HOST"
              value: {{ .Values.droneHost }}
            - name: "DRONE_OPEN"
              value: "true"
            - name: "DRONE_GITLAB"
              value: "true"
            - name: DRONE_GITLAB_URL
              value: {{ .Values.droneGitlabUrl }}
            - name: DRONE_ADMIN
              value: {{ .Values.droneAdmin }}
            - name: DRONE_GITLAB_CLIENT
              valueFrom:
                secretKeyRef:
                  name: {{ template "drone_ci.fullname" . }}
                  key: DRONE_GITLAB_CLIENT
            - name: DRONE_GITLAB_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ template "drone_ci.fullname" . }}
                  key: DRONE_GITLAB_SECRET
            - name: DRONE_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ template "drone_ci.fullname" . }}
                  key: DRONE_SECRET
            - name: DRONE_LETS_ENCRYPT
              value: "true"
          volumeMounts:
            - mountPath: /var/lib/drone
              name: drone-lib-pv-storage
      volumes:
        - name: drone-lib-pv-storage
          persistentVolumeClaim:
            claimName: {{ template "drone_ci.fullname" . }}
```
When letsEncrypt is false my site works fine and it correctly connects to my gitlab instance url. When letsEncrypt is true:
Navigating to my drone in chrome gives me "This site can't provide a secure connection". The SSL Labs test tells me:
No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.
Looking at my pod logs, every time I try to reach drone via chrome I get:
```text
http: TLS handshake error from x.x.x.x:53938: acme/autocert: no supported challenge type found
http: TLS handshake error from y.y.y.y:53936: acme/autocert: missing certificate
```
My drone server image is:
```yaml
image:
  repository: drone/drone
  tag: 0.8
  pullPolicy: Always
```
What am I missing or doing wrong?
I would suggest switching from a LoadBalancer type service to a regular one and exposing it via Ingress instead. Coupling Ingress with kube-lego gives you very good support for easily exposing anything you want, with simple Let's Encrypt integration for the domains used, even if the software behind it has no built-in support for LE. That is actually how my own drone.io instance is set up.
While this might not be the answer to the root cause of your problem, which would probably need more debugging info, it is a fully viable and proven solution :)
As for the error itself, it seems from this code that there is no support in drone for challenges other than the tls-sni-01/02 ones. Among other issues that might be cluster level, there is also this issue: TLS-SNI is now disabled by LE.
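The setup the answer describes, written out as an added example (not the asker's chart and not kube-lego's own documentation): a plain ClusterIP service in front of drone, and an Ingress that kube-lego picks up via the `kubernetes.io/tls-acme` annotation and satisfies with an HTTP-01 challenge, so drone's own TLS-SNI-only ACME client is never involved. It assumes an nginx ingress controller and kube-lego are already installed, and that the placeholder `drone.example.com` resolves to the ingress controller's address.

```yaml
# Added example, not part of the original chart.
# TLS terminates at the ingress, so DRONE_LETS_ENCRYPT stays "false" in the
# Deployment and DRONE_HOST is set to https://drone.example.com (placeholder).
apiVersion: v1
kind: Service
metadata:
  name: drone-server            # plain ClusterIP, no LoadBalancer
  labels:
    name: server
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      targetPort: 8000          # drone 0.8 serves HTTP on 8000 (as in the chart above)
  selector:
    name: server
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: drone-server
  annotations:
    kubernetes.io/ingress.class: "nginx"   # assumed: an nginx ingress controller is deployed
    kubernetes.io/tls-acme: "true"         # kube-lego watches Ingresses carrying this annotation
spec:
  tls:
    - hosts:
        - drone.example.com                # placeholder hostname
      secretName: drone-server-tls         # kube-lego creates and renews this Secret
  rules:
    - host: drone.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: drone-server
              servicePort: 80
```

Once kube-lego has populated `drone-server-tls`, `kubectl describe ingress drone-server` shows the TLS host and secret, and the `acme/autocert` handshake errors disappear from the drone pod logs because the pod no longer terminates TLS.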