How to automate Let's Encrypt certificate renewal in Kubernetes with cert-manager on a bare-metal cluster?
I want to access my bare-metal Kubernetes cluster through an exposed Nginx Ingress Controller that does the TLS termination. To be able to renew certificates automatically I want to use the Kubernetes add-on cert-manager, the successor of kube-lego.

What I have done so far:

Set up a Kubernetes (v1.9.3) cluster on bare metal with kubeadm (1 master, 1 minion, running Ubuntu 16.04.4 LTS) and flannel as the pod network, following the guide.

Installed nginx-ingress (chart version 0.9.5) with the Kubernetes package manager helm:

    helm install --name nginx-ingress --namespace kube-system stable/nginx-ingress --set controller.hostNetwork=true,rbac.create=true,controller.service.type=ClusterIP

Installed cert-manager (chart version 0.2.2) with helm:

    helm install --name cert-manager --namespace kube-system stable/cert-manager --set rbac.create=true

The Ingress Controller is exposed successfully and works as expected when I test it with an Ingress resource. To get Let's Encrypt certificate management and automatic renewal working with cert-manager, I first need an Issuer resource. I created it from this acme-staging-issuer.yaml:
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Issuer
    metadata:
      name: letsencrypt-staging
      namespace: default
    spec:
      acme:
        server: https://acme-staging.api.letsencrypt.org/directory
        email: email@example.com
        privateKeySecretRef:
          name: letsencrypt-staging
        http01: {}
kubectl create -f acme-staging-issuer.yaml runs successfully, but kubectl describe issuer/letsencrypt-staging gives me:
    Status:
      Acme:
        Uri:
      Conditions:
        Last Transition Time:  2018-03-05T21:29:41Z
        Message:               Failed to verify ACME account: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
        Reason:                ErrRegisterACMEAccount
        Status:                False
        Type:                  Ready
    Events:
      Type     Reason                Age               From                     Message
      ----     ------                ----              ----                     -------
      Warning  ErrVerifyACMEAccount  1s (x11 over 7s)  cert-manager-controller  Failed to verify ACME account: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
      Warning  ErrInitIssuer         1s (x11 over 7s)  cert-manager-controller  Error initializing issuer: Get https://acme-staging.api.letsencrypt.org/directory: tls: oversized record received with length 20291
Without a ready Issuer I cannot go on to generate cert-manager Certificates or use ingress-shim (for automatic renewal).

What is missing in my setup? Is exposing the ingress controller with hostNetwork=true sufficient, or is there a better way to expose its ports 80 and 443 on a bare-metal cluster? How do I resolve the tls: oversized record received error when creating a cert-manager Issuer resource?
The tls: oversized record received error was caused by a misconfigured /etc/resolv.conf on the Kubernetes minion. It can be fixed by editing it like this:

    $ sudo vi /etc/resolvconf/resolv.conf.d/base

Add the list of nameservers:

    nameserver 8.8.8.8
    nameserver 8.8.4.4

Update resolvconf:

    $ sudo resolvconf -u
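A small diagnostic script to go with the answer above. It is an added example, not code from the question, the answer or the cert-manager project, and it assumes a POSIX sh on the node plus getent and openssl for the optional live checks. It does three things a practitioner would want before and after editing resolv.conf: classify a resolv.conf-style file (does it declare any nameserver at all?), decode the number in the error message, and, with --live, resolve the ACME host with the node's own resolver and check whether port 443 actually completes a TLS handshake. The decoding is the instructive part: Go's TLS client reads bytes 4-5 of whatever arrives on the socket as the record length and reports "oversized record received with length N" when that value is larger than any legal TLS record, so N is really two bytes of a plaintext reply. 20291 is 0x4F43, the ASCII pair "OC", which is exactly what a Go client reports when the peer answers with an HTML page beginning `<!DOCTYPE` ('<' is read as the record type, '!D' as the version, 'OC' as the length). In other words the ACME hostname was resolved to some host serving plain HTML on 443, which is consistent with the broken resolver configuration the answer fixes. The sample resolv.conf contents in the script are constructed, not taken from the cluster in the question.

```shell
#!/bin/sh
# Added diagnostic for "tls: oversized record received"; not part of the
# original question or answer. Assumes POSIX sh; the --live checks assume
# getent and openssl are installed on the node.

# Print the nameserver addresses declared in a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Exit 0 when the file declares at least one nameserver, 1 otherwise.
resolv_has_nameserver() {
    awk '$1 == "nameserver" { n++ } END { if (n > 0) exit 0; exit 1 }' "$1"
}

# Classify a resolv.conf: "ok", "no-nameserver" (the state the answer
# fixes) or "missing" when the file cannot be read at all.
resolv_classify() {
    [ -r "$1" ] || { echo missing; return; }
    if resolv_has_nameserver "$1"; then echo ok; else echo no-nameserver; fi
}

# Decode N from "tls: oversized record received with length N" into the two
# bytes the Go TLS client mistook for a record length. Readable characters
# mean the peer on port 443 was not speaking TLS (e.g. a plaintext HTML page
# from a host the broken resolver returned).
decode_record_length() {
    hi=$(( $1 / 256 ))
    lo=$(( $1 % 256 ))
    printf '%b' "$(printf '\\0%03o\\0%03o' "$hi" "$lo")"
}

# Live check (network required): resolve the ACME host through the node's
# own resolver and confirm port 443 completes a TLS handshake.
acme_live_check() {
    host="$1"
    echo "addresses for $host (node resolver):"
    getent ahosts "$host" | awk '{ print "  " $1 }' | sort -u
    if printf '' | openssl s_client -connect "$host:443" -servername "$host" \
            >/dev/null 2>&1; then
        echo "TLS handshake with $host:443: ok"
    else
        echo "TLS handshake with $host:443: FAILED (non-TLS or unreachable peer)"
    fi
}

# Constructed sample files, not captured from the cluster in the question.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'search cluster.local\n' > "$sample_dir/broken.conf"            # no nameserver line
printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$sample_dir/fixed.conf"

echo "broken.conf: $(resolv_classify "$sample_dir/broken.conf")"   # no-nameserver
echo "fixed.conf:  $(resolv_classify "$sample_dir/fixed.conf")"    # ok
echo "length 20291 decodes to: $(decode_record_length 20291)"      # OC

# Usage on the minion: sh diagnose.sh --live
if [ "${1:-}" = "--live" ]; then
    acme_live_check acme-staging.api.letsencrypt.org
fi
```

Run it once before and once after the resolvconf edit: the classification of the node's real /etc/resolv.conf should move from no-nameserver to ok, and the live TLS handshake with the ACME host should change from FAILED to ok. If the handshake still fails after the fix, decode whatever new length the Issuer reports to see what the node is actually talking to on 443.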