cert-manager after major update stopped working
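The problem appeared after a major update of cert-manager from version 0.6.0 to version 0.11.0.
The update was done via configuration backup, cert-manager removal, helm update, cert-manager installation and backup restore. There were no configuration changes during the update.
Pods and services are up, but no certificates are issued after the update.
Here are the logs of the cert-manager service: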
E0114 04:34:18.126497 1 sync.go:57] cert-manager/controller/ingress-shim "msg"="failed to determine issuer to be used for ingress resource" "error"="failed to determine issuer name to be used for ingress resource" "resource_kind"="Ingress" "resource_name"="ucb-sandbox-ingress" "resource_namespace"="cloud-engagement-sandbox"
I0114 04:34:18.126791 1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="cloud-engagement-sandbox/ucb-sandbox-ingress"
I0114 04:34:18.127064 1 controller.go:129] cert-manager/controller/ingress-shim "level"=0 "msg"="syncing item" "key"="cloud-engagement-sandbox/ucf-sandbox-ingress"
E0114 04:34:18.127294 1 sync.go:57] cert-manager/controller/ingress-shim "msg"="failed to determine issuer to be used for ingress resource" "error"="failed to determine issuer name to be used for ingress resource" "resource_kind"="Ingress" "resource_name"="ucf-sandbox-ingress" "resource_namespace"="cloud-engagement-sandbox"
I0114 04:34:18.127534 1 controller.go:135] cert-manager/controller/ingress-shim "level"=0 "msg"="finished processing work item" "key"="cloud-engagement-sandbox/ucf-sandbox-ingress"
My ClusterIssuer yaml:
apiVersion: certmanager.k8s.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [removed]
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}
And describe ClusterIssuer letsencrypt-prod:
Name: letsencrypt-prod
Namespace:
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
  {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"creationTimestamp":"2019-02-17T22:42:55Z"...
API Version: certmanager.k8s.io/v1alpha1
Kind: ClusterIssuer
Metadata:
  Creation Timestamp: 2019-02-17T22:42:55Z
  Generation: 1
  Resource Version: 53383155
  Self Link: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
  UID: 5e0c332f-3305-11e9-93cb-069443f5754c
Spec:
  Acme:
    Email: [removed]
    Http 01:
    Private Key Secret Ref:
      Key:
      Name: letsencrypt-prod
    Server: https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri: https://acme-v02.api.letsencrypt.org/acme/acct/51694394
  Conditions:
    Last Transition Time: 2019-02-17T22:42:57Z
    Message: The ACME account was registered with the ACME server
    Reason: ACMEAccountRegistered
    Status: True
    Type: Ready
Events: <none>
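The apiVersion has changed from certmanager.k8s.io/v1alpha1 to cert-manager.io/v1alpha2. But you still have the CRDs with the old apiVersion, and you need to delete them.
Follow the steps below to upgrade cert-manager. Pay attention to steps 3 and 4.
1. Back up existing cert-manager resources, as per the backup and restore guide.
3. Ensure the old cert-manager CRD resources have also been deleted: kubectl get crd | grep certmanager.k8s.io
4. Update the apiVersion of all your backed-up resources from certmanager.k8s.io/v1alpha1 to cert-manager.io/v1alpha2.
5. Re-install cert-manager from scratch, as per the installation guide.
Here is the official upgrade guide.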
Thanks for the reply.
I deleted the old CRDs after helm purge cert-manager and installed the new version 0.12 using the manifest.
My current CRDs are as follows:
kubectl get crd
NAME CREATED AT
certificaterequests.cert-manager.io 2019-11-01T01:37:03Z
certificates.cert-manager.io 2019-11-01T01:37:03Z
challenges.acme.cert-manager.io 2019-11-01T01:37:03Z
challenges.certmanager.k8s.io 2020-01-15T05:31:48Z
clusterissuers.cert-manager.io 2019-11-01T01:37:03Z
healthstates.azmon.container.insights 2019-08-29T10:13:59Z
issuers.cert-manager.io 2019-11-01T01:37:03Z
orders.acme.cert-manager.io 2019-11-01T01:37:03Z
orders.certmanager.k8s.io 2020-01-15T05:31:49Z
And the updated description of the ClusterIssuer:
kubectl describe ClusterIssuer letsencrypt-prod
Name: letsencrypt-prod
Namespace:
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1alpha2
Kind: ClusterIssuer
Metadata:
  Creation Timestamp: 2020-01-15T05:38:32Z
  Generation: 1
  Resource Version: 71299934
  Self Link: /apis/cert-manager.io/v1alpha2/clusterissuers/letsencrypt-prod
  UID: 4465c9ce-3759-11ea-be9c-0a7022c023e8
Spec:
  Acme:
    Email:
    Private Key Secret Ref:
      Name: letsencrypt-prod
    Server: https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      Http 01:
        Ingress:
          Class: nginx
      Selector:
Events: <none>
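I have no ingresses under the cert-manager namespace. Also, my backup includes the old certs, CRDs, issuers, certificates and certificate requests etc., but I am not sure how to restore what is needed.
Sorted. The culprits were 1) an incomplete cert-manager installation.
2) I also modified the backup and replaced all certmanager.k8s.io with cert-manager.io and v1alpha1 with v1alpha2.
3) Manually deleted the other CRDs related to certmanager.k8s.io.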
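Steps 3 and 4 of the answer and the fix in the last comment, as an added shell example (not part of the original thread; function names are hypothetical): it lists CRDs still registered in the old certmanager.k8s.io group, rewrites a backed-up manifest to cert-manager.io/v1alpha2, and flags an ACME issuer that still has the issuer-level http01 from the question instead of the solvers list shown in the 0.12 describe output. The sample listing and backup are constructed from values in the thread; the certmanager.k8s.io/cluster-issuer Ingress annotation in the sample is an assumption about what the backup contains.

```sh
# Added example (not from the thread): checks before restoring a pre-0.11 backup.
# Function names are hypothetical; the sample data below is constructed.

# stdin: `kubectl get crd` output; prints CRDs still in the old API group.
stale_crds() { awk '$1 ~ /\.certmanager\.k8s\.io$/ { print $1 }'; }

# stdin: backed-up manifest; rewrites the group everywhere (apiVersion and
# annotation keys), then v1alpha1 -> v1alpha2 for that group only.
migrate_manifest() {
    sed -e 's#certmanager\.k8s\.io#cert-manager.io#g' \
        -e 's#cert-manager\.io/v1alpha1#cert-manager.io/v1alpha2#g'
}

# Exit 0 if an ACME issuer has no spec.acme.solvers list (issuer-level http01
# as in the question); renaming the apiVersion does not convert that part.
lacks_solvers() {
    manifest=$(cat)
    printf '%s\n' "$manifest" | grep -q '^ *acme:' &&
        ! printf '%s\n' "$manifest" | grep -q '^ *solvers:'
}

sample_crds() {
    cat <<'EOF'
NAME                              CREATED AT
challenges.certmanager.k8s.io     2020-01-15T05:31:48Z
orders.acme.cert-manager.io       2019-11-01T01:37:03Z
orders.certmanager.k8s.io         2020-01-15T05:31:49Z
EOF
}

sample_backup() {
    cat <<'EOF'
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
spec:
  acme:
    http01: {}
EOF
}

sample_crds | stale_crds
sample_backup | migrate_manifest
sample_backup | lacks_solvers && echo "issuer-level http01: add spec.acme.solvers"
```

Against a live cluster, feed `kubectl get crd` into `stale_crds` and each backup file into `migrate_manifest` before applying it.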