Generate a wildcard certificate on a Kubernetes cluster with DigitalOcean for my Nginx-Ingress
I followed this DigitalOcean guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes and ran into something very strange. When I put a wildcard in the hostnames, letsencrypt is unable to issue a new certificate, whereas when I only set explicitly defined subdomains it works perfectly.
Here is the "working" configuration for my domain and its api (and this one works perfectly):
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - example.com
    - api.example.com
    secretName: my-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: example-frontend
          servicePort: 80
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: example-api
          servicePort: 80
Instead, here is the one with which I am trying to issue the wildcard certificate, without success; it is left with the "Issuing" message.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - example.com
    - "*.example.com"   # the wildcard must be quoted: an unquoted leading "*" is a YAML alias
    secretName: my-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: example-frontend
          servicePort: 80
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: example-api
          servicePort: 80
The only difference is the second line of the hosts. Is there some trivial, well-known solution that I am not aware of? I am new to Kubernetes, but not to DevOps.
Generating a wildcard certificate with cert-manager (letsencrypt) requires the DNS-01 challenge rather than the HTTP-01 challenge used in the link from the question:
Does Let's Encrypt issue wildcard certificates?
Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
There is documentation on generating a wildcard certificate with cert-manager:
From DigitalOcean's perspective, there is a guide dedicated to it:
This provider uses a Kubernetes Secret resource to work. In the following example, the Secret will have to be named digitalocean-dns and have a sub-key access-token with the token in it. For example:
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
data:
  # insert your DO access token here
  access-token: "base64 encoded access-token here"
The access token must have write access.
To create a Personal Access Token, see DigitalOcean documentation.
Handy direct link: https://cloud.digitalocean.com/account/api/tokens/new
To encode your access token into base64, you can use the following:
echo -n 'your-access-token' | base64 -w 0
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    ...
    solvers:
    - dns01:
        digitalocean:
          tokenSecretRef:
            name: digitalocean-dns
            key: access-token
-- Cert-manager.io: Docs: Configuration: ACME: DNS-01: Digitalocean
I think these additional resources can also help:
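A complete DNS-01 setup for the question's scenario, as an added example that is not part of the question or of either answer: it combines the Secret and the digitalocean solver from the quoted cert-manager docs with a ClusterIssuer, an explicit Certificate and an Ingress that serves the resulting secret. The zone example.com being hosted on DigitalOcean DNS, the e-mail address, the ingress class nginx, the namespaces and the resource names are assumptions; the ClusterIssuer name letsencrypt-staging is taken from the question's annotation.

```yaml
# Added example, not from the question or either answer.
# Assumptions: example.com is hosted on DigitalOcean DNS (DNS-01 only works if
# cert-manager can write _acme-challenge TXT records into the zone), cert-manager
# runs in the cert-manager namespace, and the application lives in "default".
---
# 1. API token cert-manager uses to create and remove the _acme-challenge TXT
#    records. It must have write scope. Equivalent one-liner (kubectl encodes
#    the value, so no manual base64 step is needed):
#      kubectl -n cert-manager create secret generic digitalocean-dns \
#        --from-literal=access-token='<your-token>'
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
type: Opaque
stringData:
  access-token: "<your-token>"   # placeholder, replace before applying
---
# 2. ClusterIssuer with two solvers. The dnsZones selector sends every name in
#    example.com (including *.example.com) to DNS-01; the unselected http01
#    solver remains the default for any other host, so existing Ingresses that
#    rely on HTTP-01 keep working after this change.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com          # assumption
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - selector:
        dnsZones:
        - example.com
      dns01:
        digitalocean:
          tokenSecretRef:
            name: digitalocean-dns
            key: access-token
    - http01:
        ingress:
          class: nginx                # assumption: ingress-nginx class name
---
# 3. Request the certificate explicitly rather than through the Ingress
#    annotation. The wildcard must be quoted in YAML.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-wildcard
  namespace: default
spec:
  secretName: my-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - "*.example.com"
---
# 4. Ingress that serves the secret. It carries no cert-manager annotation, so
#    ingress-shim does not create a second Certificate competing for my-tls.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: default
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    - "*.example.com"
    secretName: my-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-frontend
            port:
              number: 80
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-api
            port:
              number: 80
```

After applying, a Certificate that stays in "Issuing" can be diagnosed with `kubectl get certificate,order,challenge -A` followed by `kubectl describe challenge <name>`: the Challenge object records whether the DNS-01 solver could create the TXT record and whether Let's Encrypt has observed it yet. Switch the server URL to https://acme-v02.api.letsencrypt.org/directory only once the staging issuance succeeds, since the production endpoint rate-limits failed attempts.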
Wildcard certificates require the DNS-01 method.
Note: you might need to add a CAA record to your DNS first. The CAA record is added to the DNS zone; for example:
Name       Type  Value
devops.in  CAA   0 issuewild "letsencrypt.org"
Get the details from: https://sslmate.com/caa/
First, you have to create the secret that stores the access key, using the command:
kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
Here is the example issuer.yaml:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
        - "devops.in"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
---
# same API version as the Issuer above; cert-manager.io/v1alpha2 was removed in cert-manager 1.6
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
  - "*.devops.in"
Also, make sure your user has the necessary permissions to manage Route53:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}