两个 Nginx Ingress 控制器 Azure K8s 集群的两个 TLS 证书
Two TLS certificate for two Nginx Ingress controller Azure K8s cluster
我有两个入口控制器,一个在 default 命名空间中默认为 class nginx,而第二个入口控制器有一个 nginx class: nginx-devices.
已经使用 Helm 安装了证书管理器。
我设法从 Lets Encrypt 为第一个控制器获得了 TLS 证书,使用 ClusterIssuer 和路由入口资源规则 Ingress。
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
# name: letsencrypt-staging
name: letsencrypt-prod
spec:
acme:
email: xx
# server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
入口路由:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: serviceA-ingress-rules
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- FirstService.cloudapp.azure.com
secretName: tls-secret
rules:
- host: FirstService.cloudapp.azure.com
http:
paths:
- path: /serviceA
backend:
serviceName: serviceA
servicePort: 80
但是,为第二个入口控制器创建第二个 TLS 证书时,不会创建 TLS 机密
集群发行者
# k8s/cluster-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
acme:
email: xxx
# server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
solvers:
- http01:
ingress:
class: nginx-devices # ingress class of the second ingress controller
入口路由
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: devices-ingress-rules
namespace: default # since all the services are in default namespace
annotations:
kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
cert-manager.io/cluster-issuer: "letsencrypt-prod-devices"
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- secondService.cloudapp.azure.com
secretName: tls-secret
rules:
- host: secondService.cloudapp.azure.com
http:
paths:
- path: /serviceB
backend:
serviceName: serviceB
servicePort: 80
通过查看秘密我只能看到:kubectl get secrets -n ingress-nginx-devices
NAME TYPE DATA AGE
default-token-xzp95 kubernetes.io/service-account-token 3 92m
nginx-ingress-devices-backend-token-pd4vf kubernetes.io/service-account-token 3 64m
nginx-ingress-devices-token-qvvps kubernetes.io/service-account-token 3 64m
sh.helm.release.v1.nginx-ingress-devices.v1 helm.sh/release.v1 1 64m
在默认命名空间中:
tls-secret kubernetes.io/tls 2 134m
为什么没有生成第二个 tls-secret?这里会出什么问题?
感谢任何帮助:)
你的第二个集群发行者命名空间是:ingress-nginx-devices 理想情况下它应该在 default 命名空间中,因为你的入口在默认命名空间。
将这三个保留在同一个命名空间中:
- 入口
- 集群发行者
- 服务
如果一切顺利,您将在 默认 命名空间
中看到秘密
也在你的 clusterissuer 的 YAML 中
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
你的密钥名称是:letsencrypt-prod-devices
但在入口中是:tls-secret
保持不变,否则无法正常工作
此处分享 clusterissuer 和 ingress 保持在同一个命名空间中的完整示例。您可以根据需要更改秘密名称、集群发行者名称。 Clusterissuer 将自动创建秘密,只需在入口(匹配)中提供秘密和 clusterissuer 的证明者名称。
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
我有两个入口控制器,一个在 default 命名空间中默认为 class nginx,而第二个入口控制器有一个 nginx class: nginx-devices.
已经使用 Helm 安装了证书管理器。
我设法从 Lets Encrypt 为第一个控制器获得了 TLS 证书,使用 ClusterIssuer 和路由入口资源规则 Ingress。
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
# name: letsencrypt-staging
name: letsencrypt-prod
spec:
acme:
email: xx
# server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
入口路由:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: serviceA-ingress-rules
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- FirstService.cloudapp.azure.com
secretName: tls-secret
rules:
- host: FirstService.cloudapp.azure.com
http:
paths:
- path: /serviceA
backend:
serviceName: serviceA
servicePort: 80
但是,为第二个入口控制器创建第二个 TLS 证书时,不会创建 TLS 机密
集群发行者
# k8s/cluster-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
acme:
email: xxx
# server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
solvers:
- http01:
ingress:
class: nginx-devices # ingress class of the second ingress controller
入口路由
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: devices-ingress-rules
namespace: default # since all the services are in default namespace
annotations:
kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
cert-manager.io/cluster-issuer: "letsencrypt-prod-devices"
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- secondService.cloudapp.azure.com
secretName: tls-secret
rules:
- host: secondService.cloudapp.azure.com
http:
paths:
- path: /serviceB
backend:
serviceName: serviceB
servicePort: 80
通过查看秘密我只能看到:kubectl get secrets -n ingress-nginx-devices
NAME TYPE DATA AGE
default-token-xzp95 kubernetes.io/service-account-token 3 92m
nginx-ingress-devices-backend-token-pd4vf kubernetes.io/service-account-token 3 64m
nginx-ingress-devices-token-qvvps kubernetes.io/service-account-token 3 64m
sh.helm.release.v1.nginx-ingress-devices.v1 helm.sh/release.v1 1 64m
在默认命名空间中:
tls-secret kubernetes.io/tls 2 134m
为什么没有生成第二个 tls-secret?这里会出什么问题?
感谢任何帮助:)
你的第二个集群发行者命名空间是:ingress-nginx-devices 理想情况下它应该在 default 命名空间中,因为你的入口在默认命名空间。
将这三个保留在同一个命名空间中:
- 入口
- 集群发行者
- 服务
如果一切顺利,您将在 默认 命名空间
中看到秘密也在你的 clusterissuer 的 YAML 中
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
你的密钥名称是:letsencrypt-prod-devices
但在入口中是:tls-secret
保持不变,否则无法正常工作
此处分享 clusterissuer 和 ingress 保持在同一个命名空间中的完整示例。您可以根据需要更改秘密名称、集群发行者名称。 Clusterissuer 将自动创建秘密,只需在入口(匹配)中提供秘密和 clusterissuer 的证明者名称。
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name