Why doesn't the GCP load balancer support an ECDSA certificate?
I have created a Kubernetes Ingress on Google Cloud Platform using a FrontendConfig and an ECDSA P-384 TLS certificate. A few seconds after creation I get the following error:
Error syncing to GCP: error running load balancer syncing routine: loadbalancer -default--ingress-****** does not exist: Cert creation failures - k8s2-cr---***** Error:googleapi: Error 400: The ECDSA curve is not supported., sslCertificateUnsupportedCurve
Why isn't the ECDSA curve supported? Is there any way to enable this support?
Command used to create the TLS secret:
kubectl create secret tls tls --key [key-path] --cert [cert-path]
FrontendConfig:
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: frontend-config
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: default
  labels:
    kind: ingress
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: frontend-config
spec:
  tls:
  - hosts:
    # Note: a wildcard does not cover the apex name, so the certificate in the
    # secret must itself carry mydomain.com as a SAN for the first rule below.
    - '*.mydomain.com'
    secretName: tls
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: spa-ingress-service
            port:
              number: 80
  - host: api.mydomain.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: api-ingress-service
            port:
              number: 80
SPA services:
# SERVICE LOAD BALANCER
apiVersion: v1
kind: Service
metadata:
  name: spa-service
  labels:
    app/name: spa
spec:
  type: LoadBalancer
  selector:
    app/template: spa
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: http
---
# SERVICE NODE PORT - FOR INGRESS
apiVersion: v1
kind: Service
metadata:
  name: spa-ingress-service
  labels:
    app/name: ingress.spa
spec:
  type: NodePort
  selector:
    app/template: spa
  ports:
  # Named "https" but carries plain HTTP: TLS is terminated at the GCP load
  # balancer, which then talks HTTP to this NodePort (port 80 -> container port "http").
  - name: https
    protocol: TCP
    port: 80
    targetPort: http
API services:
# SERVICE LOAD BALANCER
apiVersion: v1
kind: Service
metadata:
  name: api-service
  labels:
    app/name: api
spec:
  type: LoadBalancer
  selector:
    app/template: api
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: http
---
# SERVICE NODE PORT - FOR INGRESS
apiVersion: v1
kind: Service
metadata:
  name: api-ingress-service
  labels:
    app/name: ingress.api
spec:
  type: NodePort
  selector:
    app/template: api
  ports:
  # Same as the SPA NodePort service: plain HTTP behind the TLS-terminating load balancer.
  - name: https
    protocol: TCP
    port: 80
    targetPort: http
kubectl describe ingress response:
The GCP load balancer supports RSA-2048 or ECDSA P-256 certificates. Also, DownstreamTlsContexts support multiple TLS certificates; these may be a mix of RSA and P-256 ECDSA certificates.
The error is due to incompatibility with the P-384 certificate currently in use, rather than a P-256 certificate.
For additional information, see Load Balancing Overview.
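As an added example (not part of the question or the answer above): a small POSIX shell check that classifies a certificate's public key before it is turned into a Kubernetes TLS secret, so a P-384 (or non-2048-bit RSA) key is caught locally instead of surfacing later as the `sslCertificateUnsupportedCurve` error from the GCE ingress controller. The only combinations treated as supported are the two the answer lists, RSA-2048 and ECDSA P-256. The function names, the file names in the usage lines, and the `openssl x509 -text` excerpts used as test input are constructed for this example; the parsing relies on the `Public Key Algorithm`, `Public-Key`, `ASN1 OID` and `NIST CURVE` lines that `openssl x509 -noout -text` prints.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate destined for a GCP HTTPS
# load balancer. Supported key types per the answer: RSA-2048 or ECDSA P-256.

# classify_cert_text reads the output of `openssl x509 -noout -text` on stdin
# and prints one of: rsa-2048, ecdsa-p256, or unsupported:<detail>.
classify_cert_text() {
    text=$(cat)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)
            # Matches both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
            # "Public-Key: (2048 bit)" (OpenSSL 3).
            bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
            if [ "$bits" = "2048" ]; then
                echo "rsa-2048"
            else
                echo "unsupported:rsa-${bits:-unknown}"
            fi
            ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            curve=$(printf '%s\n' "$text" | sed -n 's/.*NIST CURVE: \(P-[0-9]*\).*/\1/p' | head -n 1)
            if [ -z "$curve" ]; then
                # Some OpenSSL builds print only the ASN.1 OID name for the curve.
                oid=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: \([a-z0-9]*\).*/\1/p' | head -n 1)
                case "$oid" in
                    prime256v1) curve="P-256" ;;
                    secp384r1)  curve="P-384" ;;
                    secp521r1)  curve="P-521" ;;
                esac
            fi
            if [ "$curve" = "P-256" ]; then
                echo "ecdsa-p256"
            else
                echo "unsupported:ecdsa-${curve:-unknown}"
            fi
            ;;
        *)
            echo "unsupported:unknown-algorithm"
            ;;
    esac
}

# check_cert_file runs the classifier on a real PEM certificate file.
# Exit status 0 means the load balancer will accept the key type.
check_cert_file() {
    result=$(openssl x509 -in "$1" -noout -text | classify_cert_text)
    echo "$1: $result"
    case "$result" in
        unsupported:*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_p256_cert creates a P-256 private key and a self-signed certificate for
# the given CN (hypothetical file names): the key shape the load balancer accepts.
gen_p256_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
    openssl req -new -x509 -key "$1" -days 365 -subj "/CN=$3" -out "$2"
}

# Usage (not executed here):
#   gen_p256_cert tls.key tls.crt '*.mydomain.com'
#   check_cert_file tls.crt && kubectl create secret tls tls --key tls.key --cert tls.crt
```

The check works on the certificate rather than the key because the certificate is what the ingress controller uploads to the `sslCertificates` API; with a P-384 certificate in the secret, `check_cert_file` prints `unsupported:ecdsa-P-384` and returns non-zero, which is the same condition the load balancer rejects with error 400.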