如何向 Kubernetes nginx (GKE) 提供 letsencrypt 证书?
How do I present letsencrypt certificates to Kubernetes nginx (GKE)?
我正在学习 Google 云平台,试图实现我的第一个项目,但在教程中迷路了。我一直在尝试实施 nginx 入口。我的入口卡在 CrashLoopBackoff 中,日志显示以下错误。
我知道如何使用 DockerCompose 完成此任务,但这里不知道。
我从哪里开始?
1#1: cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
我还不确定这是否有用,但我已经设置了证书颁发机构服务 (https://cloud.google.com/certificate-authority-service/docs/best-practices)。
与其使用它并遵循 GCP CA 设置,我建议使用 cert-manager 和入口。
Cert-manager 将从 let's-encrypt CA , cert-manager 获得 TLS 证书将在 k8s 中创建秘密并将已验证的证书存储到秘密中。
您可以根据主机在入口处附加秘密并使用它。
YAML 示例:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
您可以阅读此博客作为参考:https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d
我正在学习 Google 云平台,试图实现我的第一个项目,但在教程中迷路了。我一直在尝试实施 nginx 入口。我的入口卡在 CrashLoopBackoff 中,日志显示以下错误。
我知道如何使用 DockerCompose 完成此任务,但这里不知道。
我从哪里开始?
1#1: cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/blah.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/blah.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
我还不确定这是否有用,但我已经设置了证书颁发机构服务 (https://cloud.google.com/certificate-authority-service/docs/best-practices)。
与其使用它并遵循 GCP CA 设置,我建议使用 cert-manager 和入口。
Cert-manager 将从 let's-encrypt CA , cert-manager 获得 TLS 证书将在 k8s 中创建秘密并将已验证的证书存储到秘密中。
您可以根据主机在入口处附加秘密并使用它。
YAML 示例:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
您可以阅读此博客作为参考:https://medium.com/@harsh.manvar111/kubernetes-nginx-ingress-and-cert-manager-ssl-setup-c82313703d0d