无法自签名证书 nginx ingress k3s

Unable to self sign certificate nginx ingress k3s

我是 K3s 的新手,这几天一直在纠结这一步。

环境: Ubuntu 20.04 |没有Traefik的K3s安装。

K3s安装脚本:

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -

Nginx 入口安装脚本

helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install my-release nginx-stable/nginx-ingress

证书管理器安装脚本

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.3.1 \
  --set installCRDs=true

已通过 Cert-manager verifier

验证

创建一个测试命名空间以使用 kubectl create ns practice-cls

测试服务部署

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuard
  namespace: practice-cls
spec:
  selector:
    matchLabels:
      app: kuard
  replicas: 1
  template:
    metadata:
      labels:
        app: kuard
    spec:
      containers:
        - image: gcr.io/kuar-demo/kuard-amd64:1
          imagePullPolicy: Always
          name: kuard
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: kuard
  namespace: practice-cls
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: kuard

发行人

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}

服务入口

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  namespace: practice-cls
  annotations:
    cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
spec:
  tls:
  - hosts:
    - example.example.com
    secretName: quickstart-example-tls
  rules:
  - host: example.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kuard
            port:
              number: 80
  ingressClassName: nginx
# kubectl describe ing kuard -n practice-cls

Name:             kuard
Labels:           <none>
Namespace:        practice-cls
Address:          10.227.224.141
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  quickstart-example-tls terminates example.example.com
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  example.example.com  
                       /   kuard:80 (10.42.0.76:8080)
Annotations:           cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
Events:
  Type     Reason                     Age   From                      Message
  ----     ------                     ----  ----                      -------
  Warning  AddedOrUpdatedWithWarning  6m9s  nginx-ingress-controller  Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type

我不知道这是否有问题,kuard 图片只是来自 cert-manager 的教程服务。我从上面的清单中得到 ERR_SSL_UNRECOGNIZED_NAME_ALERT

如果有更多信息可以解决此问题,请告诉我。

谢谢大家

经过一段时间的搜索和实验,我设法通过以下方式处理了这个问题:

自己使用K8s nginx ingress instead of the official one provide by nginx

通过编辑 nginx 控制器的部署或在安装时启用该权限来启用 SSL 直通

nginx 入口控制器(由 Nginx 公司生产)具有不支持默认 Opaque 秘密类型的挑剔代码对于 TLS 秘密。检查您的“quickstart-example-tls”Secret 是否已将其 type 设置为:kubernetes.io/tls 或受支持的类型之一输入 their list.

// IsSupportedSecretType checks if the secret type is supported.
func IsSupportedSecretType(secretType api_v1.SecretType) bool {
    return secretType == api_v1.SecretTypeTLS ||
        secretType == SecretTypeCA ||
        secretType == SecretTypeJWK ||
        secretType == SecretTypeOIDC
}

社区支持的Kubernetes Nginx Ingress Controller没有这个限制,支持Opaquesecret类型就好了。