无法自签名证书 nginx ingress k3s
Unable to self sign certificate nginx ingress k3s
我是 K3s 的新手,这几天一直在纠结这一步。
环境: Ubuntu 20.04 |没有Traefik的K3s安装。
K3s安装脚本:
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -
Nginx 入口安装脚本
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install my-release nginx-stable/nginx-ingress
证书管理器安装脚本
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.3.1 \
--set installCRDs=true
验证
创建一个测试命名空间以使用 kubectl create ns practice-cls
测试服务部署
apiVersion: apps/v1
kind: Deployment
metadata:
name: kuard
namespace: practice-cls
spec:
selector:
matchLabels:
app: kuard
replicas: 1
template:
metadata:
labels:
app: kuard
spec:
containers:
- image: gcr.io/kuar-demo/kuard-amd64:1
imagePullPolicy: Always
name: kuard
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: kuard
namespace: practice-cls
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
selector:
app: kuard
发行人
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
namespace: cert-manager
spec:
selfSigned: {}
服务入口
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard
namespace: practice-cls
annotations:
cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
spec:
tls:
- hosts:
- example.example.com
secretName: quickstart-example-tls
rules:
- host: example.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kuard
port:
number: 80
ingressClassName: nginx
# kubectl describe ing kuard -n practice-cls
Name: kuard
Labels: <none>
Namespace: practice-cls
Address: 10.227.224.141
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
quickstart-example-tls terminates example.example.com
Rules:
Host Path Backends
---- ---- --------
example.example.com
/ kuard:80 (10.42.0.76:8080)
Annotations: cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning AddedOrUpdatedWithWarning 6m9s nginx-ingress-controller Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type
我不知道这是否有问题,kuard 图片只是来自 cert-manager 的教程服务。我从上面的清单中得到 ERR_SSL_UNRECOGNIZED_NAME_ALERT。
如果有更多信息可以解决此问题,请告诉我。
谢谢大家
经过一段时间的搜索和实验,我设法通过以下方式处理了这个问题:
自己使用K8s nginx ingress instead of the official one provide by nginx
通过编辑 nginx 控制器的部署或在安装时启用该权限来启用 SSL 直通
nginx 入口控制器(由 Nginx 公司生产)具有不支持默认 Opaque 秘密类型的挑剔代码对于 TLS 秘密。检查您的“quickstart-example-tls”Secret 是否已将其 type 设置为:kubernetes.io/tls 或受支持的类型之一输入 their list.
// IsSupportedSecretType checks if the secret type is supported.
func IsSupportedSecretType(secretType api_v1.SecretType) bool {
return secretType == api_v1.SecretTypeTLS ||
secretType == SecretTypeCA ||
secretType == SecretTypeJWK ||
secretType == SecretTypeOIDC
}
社区支持的Kubernetes Nginx Ingress Controller没有这个限制,支持Opaquesecret类型就好了。
我是 K3s 的新手,这几天一直在纠结这一步。
环境: Ubuntu 20.04 |没有Traefik的K3s安装。
K3s安装脚本:
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -
Nginx 入口安装脚本
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install my-release nginx-stable/nginx-ingress
证书管理器安装脚本
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.3.1 \
--set installCRDs=true
创建一个测试命名空间以使用 kubectl create ns practice-cls
测试服务部署
apiVersion: apps/v1
kind: Deployment
metadata:
name: kuard
namespace: practice-cls
spec:
selector:
matchLabels:
app: kuard
replicas: 1
template:
metadata:
labels:
app: kuard
spec:
containers:
- image: gcr.io/kuar-demo/kuard-amd64:1
imagePullPolicy: Always
name: kuard
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: kuard
namespace: practice-cls
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
selector:
app: kuard
发行人
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
namespace: cert-manager
spec:
selfSigned: {}
服务入口
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard
namespace: practice-cls
annotations:
cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
spec:
tls:
- hosts:
- example.example.com
secretName: quickstart-example-tls
rules:
- host: example.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kuard
port:
number: 80
ingressClassName: nginx
# kubectl describe ing kuard -n practice-cls
Name: kuard
Labels: <none>
Namespace: practice-cls
Address: 10.227.224.141
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
quickstart-example-tls terminates example.example.com
Rules:
Host Path Backends
---- ---- --------
example.example.com
/ kuard:80 (10.42.0.76:8080)
Annotations: cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning AddedOrUpdatedWithWarning 6m9s nginx-ingress-controller Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type
我不知道这是否有问题,kuard 图片只是来自 cert-manager 的教程服务。我从上面的清单中得到 ERR_SSL_UNRECOGNIZED_NAME_ALERT。
如果有更多信息可以解决此问题,请告诉我。
谢谢大家
经过一段时间的搜索和实验,我设法通过以下方式处理了这个问题:
自己使用K8s nginx ingress instead of the official one provide by nginx
通过编辑 nginx 控制器的部署或在安装时启用该权限来启用 SSL 直通
nginx 入口控制器(由 Nginx 公司生产)具有不支持默认 Opaque 秘密类型的挑剔代码对于 TLS 秘密。检查您的“quickstart-example-tls”Secret 是否已将其 type 设置为:kubernetes.io/tls 或受支持的类型之一输入 their list.
// IsSupportedSecretType checks if the secret type is supported.
func IsSupportedSecretType(secretType api_v1.SecretType) bool {
return secretType == api_v1.SecretTypeTLS ||
secretType == SecretTypeCA ||
secretType == SecretTypeJWK ||
secretType == SecretTypeOIDC
}
社区支持的Kubernetes Nginx Ingress Controller没有这个限制,支持Opaquesecret类型就好了。