我遇到一个问题,在一个命名空间中运行的入口控制器无法读取为入口(在另一个命名空间中)定义的证书,并且正在使用默认证书。
Error getting SSL certificate "connectivity-proxy/cdf-conn-proxy-ingress-secret": local SSL certificate connectivity-proxy/cdf-conn-proxy-ingress-secret was not found. Using default certificate
是否需要为此启用任何其他访问权限?秘密说明如下
kubectl get secret/cdf-conn-proxy-ingress-secret -n=connectivity-proxy -o yaml
apiVersion: v1
data:
ca.crt: <Base 64 encoded data>
tls.crt: <Base 64 encoded data>
tls.key: <Base 64 encoded data>
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1",
"data":{"ca.crt":<Base 64 encoded data>,
"tls.crt":<Base 64 encoded data>,
"tls.key":<Base 64 encoded data>,
"kind":"Secret","metadata":{"annotations":{},"name":"cdf-conn-proxy-ingress-secret","namespace":"connectivity-proxy"},"type":"kubernetes.io/tls"}
creationTimestamp: "2024-03-03T02:05:53Z"
name: cdf-conn-proxy-ingress-secret
namespace: connectivity-proxy
resourceVersion: "3679739774"
uid: 2016a8dc-e9c7-40a4-a3f8-131526fa591b
type: kubernetes.io/tls
入口描述如下:
kubectl get ingress/connectivity-proxy-tunnel -o yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/proxy-connect-timeout: "10"
ingress.kubernetes.io/proxy-read-timeout: "120"
ingress.kubernetes.io/proxy-send-timeout: "120"
meta.helm.sh/release-name: connectivity-proxy
meta.helm.sh/release-namespace: connectivity-proxy
nginx.ingress.kubernetes.io/auth-tls-secret: connectivity-proxy/connectivity-ca-connectivity-proxy
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "10"
nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header X-Forwarded-Client-Cert
$ssl_client_escaped_cert; \n"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
nginx.org/websocket-services: connectivity-proxy
creationTimestamp: "2024-03-06T17:45:36Z"
generation: 1
labels:
app: connectivity-proxy
app.kubernetes.io/managed-by: Helm
chart: connectivity-proxy-2.11.0
heritage: Helm
release: connectivity-proxy
name: connectivity-proxy-tunnel
namespace: connectivity-proxy
resourceVersion: "3706227012"
uid: 6dcfe450-91da-4d80-8821-85c9513b77b9
spec:
ingressClassName: nginx
rules:
- host: connectivity-proxy.cs-dev.transparent-proxy.eurekacloud.io
http:
paths:
- backend:
service:
name: connectivity-proxy-tunnel-0
port:
number: 8042
path: /
pathType: Prefix
- backend:
service:
name: connectivity-proxy-tunnel
port:
number: 8042
path: /connectivity
pathType: Prefix
tls:
- hosts:
- connectivity-proxy.cs-dev.transparent-proxy.eurekacloud.io
secretName: cdf-conn-proxy-ingress-secret
status:
loadBalancer:
ingress:
- ip: 20.62.220.254
很抱歉延迟恢复。根本原因是使用的 RSA 证书属于以下类型
-----开始加密的私钥----- -----结束加密的私钥-----而不是
-----开始 RSA 私钥----- -----结束 RSA 私钥-----
因此,Ingress 控制器无法读取它,并抛出异常。花了一些时间才弄清楚这一点,因为我无法访问入口控制器。顺便说一句,非常感谢您的回答