当我尝试启用 TLS 时,在通过入口暴露 ArgoCD 时遇到问题。使用我当前的配置,可以使用有效证书很好地生成秘密
argocd-server-tlsInternal Server Errorargocd-server-tls"msg="Loading TLS configuration from secret argocd/argocd-server-tls"argocd-server我可以在trafik日志上找到错误日志:
msg="'500 Internal Server Error' caused by: tls: failed to verify certificate: x509: cannot validate certificate for <ARGOCD_SERVER_POD_IP> because it doesn't contain any IP SANs"
有人遇到同样的问题吗?
我正在使用证书管理器
clusterIssuer这是我的 ArgoCD Helm 值文件:
values.yamlserver:
ingress:
enabled: true
annotations:
ingress.kubernetes.io/ssl-redirect: true
ingress.kubernetes.io/proxy-body-size: 0
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/cluster-issuer: My-cluster-issuer
ingressClassName: traefik
hosts:
- myargocddomain.com
tls:
- hosts:
- myargocddomain.com
secretName: argocd-server-tls
# -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
https: true
我在ArgoCD Helm Chart上看到可以设置证书部分:
values.yaml## Server
#
server:
certificate:
# -- Deploy a Certificate resource (requires cert-manager)
enabled: true
# -- The name of the Secret that will be automatically created and managed by this Certificate resource
secretName: argocd-server-tls
# -- Certificate primary domain (commonName)
domain: myargocddomain.com
# -- Certificate Subject Alternate Names (SANs)
additionalHosts: []
# Certificate issuer
## Ref: https://cert-manager.io/docs/concepts/issuer
issuer:
# -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
group: "cert-manager.io"
# -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
kind: "ClusterIssuer"
# -- Certificate issuer name. Eg. `letsencrypt`
name: "My-cluster-issuer"
ingress:
enabled: true
annotations:
ingress.kubernetes.io/ssl-redirect: true
ingress.kubernetes.io/proxy-body-size: 0
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/cluster-issuer: My-cluster-issuer
ingressClassName: traefik
hosts:
- myargocddomain.com
tls:
- hosts:
- myargocddomain.com
secretName: argocd-server-tls
# -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
https: true
此配置的问题是创建了两个证书,针对相同的秘密“argocd-server-tls”,因此其中一个证书具有
Ready: FalseSecret was issued for "argocd-server-tls". If this message is not transient, you might have two conflicting Certificates pointing to the same secret.然后我尝试设置
server.certificate.secretName=totoIssuing certificate as Secret does not exist我终于明白了!这是 TLS 终止的问题。在下面的当前配置中,我尝试在 ArgoCD 级别终止 TLS。但我想做的是保护集群外部的流量(我还没有实现任何加密内部流量的解决方案)。
所以我需要做的是加密从外部(客户端)到我的负载均衡器的流量,然后启用从负载均衡器到 ArgoCD 服务器的不安全流量。
|
WWW | Internal
________ ______|_______ ________
| | | | | |
| Client |======(TLS)=====>| LoadBalancer |======(clear)=====>| ArgoCD |
|________| |______________| |________|
这是最终配置:
values.yamlconfigs:
cm:
url: "https://<MY_DOMAIN>"
params:
server.insecure: "true"
server:
certificate:
# -- Deploy a Certificate resource (requires cert-manager)
enabled: true
# -- The name of the Secret that will be automatically created and managed by this Certificate resource
secretName: argocd-server-tls
# -- Certificate primary domain (commonName)
domain: <MY_DOMAIN>
# Certificate issuer
## Ref: https://cert-manager.io/docs/concepts/issuer
issuer:
# -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
group: "cert-manager.io"
# -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
kind: "ClusterIssuer"
# -- Certificate issuer name. Eg. `letsencrypt`
name: "<ISSUER_NAME>"
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
ingressClassName: traefik
hosts:
- <MY_DOMAIN>
tls:
- hosts:
- <MY_DOMAIN>
secretName: argocd-server-tls
# -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
https: false
这里 ArgoCD 以不安全模式运行,但使用 SSL 证书进行外部流量!
关于我试图生成两个秘密的问题,那是因为我两次引用了 CertManager 颁发者:一次在
server.certificateserver.ingressserver.ingress