当我尝试启用 TLS 时,在通过入口暴露 ArgoCD 时遇到问题。使用我当前的配置,可以使用有效证书很好地生成秘密
argocd-server-tls
。但我在尝试解决入口问题时收到错误 500,Internal Server Error
。所有 ArgoCD 日志都正常,我可以看到我的 TLS 配置已从 argocd-server-tls
秘密 "msg="Loading TLS configuration from secret argocd/argocd-server-tls"
(来自 argocd-server
的日志)正确加载。
我可以在trafik日志上找到错误日志:
msg="'500 Internal Server Error' caused by: tls: failed to verify certificate: x509: cannot validate certificate for <ARGOCD_SERVER_POD_IP> because it doesn't contain any IP SANs"
有人遇到同样的问题吗?
我正在使用证书管理器
clusterIssuer
来获取证书。它与同一集群上的其他服务运行良好。
这是我的 ArgoCD Helm 值文件:
values.yaml
server:
ingress:
enabled: true
annotations:
ingress.kubernetes.io/ssl-redirect: true
ingress.kubernetes.io/proxy-body-size: 0
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/cluster-issuer: My-cluster-issuer
ingressClassName: traefik
hosts:
- myargocddomain.com
tls:
- hosts:
- myargocddomain.com
secretName: argocd-server-tls
# -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
https: true
我在ArgoCD Helm Chart上看到可以设置证书部分:
values.yaml
## Server
#
server:
certificate:
# -- Deploy a Certificate resource (requires cert-manager)
enabled: true
# -- The name of the Secret that will be automatically created and managed by this Certificate resource
secretName: argocd-server-tls
# -- Certificate primary domain (commonName)
domain: myargocddomain.com
# -- Certificate Subject Alternate Names (SANs)
additionalHosts: []
# Certificate issuer
## Ref: https://cert-manager.io/docs/concepts/issuer
issuer:
# -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
group: "cert-manager.io"
# -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
kind: "ClusterIssuer"
# -- Certificate issuer name. Eg. `letsencrypt`
name: "My-cluster-issuer"
ingress:
enabled: true
annotations:
ingress.kubernetes.io/ssl-redirect: true
ingress.kubernetes.io/proxy-body-size: 0
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/cluster-issuer: My-cluster-issuer
ingressClassName: traefik
hosts:
- myargocddomain.com
tls:
- hosts:
- myargocddomain.com
secretName: argocd-server-tls
# -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
https: true
此配置的问题是创建了两个证书,针对相同的秘密“argocd-server-tls”,因此其中一个证书具有
Ready: False
和此消息 Secret was issued for "argocd-server-tls". If this message is not transient, you might have two conflicting Certificates pointing to the same secret.
然后我尝试设置
server.certificate.secretName=toto
进行测试,这是另一个问题。仍然创建了两个证书,一个是 Ingress 附带的,另一个是证书配置中的。来自入口的一个仍然正确创建,但无法工作(内部服务器错误...),而另一个尚未准备好,并显示消息 Issuing certificate as Secret does not exist
。
我终于明白了!这是 TLS 终止的问题。在下面的当前配置中,我尝试在 ArgoCD 级别终止 TLS。但我想做的是保护集群外部的流量(我还没有实现任何加密内部流量的解决方案)。
所以我需要做的是加密从外部(客户端)到我的负载均衡器的流量,然后启用从负载均衡器到 ArgoCD 服务器的不安全流量。
|
WWW | Internal
________ ______|_______ ________
| | | | | |
| Client |======(TLS)=====>| LoadBalancer |======(clear)=====>| ArgoCD |
|________| |______________| |________|
这是最终配置:
values.yaml
configs:
cm:
url: "https://<MY_DOMAIN>"
params:
server.insecure: "true"
server:
certificate:
# -- Deploy a Certificate resource (requires cert-manager)
enabled: true
# -- The name of the Secret that will be automatically created and managed by this Certificate resource
secretName: argocd-server-tls
# -- Certificate primary domain (commonName)
domain: <MY_DOMAIN>
# Certificate issuer
## Ref: https://cert-manager.io/docs/concepts/issuer
issuer:
# -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
group: "cert-manager.io"
# -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
kind: "ClusterIssuer"
# -- Certificate issuer name. Eg. `letsencrypt`
name: "<ISSUER_NAME>"
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
ingressClassName: traefik
hosts:
- <MY_DOMAIN>
tls:
- hosts:
- <MY_DOMAIN>
secretName: argocd-server-tls
# -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
https: false
这里 ArgoCD 以不安全模式运行,但使用 SSL 证书进行外部流量!
关于我试图生成两个秘密的问题,那是因为我两次引用了 CertManager 颁发者:一次在
server.certificate
集团上,一次在 server.ingress
上。两个证书请求的结果,我刚刚从 server.ingress
中删除了一个。