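I'm trying to use TLS in our Kubernetes cluster. I've followed the MS documentation "Create an HTTPS ingress controller on Azure Kubernetes Service" (https://docs.microsoft.com/en-us/azure/aks/ingress-tls).
I have deployed the Nginx ingress controller, added the DNS record and installed cert-manager. I created a SelfSigned CA ClusterIssuer and also created 2 demo applications.
When I create the ingress routes, the certificate is created automatically and shows "True" in the "Ready" state, but the routes don't work - I can't access the demo applications using the deployed hostname (https://hello-world-ingress.<Ingress_Service_DNS_Name>).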
Self-signed ClusterIssuer:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```
Ingress routes:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    cert-manager.io/cluster-issuer: selfsigned-issuer
spec:
  tls:
  - hosts:
    - hello-world-ingress.<Ingress_Service_DNS_Name>
    secretName: tls-secret
  rules:
  - host: hello-world-ingress.<Ingress_Service_DNS_Name>
    http:
      paths:
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /(.*)
      - backend:
          serviceName: aks-helloworld-two
          servicePort: 80
        path: /hello-world-two(/|$)(.*)
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress-static
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /static/$2
    cert-manager.io/cluster-issuer: selfsigned-issuer
spec:
  tls:
  - hosts:
    - hello-world-ingress.<Ingress_Service_DNS_Name>
    secretName: tls-secret
  rules:
  - host: hello-world-ingress.<Ingress_Service_DNS_Name>
    http:
      paths:
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /static(/|$)(.*)
```
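I created a DNS record for <Ingress_Service_DNS_Name> (but with the real name) at GoDaddy, where our domain is, pointing to the external ingress controller service IP address.
The rest of the installation and deployment is the same as in the documentation.
Does anyone know why it doesn't work?
---------------- Edit ----------------------
Ingress controller logs: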
```
I0330 06:03:16.780788 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375594", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:03:46.358414 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375687", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:03:46.386930 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375688", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:04:16.783483 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375802", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:04:16.788210 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375803", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:04:46.584035 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375904", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:04:46.587677 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37375905", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:05:16.938952 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress", UID:"488a4c00-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37376008", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress
I0330 06:05:16.938975 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37376007", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
I0330 06:05:46.337384 7 event.go:281] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress-basic", Name:"hello-world-ingress-static", UID:"48b91e0e-7072-11ea-a46c-1a8c7fb34cf9", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"37376095", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress ingress-basic/hello-world-ingress-static
```
cert-manager logs:
```
I0330 06:16:19.953430 1 reflector.go:432] external/io_k8s_client_go/tools/cache/reflector.go:108: Watch close - *v1alpha2.Order total 0 items received
I0330 06:16:19.989382 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
I0330 06:16:39.861201 1 metrics.go:304] cert-manager/metrics "msg"="attempting to clean up metrics for recently deleted certificates"
I0330 06:16:39.861233 1 metrics.go:307] cert-manager/metrics "msg"="active certificates is still uninitialized"
I0330 06:16:46.353253 1 controller.go:129] cert-manager/controller/ingress-shim "msg"="syncing item" "key"="ingress-basic/hello-world-ingress"
I0330 06:16:46.354661 1 metrics.go:385] cert-manager/metrics "msg"="incrementing controller sync call count" "controllerName"="ingress-shim"
I0330 06:16:46.355124 1 sync.go:163] cert-manager/controller/ingress-shim "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress" "resource_namespace"="ingress-basic"
I0330 06:16:46.356804 1 sync.go:176] cert-manager/controller/ingress-shim "msg"="certificate resource is already up to date for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress" "resource_namespace"="ingress-basic"
I0330 06:16:46.357190 1 controller.go:135] cert-manager/controller/ingress-shim "msg"="finished processing work item" "key"="ingress-basic/hello-world-ingress"
I0330 06:16:46.358636 1 controller.go:129] cert-manager/controller/ingress-shim "msg"="syncing item" "key"="ingress-basic/hello-world-ingress-static"
I0330 06:16:46.361782 1 metrics.go:385] cert-manager/metrics "msg"="incrementing controller sync call count" "controllerName"="ingress-shim"
I0330 06:16:46.367596 1 sync.go:163] cert-manager/controller/ingress-shim "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
I0330 06:16:46.368271 1 sync.go:171] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this ingress. refusing to update non-owned certificate resource for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
I0330 06:16:46.368424 1 controller.go:135] cert-manager/controller/ingress-shim "msg"="finished processing work item" "key"="ingress-basic/hello-world-ingress-static"
I0330 06:16:47.581355 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
I0330 06:16:49.383317 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
```
The only thing that looks like it might be a problem is in the cert-manager logs:
```
"certificate resource is not owned by this ingress. refusing to update non-owned certificate resource for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
```
Thanks,
Afik
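
Added example, not part of the original post: a small parser for the cert-manager ingress-shim lines quoted above that groups Ingresses by the Certificate they resolve to and lists the ones the shim refused as non-owners. The log lines in `SAMPLE_LOG` are copied from the post; the function names are illustrative, and the key/value layout is assumed to match the lines shown.

```python
import re
from collections import defaultdict

# Five lines copied from the cert-manager output in the post.
SAMPLE_LOG = '''\
I0330 06:16:46.355124 1 sync.go:163] cert-manager/controller/ingress-shim "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress" "resource_namespace"="ingress-basic"
I0330 06:16:46.356804 1 sync.go:176] cert-manager/controller/ingress-shim "msg"="certificate resource is already up to date for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress" "resource_namespace"="ingress-basic"
I0330 06:16:46.367596 1 sync.go:163] cert-manager/controller/ingress-shim "msg"="certificate already exists for ingress resource, ensuring it is up to date" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
I0330 06:16:46.368271 1 sync.go:171] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this ingress. refusing to update non-owned certificate resource for ingress" "related_resource_kind"="Certificate" "related_resource_name"="tls-secret-selfsigned" "related_resource_namespace"="ingress-basic" "resource_kind"="Ingress" "resource_name"="hello-world-ingress-static" "resource_namespace"="ingress-basic"
I0330 06:16:47.581355 1 reflector.go:278] external/io_k8s_client_go/tools/cache/reflector.go:108: forcing resync
'''

KV = re.compile(r'"([^"]+)"="([^"]*)"')          # "key"="value" pairs
REFUSED = "certificate resource is not owned by this ingress"


def parse_line(line):
    """Return the key/value pairs of an ingress-shim line, or None for other lines."""
    if "cert-manager/controller/ingress-shim" not in line:
        return None
    return dict(KV.findall(line))


def certificate_owners(log_text):
    """Map (namespace, certificate) -> Ingresses that reference it and those refused."""
    report = defaultdict(lambda: {"ingresses": set(), "refused": set()})
    for line in log_text.splitlines():
        kv = parse_line(line)
        if not kv or kv.get("related_resource_kind") != "Certificate":
            continue
        key = (kv["related_resource_namespace"], kv["related_resource_name"])
        report[key]["ingresses"].add(kv["resource_name"])
        if kv.get("msg", "").startswith(REFUSED):
            report[key]["refused"].add(kv["resource_name"])
    return dict(report)


def shared_certificates(log_text):
    """Certificates that more than one Ingress resolves to."""
    return {k: v for k, v in certificate_owners(log_text).items()
            if len(v["ingresses"]) > 1}


if __name__ == "__main__":
    for (ns, cert), info in shared_certificates(SAMPLE_LOG).items():
        print(f"{ns}/{cert}: referenced by {sorted(info['ingresses'])}, "
              f"refused for {sorted(info['refused'])}")
```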