Knative: Enabling automatic TLS certificate provisioning - not working


Problem description

I am trying to enable "automatic TLS certificate provisioning".

I have a working ClusterIssuer (status: "True") and I am able to manually create a Certificate (status: "True").

Environment setup:

Knative: v0.12
Istio: v1.4 (SDS)
cert-manager: v0.13.1

kubectl version                                                               
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.9", GitCommit:"2e808b7cb054ee242b68e62455323aa783991f03", GitTreeState:"clean", BuildDate:"2020-01-18T23:33:14Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15+", GitVersion:"v1.15.9-gke.9", GitCommit:"a9973cbb2722793e2ea08d20880633ca61d3e669", GitTreeState:"clean", BuildDate:"2020-02-07T22:35:02Z", GoVersion:"go1.12.12b4", Compiler:"gc", Platform:"linux/amd64"}

I have the following gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      # Sends 301 redirect for all http requests.
      # Omit to allow http and https.
      httpsRedirect: false
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "mydomain.com"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

When applying:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
  namespace: default
spec:
  template:
    spec:
      containers:
      - image: gcr.io/knative-samples/helloworld-go # The URL to the image of the app
        env:
        - name: TARGET
          value: "Go Sample v1"

I can (note: httpsRedirect: false):

curl http://helloworld-go.default.mydomain.com                                       
Hello Go Sample v1!

But when trying with https:

curl https://helloworld-go.default.mydomain.com
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to helloworld-go.default.mydomain.com:443


Also:

The Knative documentation states: "In this mode, a single Certificate will be provisioned per namespace and is reused across the Knative", but I don't see any certificates in any namespaces.

Note that the kubectl get ksvc URL is http and not https:

kubectl get ksvc
NAME            URL                                      LATESTCREATED         LATESTREADY           READY   REASON
helloworld-go   http://helloworld-go.default.mydomain.com   helloworld-go-lxr2n   helloworld-go-lxr2n   True    

Recommended answer

I had the same issue, but with version 0.16.0. I fixed it by not using "Enabling automatic TLS certificate provisioning" with cert-manager; instead I used the HTTP-01 directly provided from Knative.

How to automatically provision TLS certificates using Let's Encrypt HTTP01 challenges:

  1. Go to https://knative.dev/docs/install/any-kubernetes-cluster/#optional-serving-extensions
  2. Click on "TLS via HTTP01"
  3. Follow the instructions
  4. Should work
