Kubernetes中具有子域重定向的通配符SSL证书 [英] Wildcard SSL certificate with subdomain redirect in Kubernetes
问题描述
我已经将我的Kubernetes配置为使用cert-manager和letencrypt对我的所有应用程序使用一个通配SSL证书,现在的问题是我无法配置子域重定向,原因是Ingress有点僵硬".这是我要达到的目的:
I've configured my Kubernetes to use one wildcard SSL certificate to all my apps using cert-manager and letsencrypt, now the problem is that I can't configure subdomain redirects cause Ingress is kinda "stiff". Here's how I'm trying to achieve this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-wildcard-ingress
namespace: mynamespace
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
certmanager.k8s.io/acme-challenge-type: dns01
certmanager.k8s.io/acme-dns01-provider: azuredns
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
spec:
rules:
- host: "domain.com"
http:
paths:
- path: /
backend:
serviceName: some-service
servicePort: 3000
- host: somesub.domain.com
http:
paths:
- path: /
backend:
serviceName: some-other-service
servicePort: 80
- host: othersub.domain.com
http:
paths:
- path: /
backend:
serviceName: one-more-service
servicePort: 8080
- host: "*.domain.com"
http:
paths:
- path: /
backend:
serviceName: default-service-to-all-other-non-mapped-subdomains
servicePort: 8000
tls:
- secretName: domain-com-tls
hosts:
- "*.domain.com.br"
问题在于Ingress忽略声明的子域重定向,只是因为它们未在"tls:hosts"部分中列出.如果我确实将它们放在此处,它会尝试在同一证书中使用通配符和其他子域来发行SSL证书,这将导致发行者拒绝该命令,并说:"subdomain.domain.com和* .domain.com是多余的"
The problem is that Ingress ignores the declared subdomain redirects just because they're not listed in the "tls:hosts" section. And if I do put them there, it tries to issue the SSL certificate using the wildcard and the other subdomains as well in the same cert, which causes the issuer to refuse the order, saying the obvious: "subdomain.domain.com and *.domain.com are redundant"
还有其他方法可以声明这些重定向并强制它们使用我的SSL通配符证书吗?
Is there any other way that I can declare those redirects and force them to use my SSL wildcard certificate?
推荐答案
对于任何遇到这种麻烦的人,我都设法解决了它(不是最好的解决方案,但这只是一个开始).为此,我将使用cert-manager和letencrypt.
Well, for anyone who's having this kind of trouble, I've managed to solve it (not the best solution, but it's a start). For this, I'll be using cert-manager and letsencrypt.
首先,我创建了一个ClusterIssuer来使用letencrypt为我的证书颁发证书:
First, I've created a ClusterIssuer to issue for my certs with letsencrypt:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod-dns
spec:
acme:
dns01:
providers:
- azuredns:
clientID: MY_AZURE_CLIENT_ID
clientSecretSecretRef:
key: client-secret
name: azure-secret
hostedZoneName: mydomain.com
resourceGroupName: MY_AZURE_RESOURCE_GROUP_NAME
subscriptionID: MY_AZURE_SUBSCRIPTION_ID
tenantID: MY_AZURE_TENANT_ID
name: azuredns
email: somemail@mydomain.com
privateKeySecretRef:
key: ""
name: letsencrypt-prod-dns
server: https://acme-v02.api.letsencrypt.org/directory
然后,我为所有子域创建了一个备用入口(该域将是证书生成器):
Then I've created a fallback ingress to all my subdomains (this one will be the cert generator):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
certmanager.k8s.io/acme-challenge-type: dns01
certmanager.k8s.io/acme-dns01-provider: azuredns
certmanager.k8s.io/cluster-issuer: letsencrypt-prod-dns
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: nginx
name: wildcard-ingress
namespace: some-namespace
spec:
rules:
- host: '*.mydomain.com'
http:
paths:
- backend:
serviceName: some-default-service
servicePort: 80
path: /
tls:
- hosts:
- '*.mydomain.com'
- mydomain.com
secretName: wildcard-mydomain-com-tls
请注意,我已经在TLS部分声明了通配符和绝对路径,因此该证书对于没有子域的URL也将有效.
Notice that I've declared at the TLS section the wildcard AND the absolute paths, so the cert will be valid for the URLs without subdomains too.
这时,对您域的任何请求都将使用SSL重定向到某些默认服务"(创建后备入口后,证书管理器将立即为新证书颁发证书.这可能需要一段时间一旦cert-manager dns01发行者还不成熟),太好了!!!
At this point, any requests to your domain, will be redirected to "some-default-service" with SSL(cert-manager will issue for a new cert as soon as you create the fallback ingress. This can take a while once cert-manager dns01 issuer is not mature yet), great!!!
但是,如果您需要将某些特定的子域重定向到另一服务怎么办?没问题(因为它们在相同的名称空间上运行),您要做的就是为子域创建一个新的入口,将其指向您现有的wildcard-mydomain-com-tls证书密钥:
But, what if you need to redirect some specific subdomain to another service? No problem (since they're running on the same namespace), all you have to do is to create a new ingress to your subdomain, pointing it to your existing wildcard-mydomain-com-tls cert secret:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/force-ssl-redirect: "false"
ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: nginx
name: somesubdomain-ingress
namespace: some-namespace
spec:
rules:
- host: somesubdomain.mydomain.com
http:
paths:
- backend:
serviceName: some-other-service
servicePort: 8080
path: /
tls:
- hosts:
- somesubdomain.mydomain.com
secretName: wildcard-mydomain-com-tls
轻松榨柠檬!!!现在,您的somesubdomain.mydomain.com会覆盖您的后备规则,并将用户发送到另一个应用程序.您在这里唯一要注意的是,该机密仅对"some-namespace"命名空间有效,如果您需要在另一个命名空间中使用此证书,则可以:
Easy peasy lemon squeezy!!! Now your somesubdomain.mydomain.com overrides your fallback rule and sends the user to another app. The only thing you should notice here is that the secret is valid only for "some-namespace" namespace, if you need to use this cert in another namespace, you could:
- 将机密从名称空间"some-namespace"复制到"other-namespace".如果这样做,请记住,证书管理器不会为其他命名空间"自动续订该证书,因此,每次证书过期时,您都必须再次复制该机密.
- 重新创建您拥有的每个命名空间的后备入口,因此您将为其分别拥有一个新的证书.这种方法比较复杂,但是完全是自动的.
我想就是这样.希望那里的人可以从此信息中受益.
I guess that's it. Hope someone out there can benefit from this info.
欢呼
这篇关于Kubernetes中具有子域重定向的通配符SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
