两个Nginx Ingress控制器Azure K8s群集的两个TLS证书 [英] Two TLS certificate for two Nginx Ingress controller Azure K8s cluster
问题描述
我有两个入口控制器,其中一个在 default
名称空间中具有默认类 nginx
,而第二个入口控制器具有 nginx类:nginx-devices
.
I have two ingress controller one with default class nginx
in default
namespace, while the second ingress controller has a nginx class: nginx-devices
.
证书管理器已使用Helm安装.
Cert-manager is already installed using Helm.
我使用 ClusterIssuer
和用于路由 Ingress
的入口资源规则,从第一个控制器的Lets Encrypt获得了TLS证书.
I managed to get TLS certificate from Lets Encrypt for the first controller, using ClusterIssuer
and ingress resource rules for routing Ingress
.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
# name: letsencrypt-staging
name: letsencrypt-prod
spec:
acme:
email: xx
# server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
入口路由:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: serviceA-ingress-rules
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- FirstService.cloudapp.azure.com
secretName: tls-secret
rules:
- host: FirstService.cloudapp.azure.com
http:
paths:
- path: /serviceA
backend:
serviceName: serviceA
servicePort: 80
但是,要为第二个入口控制器创建第二个TLS证书,则不会创建TLS秘密
However, for creating the second TLS certificate for the second ingress controller, the TLS secret is not created
ClusterIssuer
ClusterIssuer
# k8s/cluster-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
acme:
email: xxx
# server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
solvers:
- http01:
ingress:
class: nginx-devices # ingress class of the second ingress controller
入口路由
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: devices-ingress-rules
namespace: default # since all the services are in default namespace
annotations:
kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
cert-manager.io/cluster-issuer: "letsencrypt-prod-devices"
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- secondService.cloudapp.azure.com
secretName: tls-secret
rules:
- host: secondService.cloudapp.azure.com
http:
paths:
- path: /serviceB
backend:
serviceName: serviceB
servicePort: 80
通过查看秘密,我只能看到: kubectl获取秘密-n ingress-nginx-devices
by looking at the secret I can only see: kubectl get secrets -n ingress-nginx-devices
NAME TYPE DATA AGE
default-token-xzp95 kubernetes.io/service-account-token 3 92m
nginx-ingress-devices-backend-token-pd4vf kubernetes.io/service-account-token 3 64m
nginx-ingress-devices-token-qvvps kubernetes.io/service-account-token 3 64m
sh.helm.release.v1.nginx-ingress-devices.v1 helm.sh/release.v1 1 64m
在默认命名空间中:
tls-secret kubernetes.io/tls 2 134m
为什么第二个tls-secret没有生成?这里可能出什么问题了?
Why the second tls-secret is not being generated ? what could go wrong here ?
我们将不胜感激:)
推荐答案
您的第二个群集发行者名称空间是: ingress-nginx-devices 理想情况下,它应处于默认入口的名称空间位于默认名称空间中.
your second cluster issuer namespace is : ingress-nginx-devices ideally it should be in the default namespace as your ingress is in the default namespace.
将这三个保留在相同的名称空间中:
Keep these three in same namespace :
- 入口
- 集群发行人
- 服务
如果一切正常,您将在默认名称空间
if everything will work well you will see the secret in default namespace
也在您的clusterissuer的YAML中
also in your YAML of clusterissuer
privateKeySecretRef:
# name: letsencrypt-staging
name: letsencrypt-prod-devices
您的秘密名称是: letencrypt-prod-devices
但进入时是: tls-secret
保持相同,否则将无法正常工作
keep it same otherwise wont work
在此共享了 clusterissuer 和 ingress 的完整示例,它们位于同一命名空间中.您可以根据需要更改秘密名称,clusterissuer名称.Clusterissuer会自动给秘密者和秘密者提供证明者名称,从而自动创建秘密.进入(匹配)的clusterissuer.
here sharing a full example of clusterissuer and ingress keep in the same namespace. You can change the secret name, clusterissuer name as per need. Clusterissuer will create the secret automatically just give prover names of secret & clusterissuer in ingress (matching).
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
这篇关于两个Nginx Ingress控制器Azure K8s群集的两个TLS证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!