两个Nginx Ingress控制器Azure K8s群集的两个TLS证书 [英] Two TLS certificate for two Nginx Ingress controller Azure K8s cluster

查看:74
本文介绍了两个Nginx Ingress控制器Azure K8s群集的两个TLS证书的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有两个入口控制器,其中一个在 default 名称空间中具有默认类 nginx ,而第二个入口控制器具有 nginx类:nginx-devices .

I have two ingress controller one with default class nginx in default namespace, while the second ingress controller has a nginx class: nginx-devices.

证书管理器已使用Helm安装.

Cert-manager is already installed using Helm.

我使用 ClusterIssuer 和用于路由 Ingress 的入口资源规则,从第一个控制器的Lets Encrypt获得了TLS证书.

I managed to get TLS certificate from Lets Encrypt for the first controller, using ClusterIssuer and ingress resource rules for routing Ingress.


apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod
spec:
  acme:
    email: xx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

入口路由:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: serviceA-ingress-rules
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - FirstService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: FirstService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceA
        backend:
          serviceName: serviceA
          servicePort: 80

但是,要为第二个入口控制器创建第二个TLS证书,则不会创建TLS秘密

However, for creating the second TLS certificate for the second ingress controller, the TLS secret is not created

ClusterIssuer

ClusterIssuer

# k8s/cluster-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # name: letsencrypt-staging
  name: letsencrypt-prod-devices
  namespace: ingress-nginx-devices # namespace where the second ingress controller is installed
spec:
  acme:
    email: xxx
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod-devices
    solvers:
    - http01:
        ingress:
          class: nginx-devices # ingress class of the second ingress controller

入口路由

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: devices-ingress-rules
  namespace: default # since all the services are in default namespace
  annotations:
    kubernetes.io/ingress.class: nginx-devices # ingress class of the second ingress controller
    cert-manager.io/cluster-issuer: "letsencrypt-prod-devices" 
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - secondService.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: secondService.cloudapp.azure.com
    http:
      paths:
      - path: /serviceB
        backend:
          serviceName: serviceB
          servicePort: 80

通过查看秘密,我只能看到: kubectl获取秘密-n ingress-nginx-devices

by looking at the secret I can only see: kubectl get secrets -n ingress-nginx-devices

NAME                                          TYPE                                  DATA   AGE
default-token-xzp95                           kubernetes.io/service-account-token   3      92m
nginx-ingress-devices-backend-token-pd4vf     kubernetes.io/service-account-token   3      64m
nginx-ingress-devices-token-qvvps             kubernetes.io/service-account-token   3      64m
sh.helm.release.v1.nginx-ingress-devices.v1   helm.sh/release.v1                    1      64m

在默认命名空间中:

tls-secret                                          kubernetes.io/tls                     2      134m

为什么第二个tls-secret没有生成?这里可能出什么问题了?

Why the second tls-secret is not being generated ? what could go wrong here ?

我们将不胜感激:)

推荐答案

您的第二个群集发行者名称空间是: ingress-nginx-devices 理想情况下,它应处于默认入口的名称空间位于默认名称空间中.

your second cluster issuer namespace is : ingress-nginx-devices ideally it should be in the default namespace as your ingress is in the default namespace.

将这三个保留在相同的名称空间中:

Keep these three in same namespace :

  1. 入口
  2. 集群发行人
  3. 服务

如果一切正常,您将在默认名称空间

if everything will work well you will see the secret in default namespace

也在您的clusterissuer的YAML中

also in your YAML of clusterissuer

privateKeySecretRef:
      # name: letsencrypt-staging
      name: letsencrypt-prod-devices

您的秘密名称是: letencrypt-prod-devices

但进入时是: tls-secret

保持相同,否则将无法正常工作

keep it same otherwise wont work

在此共享了 clusterissuer ingress 的完整示例,它们位于同一命名空间中.您可以根据需要更改秘密名称,clusterissuer名称.Clusterissuer会自动给秘密者和秘密者提供证明者名称,从而自动创建秘密.进入(匹配)的clusterissuer.

here sharing a full example of clusterissuer and ingress keep in the same namespace. You can change the secret name, clusterissuer name as per need. Clusterissuer will create the secret automatically just give prover names of secret & clusterissuer in ingress (matching).

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

这篇关于两个Nginx Ingress控制器Azure K8s群集的两个TLS证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆