1
我使用nginx-ingress控制器在GKE上設置了一個新的kubernetes集羣。 TLS不起作用,它使用假證書。Kubernetes NGINX Ingress控制器沒有拿起TLS證書
有很多配置細節,所以我做了一個回購協議 - https://github.com/jobevers/test_ssl_ingress
總之步驟是
- 創建沒有GKE的負載平衡器一個新的集羣
- 創建TLS祕密與我key and cert
- 創建一個nginx入口部署/ pod
- 創建一個入口控制器
nginx-ingress配置來自https://zihao.me/post/cheap-out-google-container-engine-load-balancer/(看起來非常類似於ingress-nginx回購中的很多示例)。
我ingress.yaml幾乎是相同的the example one
當我運行嫋嫋,我得到
$ curl -kv https://35.196.134.52
[...]
* common name: Kubernetes Ingress Controller Fake Certificate (does not match '35.196.134.52')
[...]
* issuer: O=Acme Co,CN=Kubernetes Ingress Controller Fake Certificate
[...]
這表明我仍在使用默認的證書。
我該如何得到它使用我的?
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ssl-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- secretName: tls-secret
rules:
- http:
paths:
- path:/
backend:
serviceName: demo-echo-service
servicePort: 80
kubectl create secret tls tls-secret --key tls/privkey.pem --cert tls/fullchain.pem
調試進一步,該證書被發現存在於服務器上:
$ kubectl -n kube-system exec -it $(kubectl -n kube-system get pods | grep ingress | head -1 | cut -f 1 -d " ") -- ls -1 /ingress-controller/ssl/
default-fake-certificate-full-chain.pem
default-fake-certificate.pem
default-tls-secret-full-chain.pem
default-tls-secret.pem
而且,從日誌中,我看到
kubectl -n kube-system log -f $(kubectl -n kube-system get pods | grep ingress | head -1 | cut -f 1 -d " ")
[...]
I1013 17:21:45.423998 6 queue.go:111] syncing default/test-ssl-ingress
I1013 17:21:45.424009 6 backend_ssl.go:40] starting syncing of secret default/tls-secret
I1013 17:21:45.424135 6 ssl.go:60] Creating temp file /ingress-controller/ssl/default-tls-secret.pem236555242 for Keypair: default-tls-secret.pem
I1013 17:21:45.424946 6 ssl.go:118] parsing ssl certificate extensions
I1013 17:21:45.743635 6 backend_ssl.go:102] found 'tls.crt' and 'tls.key', configuring default/tls-secret as a TLS Secret (CN: [...])
[...]
但是,看着nginx.conf,其依然採用了假證書:
$ kubectl -n kube-system exec -it $(kubectl -n kube-system get pods | grep ingress | head -1 | cut -f 1 -d " ") -- cat /etc/nginx/nginx.conf | grep ssl_cert
ssl_certificate /ingress-controller/ssl/default-fake-certificate.pem;
ssl_certificate_key /ingress-controller/ssl/default-fake-certificate.pem;
你可以添加你的入口定義和祕密定義嗎? –
@NorbertvanNobelen更新了原來的問題 – jobevers