I am getting this error in the ClusterIssuer (cert-manager version 1.7.1):

Error getting keypair for CA issuer: error decoding certificate PEM block

I store ca.crt, tls.crt and tls.key in an Azure Key Vault.

kubectl describe clusterissuer
Ca:
  Secret Name: cert-manager-secret
Status:
  Conditions:
    Last Transition Time: 2022-02-25T11:40:49Z
    Message: Error getting keypair for CA issuer: error decoding certificate PEM block
    Observed Generation: 1
    Reason: ErrGetKeyPair
    Status: False
    Type: Ready
Events:
  Type     Reason         Age                  From          Message
  ----     ------         ----                 ----          -------
  Warning  ErrGetKeyPair  3m1s (x17 over 58m)  cert-manager  Error getting keypair for CA issuer: error decoding certificate PEM block
  Warning  ErrInitIssuer  3m1s (x17 over 58m)  cert-manager  Error initializing issuer: error decoding certificate PEM block

kubectl get clusterissuer

NAME        READY   AGE
ca-issuer   False   69m

ca-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: cert-manager-secret

This is the Key Vault yaml file used to retrieve ca.crt, tls.crt and tls.key:

keyvauls.yaml
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-akscacrt
  namespace: cert-manager
spec:
  vault:
    name: kv-xx # name of key vault
    object:
      name: akscacrt # name of the akv object
      type: secret # akv object type
  output:
    secret:
      name: cert-manager-secret # kubernetes secret name
      dataKey: ca.crt # key to store object value in kubernetes secret
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-akstlscrt
  namespace: cert-manager
spec:
  vault:
    name: kv-xx # name of key vault
    object:
      name: akstlscrt # name of the akv object
      type: secret # akv object type
  output:
    secret:
      name: cert-manager-secret # kubernetes secret name
      dataKey: tls.crt # key to store object value in kubernetes secret
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-akstlskey
  namespace: cert-manager
spec:
  vault:
    name: kv-xx # name of key vault
    object:
      name: akstlskey # name of the akv object
      type: secret # akv object type
  output:
    secret:
      name: cert-manager-secret # kubernetes secret name
      dataKey: tls.key # key to store object value in kubernetes secret
---

Here are the certificates used:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-xx
  namespace: argocd
spec:
  secretName: argocd-xx
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  commonName: "argocd.xx"
  dnsNames:
    - "argocd.xx"
  privateKey:
    size: 4096
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sonarqube-xx
  namespace: sonarqube
spec:
  secretName: "sonarqube-xx"
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  commonName: "sonarqube.xx"
  dnsNames:
    - "sonarqube.xx"
  privateKey:
    size: 4096

I can retrieve the secret for the certificates from the Key Vault:

kubectl get secret -n cert-manager cert-manager-secret -o yaml
apiVersion: v1
data:
  ca.crt: XXX
  tls.crt: XXX
  tls.key: XXX

Another strange thing is that in the sonarqube/argocd namespaces I get other secrets that I deployed earlier but that are not in the deployment files. I cannot delete them; when I try to delete them, they are recreated automatically. It looks as if they are stored in some kind of cache. I also tried deleting the akv2k8s/cert-manager namespaces, removing the cert-manager/akv2k8s controllers and reinstalling them, but after reinstalling and applying the deployment the problem is the same.
kubectl get secret -n sonarqube

NAME                  TYPE                                  DATA   AGE
cert-manager-secret   Opaque                                3      155m
default-token-c8b86   kubernetes.io/service-account-token   3      2d1h
sonarqube-xx-7v7dh    Opaque                                1      107m
sql-db-secret         Opaque                                2      170m

kubectl get secret -n argocd

NAME                       TYPE                                  DATA   AGE
argocd-xx-7b5kb            Opaque                                1      107m
cert-manager-secret-argo   Opaque                                3      157m
default-token-pjb4z        kubernetes.io/service-account-token   3      3d15h

kubectl describe certificate sonarqube-xxx -n sonarqube
Status:
  Conditions:
    Last Transition Time: 2022-02-25T11:04:08Z
    Message: Issuing certificate as Secret does not exist
    Observed Generation: 1
    Reason: DoesNotExist
    Status: False
    Type: Ready
    Last Transition Time: 2022-02-25T11:04:08Z
    Message: Issuing certificate as Secret does not exist
    Observed Generation: 1
    Reason: DoesNotExist
    Status: True
    Type: Issuing
  Next Private Key Secret Name: sonarqube-xxx-7v7dh
Events: <none>

Any ideas?
Thanks.

Posted on 2022-03-01 12:47:23

I figured it out when uploading the certificate information ca.crt, tls.crt and tls.key as plain text, without base64 encoding, into the Azure Key Vault secrets.
When AKV2K8S retrieves the secret from the Key Vault and stores it in Kubernetes, it base64-encodes it automatically.
Best regards,
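As an added example (not code from the question, the answer, cert-manager or akv2k8s), the following Python script checks for the failure the answer describes. It takes the `data` fields of a Secret as `kubectl get secret ... -o json` prints them, decodes each once (Kubernetes stores every value base64-encoded) and reports whether the result is a PEM block, a second base64 layer (what akv2k8s produces when the vault already holds base64 text, which is exactly what makes cert-manager report "error decoding certificate PEM block"), or neither. The sample secret values, the PEM body and the script name `check_pem_secret.py` are constructed for the example and are not real key material.

```python
"""Check whether the data fields of a cert-manager CA secret really hold PEM.

Added example; the secret contents below are constructed placeholders.
"""
import base64
import binascii
import json
import sys

PEM_MARKER = b"-----BEGIN "


def decode_secret_field(value_b64: str) -> bytes:
    """Decode one `data:` field the way kubectl shows it (one base64 layer)."""
    return base64.b64decode(value_b64, validate=True)


def _looks_like_pem(raw: bytes) -> bool:
    return raw.lstrip().startswith(PEM_MARKER)


def classify_pem_field(value_b64: str) -> str:
    """Return 'pem', 'double-encoded', 'not-pem' or 'invalid-base64'.

    'double-encoded' is the case from the answer: the vault already held
    base64 text, akv2k8s encoded it again when writing the Secret, so the
    consumer decodes once and finds base64 text instead of a PEM block.
    """
    try:
        once = decode_secret_field(value_b64)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if _looks_like_pem(once):
        return "pem"
    try:
        # Drop line breaks a pasted base64 blob may contain, then decode again.
        twice = base64.b64decode(b"".join(once.split()), validate=True)
    except (binascii.Error, ValueError):
        return "not-pem"
    return "double-encoded" if _looks_like_pem(twice) else "not-pem"


def recover_pem(value_b64: str) -> bytes:
    """Return the PEM bytes a field carries after undoing any extra base64
    layer: this plain text is what belongs in the Key Vault secret."""
    kind = classify_pem_field(value_b64)
    if kind not in ("pem", "double-encoded"):
        raise ValueError(f"field is {kind}, cannot recover a PEM block")
    once = decode_secret_field(value_b64)
    if kind == "pem":
        return once
    return base64.b64decode(b"".join(once.split()), validate=True)


def check_secret(data: dict) -> dict:
    """Classify every field of a Secret's `data` map."""
    return {key: classify_pem_field(value) for key, value in data.items()}


# Constructed sample: a fake PEM body (not a real certificate) stored correctly
# (ca.crt), stored double-encoded (tls.crt), and a value that is not PEM at all.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBsampleNotARealCert\n-----END CERTIFICATE-----\n"
CORRECT = base64.b64encode(SAMPLE_PEM).decode()
DOUBLE = base64.b64encode(base64.b64encode(SAMPLE_PEM)).decode()
SAMPLE_SECRET_DATA = {
    "ca.crt": CORRECT,
    "tls.crt": DOUBLE,
    "tls.key": base64.b64encode(b"hello").decode(),
}

if __name__ == "__main__":
    # Usage: kubectl get secret -n cert-manager cert-manager-secret -o json | python3 check_pem_secret.py
    # With no input on stdin, the constructed sample is checked instead.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(text)["data"] if text.strip() else SAMPLE_SECRET_DATA
    for key, verdict in check_secret(data).items():
        print(f"{key}: {verdict}")
```

A field reported as `double-encoded` means the Key Vault secret should be replaced with the plain PEM text (`recover_pem` returns exactly those bytes), after which akv2k8s's single automatic base64 layer is the only one present and cert-manager can parse the block.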
https://stackoverflow.com/questions/71266255