Kubernetes cert-manager certificate not found on AWS ALB ingress

Stack Overflow user
Asked on 2022-09-25 09:32:06
Answers: 1  Views: 210  Followers: 0  Votes: 0

I haven't been able to get this working for a while now. Basically, I have a K8s cluster on AWS, ExternalDNS is set up and working, and now I'm trying to add TLS/SSL certificates with cert-manager.

These are my manifests:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    # Let's Encrypt staging: certificates are issued by an untrusted CA,
    # switch to the production directory once the flow works
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: my-email
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
      - selector:
          dnsZones:
            - "example.it"
            - "*.example.it"
        dns01:
          route53:
            region: eu-central-1
            hostedZoneID: HOSTEDZONEID
            # static IAM access key; for a ClusterIssuer the referenced Secret
            # must live in the cert-manager namespace
            accessKeyID: ACCESSKEYID
            secretAccessKeySecretRef:
              name: route53-secret
              key: secretkey
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-cluster-issuer
  # wildcard only: covers one label under example.it, not example.it itself
  commonName: "*.example.it"
  dnsNames:
    - "*.example.it"
```

ExternalDNS:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods", "nodes"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
  labels:
    app.kubernetes.io/name: external-dns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: externaldns # change to desired namespace: externaldns, kube-addons
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: external-dns
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: k8s.gcr.io/external-dns/external-dns:v0.11.0
          args:
            - --source=service
            - --source=ingress
            - --domain-filter=example.it # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
            - --provider=aws
            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
            - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
            - --registry=txt
            - --txt-owner-id=external-dns
          env:
            - name: AWS_DEFAULT_REGION
              value: eu-central-1 # change to region where EKS is installed
```

cert-manager is deployed in the cert-manager namespace, while ExternalDNS is deployed in its own externaldns namespace. The AWS one is in kube-system.

Finally, my Ingress is deployed in the default namespace:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: master
  namespace: default
  labels:
    name: master
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/group.name: "alta"
    alb.ingress.kubernetes.io/group.order: "0"
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
spec:
  ingressClassName: alb
  # the ALB controller does not load this Secret into the load balancer;
  # an ALB HTTPS listener serves certificates from ACM (see the accepted answer)
  tls:
    - hosts:
        - "example.it"
      secretName: "tls-secret"
  rules:
    - host: example.it
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: echoserver # random test service, returns some page w/some info
                port:
                  number: 80
```

With all this configuration, I still get "no certificate found for host: example.it" on my ingress. The certificate is being issued and everything looks fine. Any ideas? This is driving me crazy.

1 Answer

Stack Overflow user

Accepted answer

Posted on 2022-10-12 09:36:27

Posting this in case anyone runs into the same problem.

Basically, AWS doesn't support cert-manager: you have to go to AWS, get a certificate there, and then add it via the certificate-arn annotation on the ingress. Then everything should start working. (Edited.)

Votes: 0
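Two things in the manifests above can be checked mechanically before anything is applied. First, an Ingress of class `alb` becomes an AWS Application Load Balancer, and an ALB HTTPS listener serves certificates from ACM, either auto-discovered by hostname or named in the `alb.ingress.kubernetes.io/certificate-arn` annotation; the Kubernetes Secret in `spec.tls` is never loaded into the ALB, so a cert-manager-issued secret cannot satisfy it, which is the root of the error in the question and what the accepted answer fixes. Second, the Certificate only carries the wildcard `*.example.it`, and a wildcard covers exactly one DNS label, so it would not match the apex `example.it` the Ingress serves even on an ingress controller that does read `spec.tls`. The script below is an added example, not part of the original question or answer and not code from cert-manager or the AWS Load Balancer Controller. It embeds constructed JSON reductions of the posted Certificate and Ingress (the shape `kubectl get ... -o json` prints), flags both mismatches, and rewrites the Ingress the way the answer describes; the ACM ARN it uses is a placeholder, not a real certificate.

```python
"""Pre-flight TLS check for an AWS ALB Ingress (added example, not project code).

Encodes two facts:
  1. An `alb` Ingress is an AWS ALB; its HTTPS listener needs an ACM
     certificate (auto-discovered by hostname or set via the certificate-arn
     annotation). A Secret referenced in spec.tls is not used by the ALB.
  2. A wildcard DNS name matches exactly one leftmost label, so
     '*.example.it' does not cover the apex 'example.it'.
Assumptions: manifests are handled as JSON objects; the ARN is a placeholder.
"""
import copy
import json

CERT_ARN_ANNOTATION = "alb.ingress.kubernetes.io/certificate-arn"
CERT_MANAGER_ANNOTATION = "cert-manager.io/cluster-issuer"
# Placeholder ARN (assumption for the example): substitute the real ACM ARN.
EXAMPLE_ACM_ARN = ("arn:aws:acm:eu-central-1:123456789012:certificate/"
                   "00000000-0000-0000-0000-000000000000")

# Constructed sample input: the Certificate and Ingress from the question,
# reduced to the fields the checks need.
CERTIFICATE_JSON = r"""{
  "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
  "metadata": {"name": "le-crt"},
  "spec": {"secretName": "tls-secret",
           "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-cluster-issuer"},
           "commonName": "*.example.it", "dnsNames": ["*.example.it"]}
}"""
INGRESS_JSON = r"""{
  "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
  "metadata": {"name": "master", "namespace": "default",
    "annotations": {"alb.ingress.kubernetes.io/scheme": "internet-facing",
                    "alb.ingress.kubernetes.io/listen-ports": "[{\"HTTPS\":443}, {\"HTTP\":80}]",
                    "alb.ingress.kubernetes.io/ssl-redirect": "443",
                    "cert-manager.io/cluster-issuer": "letsencrypt-cluster-issuer"}},
  "spec": {"ingressClassName": "alb",
           "tls": [{"hosts": ["example.it"], "secretName": "tls-secret"}],
           "rules": [{"host": "example.it", "http": {"paths": [{"pathType": "Prefix",
             "path": "/", "backend": {"service": {"name": "echoserver", "port": {"number": 80}}}}]}}]}
}"""


def load_samples():
    """Return (certificate, ingress) parsed from the constructed JSON above."""
    return json.loads(CERTIFICATE_JSON), json.loads(INGRESS_JSON)


def wildcard_matches(pattern, host):
    """RFC 6125 style match: '*' stands for exactly one leftmost label, so
    '*.example.it' matches 'www.example.it' but neither 'example.it' nor
    'a.b.example.it'. Comparison is case-insensitive and ignores a trailing dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.it"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]              # what '*' would have to cover
    return bool(label) and "." not in label


def ingress_hosts(ingress):
    """All hostnames the Ingress serves: spec.tls[].hosts plus spec.rules[].host."""
    spec = ingress.get("spec") or {}
    hosts = set()
    for tls in spec.get("tls") or []:
        hosts.update(tls.get("hosts") or [])
    for rule in spec.get("rules") or []:
        if rule.get("host"):
            hosts.add(rule["host"])
    return sorted(hosts)


def uncovered_hosts(certificate, ingress):
    """Ingress hosts that no dnsName of the Certificate would match."""
    names = (certificate.get("spec") or {}).get("dnsNames") or []
    return [h for h in ingress_hosts(ingress)
            if not any(wildcard_matches(n, h) for n in names)]


def is_alb_ingress(ingress):
    spec = ingress.get("spec") or {}
    ann = (ingress.get("metadata") or {}).get("annotations") or {}
    return (spec.get("ingressClassName") == "alb"
            or ann.get("kubernetes.io/ingress.class") == "alb")


def alb_tls_findings(ingress):
    """Return (code, message) pairs for TLS settings an ALB will not honour."""
    findings = []
    if not is_alb_ingress(ingress):
        return findings
    spec = ingress.get("spec") or {}
    ann = (ingress.get("metadata") or {}).get("annotations") or {}
    if spec.get("tls") and CERT_ARN_ANNOTATION not in ann:
        secrets = ", ".join(t.get("secretName", "?") for t in spec["tls"])
        findings.append(("ALB_TLS_SECRET_UNUSED",
                         f"spec.tls references Secret(s) {secrets}, but an ALB listener only "
                         f"serves ACM certificates; set {CERT_ARN_ANNOTATION} or put a certificate "
                         f"for {', '.join(ingress_hosts(ingress))} in ACM"))
    if CERT_MANAGER_ANNOTATION in ann:
        findings.append(("CERT_MANAGER_ON_ALB",
                         f"{CERT_MANAGER_ANNOTATION} makes cert-manager issue a certificate "
                         "into a Secret the ALB never serves"))
    return findings


def rewrite_for_alb(ingress, certificate_arn):
    """Copy of the Ingress with the accepted answer's fix applied: name the ACM
    certificate in the annotation and drop the unused spec.tls / cert-manager bits."""
    fixed = copy.deepcopy(ingress)
    ann = fixed.setdefault("metadata", {}).setdefault("annotations", {})
    ann[CERT_ARN_ANNOTATION] = certificate_arn
    ann.pop(CERT_MANAGER_ANNOTATION, None)
    fixed.setdefault("spec", {}).pop("tls", None)
    return fixed


if __name__ == "__main__":
    cert, ing = load_samples()
    for code, msg in alb_tls_findings(ing):
        print(f"[{code}] {msg}")
    for host in uncovered_hosts(cert, ing):
        print(f"[CERT_HOST_UNCOVERED] {host} is not matched by {cert['spec']['dnsNames']}")
    print(json.dumps(rewrite_for_alb(ing, EXAMPLE_ACM_ARN)["metadata"]["annotations"], indent=2))
```

Run against the posted manifests it reports the unused `tls-secret`, the pointless cert-manager annotation, and that `example.it` is not covered by `*.example.it`; the rewritten Ingress carries only the `certificate-arn` annotation and no `spec.tls`, which is the shape the accepted answer ends up with. If you would rather rely on the controller's ACM auto-discovery than pin an ARN, the hostname check still applies: the ACM certificate must cover the exact hosts in `spec.tls[].hosts` and `spec.rules[].host`, and a wildcard alone does not cover the apex.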
Page content provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/73843439
