I have Terraform code that deploys a frontend application and includes a Helm chart with an ingress.yaml.
ingress.yaml
{{- if .Values.ingress.enabled -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ .Values.global.namespace }}-ingress
  namespace: {{ .Values.global.namespace }}
  labels:
    {{- include "test-frontend.labels" . | nindent 4 }}
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.allow-http: "false"
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            backend:
              serviceName: {{ .servicename }}
              servicePort: {{ .serviceport }}
          {{- end }}
    {{- end }}
{{- end }}
values.yaml
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.regional-static-ip-name : "ingress-internal-static-ip"
    kubernetes.io/ingress.allow-http: "false"
  hosts:
    - host: test-dev.test.com
      paths:
        - path: "/*"
          servicename: test-frontend-service
          serviceport: 80
        - path: "/api/*"
          servicename: test-backend-service
          serviceport: 80
  tls:
    - hosts:
        - test-dev.test.com
      secretName: ingress-tls-credential-file
      type: kubernetes.io/tls
      crt: <<test.pem value>>
      key: <<test.key value>>
terraform apply
The command runs successfully. In GCP the certificate is accepted too, and the Kubernetes service in GCP comes up and runs. But if I pass the .crt and .key as files in the values.yaml within the Terraform code:
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.regional-static-ip-name : "ingress-internal-static-ip"
    kubernetes.io/ingress.allow-http: "false"
  hosts:
    - host: test-dev.test.com
      paths:
        - path: "/*"
          servicename: test-frontend-service
          serviceport: 80
        - path: "/api/*"
          servicename: test-backend-service
          serviceport: 80
  tls:
    - hosts:
        - test-dev.test.com
      secretName: ingress-tls-credential-file
      type: kubernetes.io/tls
      crt: file(../../.secret/test.crt)
      key: file(../../.secret/test.key)
values.yaml passes the certificate to helm -> template -> secret.yaml, which creates the Secret (ingress-tls-credential-file).
secret.yaml
{{- if .Values.ingress.tls }}
{{- $namespace := .Values.global.namespace }}
{{- range .Values.ingress.tls }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .secretName }}
  namespace: {{ $namespace }}
  labels:
    {{- include "test-frontend.labels" $ | nindent 4 }}
type: {{ .type }}
data:
  tls.crt: {{ toJson .crt | b64enc | quote }}
  tls.key: {{ toJson .key | b64enc | quote }}
{{- end }}
{{- end }}
We get the following error under GCP -> Kubernetes Engine -> Services & Ingress. How do I pass the files into the values.yaml file?
Error syncing to GCP: error running load balancer syncing routine: loadbalancer 6370cwdc-isp-isp-ingress-ixjheqwi does not exist: Cert creation failures - k8s2-cr-6370cwdc-q0ndkz9m629eictm-ca5d0f56ba7fe415 Error:googleapi: Error 400: The SSL certificate could not be parsed., sslCertificateCouldNotParseCert
For Google to accept your certificate and key files, you need to make sure they are in the correct format, following these steps:
gcloud compute ssl-certificates create CERTIFICATE_NAME \
--certificate=CERTIFICATE_FILE \
--private-key=PRIVATE_KEY_FILE \
--region=REGION \
--project=PROJECT_ID
Then you need to complete a few more steps to make sure you have all the parameters required in the .yaml file and that you have the appropriate services to accept the information from that file (you may already have done these):
gcloud services enable container.googleapis.com \
--project=PROJECT_ID
gcloud container clusters create CLUSTER_NAME \
--release-channel=rapid \
--enable-ip-alias \
--network=NETWORK_NAME \
--subnetwork=BACKEND_SUBNET_NAME \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--region=REGION --machine-type=MACHINE_TYPE \
--project=PROJECT_ID
echo -n 'CLIENT_ID' | base64
echo -n 'CLIENT_SECRET' | base64
gcloud compute addresses create STATIC_ADDRESS_NAME \
--region=REGION --subnet=BACKEND_SUBNET_NAME \
--project=PROJECT_ID
gcloud compute addresses describe STATIC_ADDRESS_NAME \
--region=REGION \
--project=PROJECT_ID
7. Create the values YAML file by copying gke_internal_ip_config_example.yaml and renaming it to PROJECT_ID_gke_config.yaml:
clientIDEncoded: the Base64-encoded CLIENT_ID from the earlier step.
clientSecretEncoded: the Base64-encoded CLIENT_SECRET from the earlier step.
certificate.name: the CERTIFICATE_NAME you created earlier.
initialEmail: the INITIAL_USER_EMAIL of the initial user who will set up custom governance.
staticIpName: the STATIC_ADDRESS_NAME you created earlier.
After completing the steps above, try the deployment again.
You seem to be mixing up the Secret and the inline definition. You need to create the ingress-tls-credential-file Secret first, and then reference it from your Ingress definition, as in the example at https://kubernetes.io/fr/docs/concepts/services-networking/ingress/#tls
apiVersion: v1
data:
  tls.crt: file(../../.secret/test.crt)
  tls.key: file(../../.secret/test.key)
kind: Secret
metadata:
  name: ingress-tls-credential-file
  namespace: default
type: kubernetes.io/tls
Then clean up your ingress values:
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.regional-static-ip-name : "ingress-internal-static-ip"
    kubernetes.io/ingress.allow-http: "false"
  hosts:
    - host: test-dev.test.com
      paths:
        - path: "/*"
          servicename: test-frontend-service
          serviceport: 80
        - path: "/api/*"
          servicename: test-backend-service
          serviceport: 80
  tls:
    - hosts:
        - test-dev.test.com
      secretName: ingress-tls-credential-file
      type: kubernetes.io/tls
Fixed after adding the cert-manager.io/common-name annotation to the Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: my-ip
    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
    cert-manager.io/common-name: test.com
The root cause was that the "Issuer" value in the certificate (generated by cert-manager from our self-signed ClusterIssuer) was empty. One of our engineers said that an empty Issuer value violates part of the SSL specification.
Certificate before the common-name annotation:
openssl x509 -in tls.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:32:e2:6f:0e:c9:08:cc:ac:78:3a:9b:..
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
        Validity
            Not Before: Nov  5 23:03:40 2024 GMT
            Not After : Feb  3 23:03:40 2025 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
After adding the cert-manager.io/common-name annotation, the certificate looks like this:
openssl x509 -in tls.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:c8:97:6d:d2:07:9e:09:7b:ba:..
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = test.com
        Validity
            Not Before: Nov  8 19:16:56 2024 GMT
            Not After : Feb  6 19:16:56 2025 GMT
        Subject: CN = test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
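As an added pre-deploy check (not code from any of the posts above, and not cert-manager's or GCP's own logic): it walks the DER structure of an X.509 certificate and flags an empty Issuer or Subject name, the condition the last answer identifies as the reason GCP could not parse the certificate, so it can be run on the PEM from a Secret's tls.crt before the Ingress is synced. The sample certificates it builds are constructed, unsigned TBS skeletons used only to exercise the check; the hypothetical helper names are mine.

```python
# Added example: detect the empty Issuer/Subject that GCP rejected. Pure Python,
# no third-party modules; works on real DER certificates as well as the stubs below.
import base64
import re

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq_body):                    # top-level (tag, value) pairs of a SEQUENCE body
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _tlv(seq_body, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(m.group(1).split()))

def name_check(der):
    """Return {'issuer_empty': bool, 'subject_empty': bool} for a DER X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)               # first child is tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return {"issuer_empty": len(fields[2][1]) == 0, "subject_empty": len(fields[4][1]) == 0}

def _der(tag, body):                        # short-form length only; enough for the stubs
    return bytes([tag, len(body)]) + body

def stub_cert_pem(common_name):
    """Constructed sample (not a real signed cert): a TBS skeleton with CN=<name>, or empty names."""
    name = b""
    if common_name:                         # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
        atv = _der(0x06, bytes.fromhex("550403")) + _der(0x0C, common_name.encode())
        name = _der(0x31, _der(0x30, atv))  # id-at-commonName, UTF8String
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # v3, serial 1
           + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
           + _der(0x30, name) + _der(0x30, b"") + _der(0x30, name))         # issuer, validity, subject
    der = _der(0x30, _der(0x30, tbs))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

`name_check(pem_to_der(stub_cert_pem("")))` reports both names empty, matching the first openssl dump above, while `stub_cert_pem("test.com")` passes, matching the second.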