So basically I am trying to use https for local development, and I am thinking of using traefik.me to route all subdomains to localhost; so I want to use their certificates for the local applications in my kubernetes cluster. But the issuer is the part I don't know how to handle, and I am new to both kubernetes and cert-manager; can someone guide me through this?
This is what I have so far:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-web-ingress
  namespace: myapp
  annotations:
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - traefik.me
        - api.traefik.me
        - beta.traefik.me
        - myapp.traefik.me
      secretName: myapp-tls
  rules:
    - host: myapp.traefik.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
    - host: beta.traefik.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
    - host: api.traefik.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keda-add-ons-http-interceptor-proxy
                port:
                  number: 8080
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-tls
  namespace: myapp
spec:
  secretName: myapp-tls
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  dnsNames:
    - traefik.me
    - api.traefik.me
    - beta.traefik.me
    - myapp.traefik.me
  privateKey:
    algorithm: RSA
    size: 2048
But the logs of the cert-manager deployment are:
E1211 19:23:40.601353 1 sync.go:208] "propagation check failed" err="wrong status code '404', expected '200'" logger="cert-manager.controller" resource_name="myapp-tls-1-3528601542-974909028" resource_namespace="myapp" resource_kind="Challenge" resource_version="v1" dnsName="traefik.me" type="HTTP-01"
I1211 19:23:50.313309 1 pod.go:59] "found one existing HTTP01 solver pod" logger="cert-manager.controller.http01.selfCheck.http01.ensurePod" resource_name="myapp-tls-1-3528601542-3776680831" resource_namespace="myapp" resource_kind="Challenge" resource_version="v1" dnsName="api.traefik.me" type="HTTP-01" related_resource_name="cm-acme-http-solver-jzh75" related_resource_namespace="myapp" related_resource_kind="" related_resource_version=""
I1211 19:23:50.313399 1 service.go:45] "found one existing HTTP01 solver Service for challenge resource" logger="cert-manager.controller.http01.selfCheck.http01.ensureService" resource_name="myapp-tls-1-3528601542-3776680831" resource_namespace="myapp" resource_kind="Challenge" resource_version="v1" dnsName="api.traefik.me" type="HTTP-01" related_resource_name="cm-acme-http-solver-h49bd" related_resource_namespace="myapp" related_resource_kind="" related_resource_version=""
Your current setup uses the HTTP-01 challenge, which your traefik.me configuration does not support. It tries to verify ownership of your domain on the public internet through the ACME provider (Let's Encrypt). However, this is not feasible in your use case, because you are using it for a local deployment.
If you still use traefik.me, you can switch to a self-signed certificate, depending on your use case.
Add an issuer and point your certificate at it:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer-selfsigned
  namespace: myapp
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-tls
  namespace: myapp
spec:
  secretName: myapp-tls
  issuerRef:
    name: issuer-selfsigned #update this line with your new issuer
    kind: Issuer
  dnsNames:
    - api.traefik.me
    - beta.traefik.me
    - myapp.traefik.me
  privateKey:
    algorithm: RSA
    size: 2048
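As an added example, not code from the question or the answer above: a stdlib-only Python triage script for cert-manager's klog-style output like the lines quoted in the question. It parses each line into level, source, message and key="value" fields and reports which dnsName and challenge type are stuck on "propagation check failed", which is exactly the symptom the answer diagnoses. The sample log lines are constructed, shortened from the ones in the question.

```python
import re
from collections import defaultdict

# klog header as emitted by cert-manager: Lmmdd hh:mm:ss.micros tid file:line] "msg" k="v" ...
_LINE = re.compile(
    r'^(?P<level>[IWEF])(?P<date>\d{4}) (?P<time>[\d:.]+) (?P<tid>\d+) '
    r'(?P<src>[\w./-]+:\d+)\] "(?P<msg>[^"]*)"(?P<rest>.*)$')
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_klog_line(line):
    """Parse one structured klog line; returns None when it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("level", "date", "time", "src", "msg")}
    rec["fields"] = dict(_KV.findall(m.group("rest")))  # empty values stay ""
    return rec


def failed_challenges(lines):
    """Map dnsName -> [(challenge type, error)] for each failed self-check."""
    # cert-manager retries its own pre-check of the challenge URL before it
    # asks ACME to validate; while that pre-check fails the order never finishes.
    out = defaultdict(list)
    for line in lines:
        rec = parse_klog_line(line)
        if rec and rec["msg"] == "propagation check failed":
            f = rec["fields"]
            out[f.get("dnsName", "?")].append((f.get("type", "?"), f.get("err", "")))
    return dict(out)


# Constructed sample, shortened from the log lines quoted in the question.
SAMPLE_LOG = [
    'E1211 19:23:40.601353 1 sync.go:208] "propagation check failed" '
    'err="wrong status code \'404\', expected \'200\'" logger="cert-manager.controller" '
    'resource_name="myapp-tls-1-3528601542-974909028" resource_namespace="myapp" '
    'resource_kind="Challenge" dnsName="traefik.me" type="HTTP-01"',
    'I1211 19:23:50.313309 1 pod.go:59] "found one existing HTTP01 solver pod" '
    'logger="cert-manager.controller.http01.selfCheck.http01.ensurePod" '
    'resource_name="myapp-tls-1-3528601542-3776680831" dnsName="api.traefik.me" '
    'type="HTTP-01" related_resource_name="cm-acme-http-solver-jzh75" related_resource_kind=""',
]

if __name__ == "__main__":
    for name, fails in failed_challenges(SAMPLE_LOG).items():
        for ctype, err in fails:
            print(f"{name}: {ctype} self-check failing: {err}")
```

Feed it `kubectl logs` output from the cert-manager controller pod instead of SAMPLE_LOG to see which hosts in a Certificate are blocking issuance.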