我已经在 Azure Kubernetes 上设置了该项目。我有两个服务:一个 API 和一个前端,它们运行正常。
但是当我配置 certbot 时,入口不会将请求路由到 certbot pod。
我如何设置 certbot:certbot-deplyment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: certbot
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: certbot
template:
metadata:
labels:
app: certbot
spec:
containers:
- name: certbot
image: certbot/certbot
args: [
"certonly",
"--webroot",
"--webroot-path=/var/www/certbot",
"--email", "[email protected]",
"--agree-tos",
"--no-eff-email",
"--force-renewal",
"--staging", # <-- This enables staging environment
"-d staging.example.com"
]
command: ["/bin/sh", "-c", "sleep 3600"] # Keep container alive for 1 hour
volumeMounts:
- name: certbot-webroot
mountPath: /var/www/certbot
- name: certbot-storage
mountPath: /etc/letsencrypt
# Disable liveness and readiness probes
livenessProbe: null
readinessProbe: null
volumes:
- name: certbot-webroot
emptyDir: {}
- name: certbot-storage
persistentVolumeClaim:
claimName: certbot-pvc
certbot-service.yaml
apiVersion: v1
kind: Service
metadata:
name: certbot
namespace: default
spec:
ports:
- port: 80
targetPort: 80
selector:
app: certbot # Make sure this label matches your Certbot pod
type: ClusterIP
Ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: exampleapp
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: webapprouting.kubernetes.azure.com
rules:
- host: staging.example.com
http:
paths:
- path: /.well-known/acme-challenge
pathType: Prefix
backend:
service:
name: certbot
port:
number: 80
- path: /api
pathType: Prefix
backend:
service:
name: appbackend
port:
number: 80
- path: /
pathType: Prefix
backend:
service:
name: appfrontend
port:
number: 80
以下是来自 nginx 负载均衡器 pod 的日志:
"GET /favicon.ico HTTP/1.1" 200 305 "http://staging.example.com/.well-known/acme-challenge/test.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" 538 0.001 [default-appfrontend-80] [] 10.244.0.218:80 305 0.001 200 c607eb8c784c2c4c494653aa99e28655
我将其发布作为此问题的解决方案,建议仅使用证书管理器。请随意添加或编辑此答案以添加我遗漏的任何要点。对于在 SO 上寻找类似问题答案的人来说可能很有用。
要解决 Ingress 未将请求路由到 CertBot pod 的问题,我建议使用 cert-manager 而不是手动配置 CertBot,因为它简化了使用 Kubernetes 管理 TLS 证书的过程,并通过 Let's Encrypt 自动颁发和续订证书。
安装证书管理器(我使用的是helm)
kubectl label namespace ingress cert-manager.io/disable-validation=true
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace ingress \
--version v1.12.1 \
--set installCRDs=true
为 Let's Encrypt 创建 ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt-account-key
solvers:
- http01:
ingress:
class: nginx
更新您的 Ingress 资源以使用证书管理器
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: exampleapp
namespace: default
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- host: whatever name you have registered with your DNS provider (such as GoDaddy etc)
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: appfrontend
port:
number: 80
- path: /api
pathType: Prefix
backend:
service:
name: appbackend
port:
number: 80
tls:
- hosts:
- whatever name you have registered with your DNS provider (such as GoDaddy etc)
secretName: staging-tls
这将请求 TLS 证书并将其存储在秘密中
staging-tls
。
详细步骤提到这里