Setting up CertBot with Azure Kubernetes -- Ingress problem

Question (votes: 0, answers: 1)

I have set the project up on Azure Kubernetes. I have two services, an API and a frontend, and they run fine.

But when I configure certbot, the ingress does not route requests to the certbot pod.

How I set up certbot: certbot-deployment.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: certbot
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: certbot
  template:
    metadata:
      labels:
        app: certbot
    spec:
      containers:
      - name: certbot
        image: certbot/certbot
        args: [
          "certonly",
          "--webroot",
          "--webroot-path=/var/www/certbot",
          "--email", "[email protected]",
          "--agree-tos",
          "--no-eff-email",
          "--force-renewal",
          "--staging",  # <-- This enables staging environment
          "-d", "staging.example.com"  # flag and value must be separate list items
        ]

        command: ["/bin/sh", "-c", "sleep 3600"]  # Keep container alive for 1 hour
        volumeMounts:
        - name: certbot-webroot
          mountPath: /var/www/certbot
        - name: certbot-storage
          mountPath: /etc/letsencrypt
        # Disable liveness and readiness probes
        livenessProbe: null
        readinessProbe: null
      volumes:
      - name: certbot-webroot
        emptyDir: {}
      - name: certbot-storage
        persistentVolumeClaim:
          claimName: certbot-pvc
```

certbot-service.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  name: certbot
  namespace: default
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: certbot  # Make sure this label matches your Certbot pod
  type: ClusterIP
```

Ingress.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exampleapp
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
    - host: staging.example.com
      http:
        paths:
          - path: /.well-known/acme-challenge
            pathType: Prefix
            backend:
              service:
                name: certbot
                port:
                  number: 80
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: appbackend
                port:
                  number: 80
          - path: /
            pathType: Prefix
            backend:
              service:
                name: appfrontend
                port:
                  number: 80
```

Here are the logs from the nginx load balancer pod:

```text
"GET /favicon.ico HTTP/1.1" 200 305 "http://staging.example.com/.well-known/acme-challenge/test.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" 538 0.001 [default-appfrontend-80] [] 10.244.0.218:80 305 0.001 200 c607eb8c784c2c4c494653aa99e28655
```

Tags: azure, azure-aks

1 answer

0 votes

I am posting this as a solution to this question, suggesting the use of cert-manager only. Feel free to add to or edit this answer with any points I have missed. It may be useful for people looking on SO for answers to similar questions.

To resolve the issue of the Ingress not routing requests to the CertBot pod, I recommend using cert-manager instead of configuring CertBot manually, because it simplifies managing TLS certificates with Kubernetes and automatically issues and renews certificates via Let's Encrypt.

Install cert-manager (I used helm)

```bash
kubectl label namespace ingress cert-manager.io/disable-validation=true

helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install cert-manager jetstack/cert-manager \
  --namespace ingress \
  --version v1.12.1 \
  --set installCRDs=true
```

Create a ClusterIssuer for Let's Encrypt

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
```

Update your Ingress resource to use cert-manager

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exampleapp
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: whatever name you have registered with your DNS provider (such as GoDaddy etc)
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: appfrontend
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: appbackend
            port:
              number: 80
  tls:
  - hosts:
    - whatever name you have registered with your DNS provider (such as GoDaddy etc)
    secretName: staging-tls
```

This will request a TLS certificate and store it in the secret `staging-tls`.

Detailed steps are mentioned here.
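The question's manifest and the answer's updated manifest differ in three ways that matter for certificate issuance, and they are easy to check before applying anything to a cluster. The following is an added example, not code from the question or the answer: a small offline lint, using only grep and mktemp, that reads an Ingress manifest from a file and flags (1) a `rewrite-target` annotation on an Ingress that also routes `/.well-known/acme-challenge`, since ingress-nginx applies the rewrite to every path in that Ingress and the challenge backend then receives `/` instead of the token URL, (2) a missing `tls:` section, and (3) a missing `cert-manager.io/cluster-issuer` annotation. The two sample manifests are constructed from the question and the answer, trimmed to the lines the checks look at; the host name and service names are the page's placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answer): an offline lint for an
# Ingress manifest that is expected to carry ACME HTTP-01 traffic. It needs
# only grep and mktemp, so it runs without kubectl or a cluster.

# lint_ingress FILE
# Prints one WARN line per finding and always returns 0; use count_findings
# when a numeric result is needed.
lint_ingress() {
  f="$1"
  # 1. ingress-nginx applies rewrite-target to every path of the Ingress, so a
  #    challenge request for /.well-known/acme-challenge/<token> reaches the
  #    backend as "/" and the HTTP-01 validation fails.
  if grep -q 'nginx.ingress.kubernetes.io/rewrite-target:' "$f" \
     && grep -q 'acme-challenge' "$f"; then
    echo "WARN: rewrite-target annotation also rewrites the ACME challenge path"
  fi
  # 2. Without a tls: section the host is served over plain HTTP only.
  if ! grep -q '^ *tls:' "$f"; then
    echo "WARN: no tls: section, host is served over plain HTTP only"
  fi
  # 3. Without the issuer annotation nothing issues or renews the certificate.
  if ! grep -q 'cert-manager.io/cluster-issuer:' "$f"; then
    echo "WARN: no cert-manager.io/cluster-issuer annotation, no automatic issuance"
  fi
  return 0
}

# count_findings FILE -> prints the number of WARN lines (0 when clean)
count_findings() {
  lint_ingress "$1" | grep -c '^WARN' || true
}

# Constructed samples: the question's Ingress (challenge path only) and the
# answer's updated Ingress, written to temp files for the lint to read.
write_samples() {
  BROKEN=$(mktemp)
  FIXED=$(mktemp)
  cat >"$BROKEN" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exampleapp
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
    - host: staging.example.com
      http:
        paths:
          - path: /.well-known/acme-challenge
            pathType: Prefix
            backend:
              service:
                name: certbot
                port:
                  number: 80
EOF
  cat >"$FIXED" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exampleapp
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
    - host: staging.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: appfrontend
                port:
                  number: 80
  tls:
    - hosts:
        - staging.example.com
      secretName: staging-tls
EOF
}

write_samples
echo "== question's manifest =="
lint_ingress "$BROKEN"
echo "findings: $(count_findings "$BROKEN")"
echo "== answer's manifest =="
lint_ingress "$FIXED"
echo "findings: $(count_findings "$FIXED")"
```

Run it as `sh lint.sh`; the question's manifest produces three findings and the answer's produces none. The third check is deliberately about the annotation, not about whether the `staging-tls` secret exists: cert-manager creates that secret after the Certificate it generates from the annotation becomes Ready, so the annotation is what to verify in the manifest, and `kubectl get certificate -n default` is where to look afterwards.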
