Adding an SSL certificate to a Helm chart

Problem description

I added an SSL cert secret in Rancher and configured the ingress file in the Helm chart as follows:

{{- $fullName := include "api-chart.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
{{- $apiIngressPath := .Values.ingress.apiPath -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    app.kubernetes.io/name: {{ include "api-chart.name" . }}
    helm.sh/chart: {{ include "api-chart.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  annotations:
    kubernetes.io/ingress.class: nginx
{{- with .Values.ingress.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
spec:
  tls:
    - hosts:
        - {{ .Values.ingress.host }}
      secretName: {{ .Values.ssl.certSecretName }}
  rules:
    - host: {{ .Values.ingress.host }}
      http:
        paths:
          - path: {{ $ingressPath }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: 80
          - path: {{ $apiIngressPath }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: 8080

However, I still receive the default fake Nginx certificate when accessing the https site. Does the Nginx server also need to be changed? It would seem odd to have to add the certificate information in two places. If not, what else could be wrong?

kubectl describe ingress gives the following response:

Name:             my-test-install-app72-project-jupyter-labs
Namespace:        default
Address:          10.240.0.4
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                                    Path  Backends
  ----                                    ----  --------
  project-jupyter-labs-2.company.com  
                                          /test72-new-user   my-test-install-app72-project-jupyter-labs:80 (10.244.4.20:8888)
                                          /base-url          my-test-install-app72-project-jupyter-labs:8080 (10.244.4.20:8080)
Annotations:
  field.cattle.io/publicEndpoints:              [{"addresses":["10.240.0.4"],
                                                  "port":80,
                                                  "protocol":"HTTP",
                                                  "serviceName":"default:my-test-install-app72-project-jupyter-labs",
                                                  "ingressName":"default:my-test-install-app72-project-jupyter-labs",
                                                  "hostname":"project-jupyter-labs-2.company.com",
                                                  "path":"/test72-new-user",
                                                  "allNodes":false},
                                                 {"addresses":["10.240.0.4"],
                                                  "port":80,
                                                  "protocol":"HTTP",
                                                  "serviceName":"default:my-test-install-app72-project-jupyter-labs",
                                                  "ingressName":"default:my-test-install-app72-project-jupyter-labs",
                                                  "hostname":"project-jupyter-labs-2.company.com",
                                                  "path":"/base-url",
                                                  "allNodes":false}]
  kubernetes.io/ingress.class:                  nginx
  meta.helm.sh/release-name:                    my-test-install-app72
  meta.helm.sh/release-namespace:               default
  nginx.ingress.kubernetes.io/proxy-body-size:  2G
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  CREATE  81s                nginx-ingress-controller  Ingress default/my-test-install-app72-project-jupyter-labs
  Normal  CREATE  81s                nginx-ingress-controller  Ingress default/my-test-install-app72-project-jupyter-labs
  Normal  UPDATE  23s (x2 over 23s)  nginx-ingress-controller  Ingress default/my-test-install-app72-project-jupyter-labs
  Normal  UPDATE  23s (x2 over 23s)  nginx-ingress-controller  Ingress default/my-test-install-app72-project-jupyter-labs

Update: I am unable to access the error log. It seems you need to exec into the container as root to see it. However, I did find that the server section of the nginx.conf file contains the following:

ssl_certificate_by_lua_block {
    certificate.call()
}

If I change this to ssl_certificate and ssl_certificate_key paths pointing at certificate and key files that I added to the container manually, then it works. Does the ssl_certificate_by_lua_block above look normal given the ingress.yaml file? If so, what else is wrong? If not, what could be preventing it from being configured?

Applying the following patch seems to allow the correct SSL certificate to be made available for https:

kubectl patch ingress <app-instance-name> -p '{"spec":{"tls":[{"hosts":["project-jupyter-labs-2.company.com"], "secretName": "tls-secret-name"}]}}'

Why this solves the problem is still unclear to me. I would appreciate any possible explanations.

Tags: ssl, nginx, kubernetes, tls1.2

Solution


Applying the following patch seems to allow the correct SSL certificate to be made available for https:

kubectl patch ingress <app-instance-name>  -p '{"spec":{"tls":[{"hosts":["project-jupyter-labs-2.company.com"], "secretName": "tls-secret-name"}]}}'

Why this solves the problem is still unclear to me. I would appreciate any possible explanations.

It's nearly impossible to deduce it without having a minimal reproducible example from you. Have a look at how a minimal reproducible example should look.

We know nothing about your resulting Ingress manifest file (generated by helm), the Ingress Controller version and its configuration (including the way it was installed), or the underlying Kubernetes environment.

Just a few hints:

Please remember that Ingress/Secret resources are namespaced objects, so in your case the Ingress should reference a secret from the same namespace. How exactly do you create the TLS secret?

I can assure you that your case can be reproduced in a healthy Ingress Controller setup, and whenever I create a secret referenced by an Ingress in the right namespace, it's automatically detected by the controller, added to a local store, and dynamic reconfiguration takes place.

Lastly, I think your issue is more suitable to be reported directly to the Nginx Ingress Controller GitHub project: https://github.com/kubernetes/ingress-nginx/issues/new
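A check a practitioner would run on the situation in this thread, written as an added example (not code from the question or the answers): it validates a rendered Ingress, in the JSON shape that `kubectl get ingress -o json` returns, against the Secrets present in its namespace, covering the namespace hint from the answer and the patch from the question. The input is constructed and hypothetical: it assumes the rendered `secretName` came out empty, and the object names and secret contents are made up for illustration.

```python
import json

TLS_TYPE = "kubernetes.io/tls"

def check_ingress_tls(ingress: dict, secrets: list) -> list:
    """List reasons the controller would serve its default (fake) cert."""
    findings = []
    ns = ingress["metadata"].get("namespace", "default")
    # Secrets are namespaced: only those in the Ingress's own namespace count.
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace", "default") == ns}
    spec = ingress.get("spec", {})
    covered = set()  # hosts that resolve to a usable TLS secret
    for i, tls in enumerate(spec.get("tls") or []):
        name = tls.get("secretName")
        if not name:  # e.g. the chart value behind secretName was never set
            findings.append(f"tls[{i}]: secretName is empty")
            continue
        secret = by_name.get(name)
        if secret is None:
            findings.append(f"tls[{i}]: secret '{name}' not found in namespace '{ns}'")
            continue
        if secret.get("type") != TLS_TYPE:
            findings.append(f"tls[{i}]: secret '{name}' has type '{secret.get('type')}'")
        missing = [k for k in ("tls.crt", "tls.key") if k not in (secret.get("data") or {})]
        if missing:
            findings.append(f"tls[{i}]: secret '{name}' lacks {missing}")
        covered.update(tls.get("hosts") or [])
    # A rule host with no TLS entry is served with the default certificate too.
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and host not in covered:
            findings.append(f"rule host '{host}' has no matching tls entry")
    return findings

def apply_tls_patch(ingress: dict, patch_json: str) -> dict:
    """Mimic the question's kubectl patch: spec.tls is replaced wholesale."""
    patched = json.loads(json.dumps(ingress))  # deep copy, leave input intact
    patched["spec"]["tls"] = json.loads(patch_json)["spec"]["tls"]
    return patched

# Constructed (hypothetical) sample: empty secretName, but a valid secret exists.
HOST = "project-jupyter-labs-2.company.com"
INGRESS = {"metadata": {"name": "my-test-install-app72-project-jupyter-labs",
                        "namespace": "default"},
           "spec": {"tls": [{"hosts": [HOST], "secretName": ""}],
                    "rules": [{"host": HOST, "http": {"paths": []}}]}}
SECRETS = [{"metadata": {"name": "tls-secret-name", "namespace": "default"},
            "type": TLS_TYPE, "data": {"tls.crt": "<b64>", "tls.key": "<b64>"}}]
PATCH = json.dumps({"spec": {"tls": [{"hosts": [HOST], "secretName": "tls-secret-name"}]}})
```

Confirm the served certificate independently with `openssl s_client -servername <host> -connect <host>:443`, since the controller picks the certificate by SNI and falls back to its default one when no TLS entry matches the name.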
