kubernetes - ClusterIssuer with a Cloudflare-based DNS solver
Problem description
I am trying to install a cert-manager ClusterIssuer on AKS and, because the cluster sits behind an Azure Application Gateway, I have gone down the route of using a DNS solver instead of HTTP. However, the challenge fails with an error calling the Cloudflare API. I have edited the email and domain out of the code snippets; the output of kubectl describe challenge rabt-cert-tls-g4mcl-1991965707-2468967546 is:
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       72s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  3s (x5 over 71s)  cert-manager  Error presenting challenge: Cloudflare API Error for GET "/zones?name=<domain>"
  Error: 6003: Invalid request headers<- 6103: Invalid format for X-Auth-Key header
I followed the guide at https://blog.darkedges.com/2020/05/04/cert-manager-kubernetes-cloudflare-dns-update/ and the issues at https://github.com/jetstack/cert-manager/issues/3021 and https://github.com/jetstack/cert-manager/issues/2384, but I cannot see any difference apart from the issuer's apiVersion. I have checked this against the official documentation, and nothing in those guides has changed.
The relationship between the Ingress and the ClusterIssuer seems fine; if I delete and recreate the Ingress, a new Certificate, Order and Challenge are created. I have verified that the secret is populated and can print it to the console, so a blank string should not be being sent in the header. The token is valid; I can check its validity with the sample curl request from Cloudflare.
Is there anywhere I can see logs and find out exactly what is being sent?
ClusterIssuer
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: ${CLOUDFLARE_API_TOKEN}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: rabt-letsencrypt
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email>
    # ACME server URL for Let's Encrypt's staging environment.
    # The staging environment will not issue trusted certificates but is
    # used to ensure that the verification process is working properly
    # before moving to production
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: rabt-letsencrypt-key
    # DNS-01 challenge solver: ownership of the domain is proven by
    # publishing a TXT record through the Cloudflare API
    solvers:
    - dns01:
        cloudflare:
          email: <email>
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-key
Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rabt-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/backend-protocol: https
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: rabt-letsencrypt
    cert-manager.io/acme-challenge-type: dns01
    appgw.ingress.kubernetes.io/backend-path-prefix: "/"
spec:
  tls:
  - hosts:
    - "*.rabt.<domain>"
    secretName: rabt-cert-tls
  rules:
  - host: "mq.rabt.<domain>"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: rabt-mq
            port:
              number: 15672
  - host: es.rabt.<domain>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: rabt-db-es-http
            port:
              number: 9200
  - host: "kibana.rabt.<domain>"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: rabt-kb-http
            port:
              number: 5601
Solution
As Harsh Manvar guessed, it was a problem with the secret. I was not running the command through envsubst before kubectl apply, so it encoded the literal string "${CLOUDFLARE_API_TOKEN}".
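The failure mode in the answer above, an unrendered ${CLOUDFLARE_API_TOKEN} placeholder stored as the token, is easy to catch before and after kubectl apply. The following is an added example, not code from the original post or from cert-manager: it checks a manifest for leftover ${...} placeholders, renders the one expected variable (a sed stand-in for envsubst so it runs without gettext), and checks that a Secret value decoded from base64 is not itself a placeholder. The manifest is a constructed copy of the question's Secret, the token value is made up, and no cluster is contacted; on a real cluster the base64 string would come from kubectl -n cert-manager get secret cloudflare-api-token-secret -o jsonpath='{.data.api-token}'.

```shell
#!/bin/sh
# Added example (not from the original post): catch an unrendered
# ${CLOUDFLARE_API_TOKEN} placeholder before it reaches the cluster, and
# detect it afterwards from the Secret's base64 data. Assumes a manifest
# that uses ${VAR} placeholders, as the question's Secret does.

# Constructed sample input: a copy of the question's Secret manifest.
secret_template() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: ${CLOUDFLARE_API_TOKEN}
EOF
}

# Stand-in for `envsubst '$CLOUDFLARE_API_TOKEN' < in > out`: substitute
# exactly that one variable. $1 = template file, $2 = rendered output file.
# (A token containing '|' or '&' would need escaping for sed.)
render_manifest() {
    sed "s|[$]{CLOUDFLARE_API_TOKEN}|${CLOUDFLARE_API_TOKEN}|g" "$1" > "$2"
}

# Succeed only if the file has no leftover ${...} placeholder; list any found.
# Run this on the rendered file before `kubectl apply -f`.
manifest_has_no_placeholders() {
    if grep -n '[$]{[A-Za-z_][A-Za-z0-9_]*}' "$1"; then
        echo "unrendered placeholders in $1 (pipe it through envsubst first)" >&2
        return 1
    fi
}

# Secret .data values are base64; decode the way `kubectl get secret
# ... -o jsonpath='{.data.api-token}' | base64 -d` would.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Succeed only if the decoded token is non-empty and is not a literal
# placeholder, the value that produced "Invalid format for X-Auth-Key header".
token_is_rendered() {
    case "$1" in
        '' | *'${'*'}'*) return 1 ;;
    esac
}

# Stand-alone demo: the raw template fails the check, the rendered copy passes.
tmpl=$(mktemp); out=$(mktemp)
secret_template > "$tmpl"
if manifest_has_no_placeholders "$tmpl"; then
    echo "template unexpectedly clean"
else
    echo "template still has placeholders, as expected"
fi
export CLOUDFLARE_API_TOKEN='example-token-value'   # made-up value
render_manifest "$tmpl" "$out"
if manifest_has_no_placeholders "$out"; then
    echo "rendered manifest is clean; safe to kubectl apply -f"
fi
rm -f "$tmpl" "$out"
```

The post-apply check is the one the question asks for: decoding the stored Secret value shows exactly what cert-manager will put in the header, and a value that still reads ${CLOUDFLARE_API_TOKEN} explains the 6103 error without any further logging.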