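ssl - Can't create an issuer with cert-manager in k3s
Problem description
I want to create an issuer on my Kubernetes cluster.
I followed the guide at https://cert-manager.io/docs/installation/kubernetes/ and installed cert-manager with helm.
After checking, it seems to work fine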
% kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7998c69865-754mr              1/1     Running   6          2d21h
cert-manager-webhook-7d6d4c78bc-97g2g      1/1     Running   3          2d21h
cert-manager-cainjector-7b744d56fb-bvwjd   1/1     Running   8          2d21h
But when I test it with the issuer mentioned in the guide, it fails
test-resources.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
Spec:
  Dns Names:
    example.com
  Issuer Ref:
    Name:       test-selfsigned
  Secret Name:  selfsigned-cert-tls
Status:
  Conditions:
    Last Transition Time:  2021-04-22T12:03:25Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2021-07-21T12:03:25Z
  Not Before:              2021-04-22T12:03:25Z
  Renewal Time:            2021-06-21T12:03:25Z
  Revision:                1
Events:
  Type    Reason     Age  From          Message
  ----    ------     ---- ----          -------
  Normal  Issuing    4s   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  2s   cert-manager  Stored new private key in temporary Secret resource "selfsigned-cert-z8ssc"
  Normal  Requested  2s   cert-manager  Created new CertificateRequest resource "selfsigned-cert-f9kmc"
  Normal  Issuing    1s   cert-manager  The certificate has been successfully issued
What seems to be the problem?
Normally I use the following issuers
letsencrypt-staging.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration
    email: Email
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx

letsencrypt-prod.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration
    email: email
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx