I created a TLS-enabled service following this article, using AWS PCA and cert-manager:
After deploying a demo application with an ingress, I tested access from the control node:
$ curl https://demo.my-org.com --cacert cacert.pem
收到訊息
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
cacert.pem was downloaded from the certificate body of the AWS PCA. The AWSPCAClusterIssuer and the Certificate look fine in K8s. Describing the certificate gives these events:
$ kubectl describe certificate rsa-cert-2048 -n acm-pca-lab-demo
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 47m cert-manager Existing issued Secret is not up to date for spec: [spec.commonName spec.dnsNames]
Normal Reused 47m cert-manager Reusing private key stored in existing Secret resource "rsa-example-cert-2048"
Normal Requested 47m cert-manager Created new CertificateRequest resource "rsa-cert-2048-pp4c4"
Normal Issuing 47m cert-manager The certificate has been successfully issued
If I access it from a browser I get a 502 error. The certificate page shows a fake certificate with one alt DNS name.

I confirmed that the private CA in AWS was activated successfully. Its ARN and region are set in the EKS node policy and in the AWSPCAClusterIssuer. What is wrong with the setup? How can I diagnose the problem?
Deployed resources
I checked the resources deployed in the acm-pca-lab-demo namespace.
$ kubectl get secret -n acm-pca-lab-demo
NAME TYPE DATA AGE
default-token-jmxt7 kubernetes.io/service-account-token 3 10h
rsa-example-cert-2048 kubernetes.io/tls 3 10h
$ kubectl get all -n acm-pca-lab-demo
NAME READY STATUS RESTARTS AGE
pod/hello-world-57df4c69f9-nnjrl 1/1 Running 0 10h
pod/hello-world-57df4c69f9-r8f4p 1/1 Running 0 10h
pod/hello-world-57df4c69f9-xgm6w 1/1 Running 0 10h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/hello-world ClusterIP 102.30.45.163 <none> 80/TCP 10h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/hello-world 3/3 3 3 10h
NAME DESIRED CURRENT READY AGE
replicaset.apps/hello-world-57df4c69f9 3 3 3 10h
$ kubectl get ingress -n acm-pca-lab-demo
NAME CLASS HOSTS ADDRESS PORTS AGE
acm-pca-demo-ingress <none> demo.my-org.com 11111111111111111111111111111111-2222222222222222.elb.us-east-1.amazonaws.com 80, 443 10h
In the browser I also get these messages:
The certificate is not trusted because it is self-signed.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate file
I downloaded the PCA .pem file from the AWS console here. Is this correct?

The file starts with -----BEGIN CERTIFICATE-----.
Reply from a uj5u.com forum member:
Check your ingress configuration, and share the YAML configuration you used in the application deployment if possible.
Probably no secret is attached to the ingress, because the K8s Nginx ingress controller attaches its default FAKE certificate by default instead of the certificate you generated.
For example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: acm-pca-demo-ingress
  namespace: acm-pca-lab-demo
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - www.rsa-2048.example.com
    secretName: rsa-example-cert-2048
  rules:
  - host: www.rsa-2048.example.com
    http:
      paths:
      - path: /
        pathType: Exact
        backend:
          service:
            name: hello-world
            port:
              number: 80
As shown above with rsa-example-cert-2048, make sure your secret exists in the same namespace as the ingress.
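As an added example (not code from the original post or from either project), the following script lints an Ingress for the conditions the answer describes: no spec.tls, a secretName that does not exist in the ingress's namespace, a Secret without tls.crt/tls.key, or a routed host missing from tls[].hosts, any of which makes ingress-nginx serve its default placeholder certificate. The manifests and Secret list are constructed to mirror the question's names, not fetched from a cluster.

```python
# Subject CN of the placeholder certificate ingress-nginx serves when no TLS Secret matches.
FAKE_CERT_CN = "Kubernetes Ingress Controller Fake Certificate"


def lint_ingress_tls(ingress: dict, secrets: list) -> list:
    """Return findings explaining why ingress-nginx would fall back to its default cert."""
    findings = []
    ns = ingress["metadata"].get("namespace", "default")
    spec = ingress.get("spec", {})
    tls_entries = spec.get("tls") or []
    if not tls_entries:
        return ["spec.tls is missing: ingress-nginx serves its default (fake) certificate"]
    # Index only kubernetes.io/tls Secrets by (namespace, name); other types cannot back TLS.
    tls_secrets = {
        (s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
        for s in secrets if s.get("type") == "kubernetes.io/tls"
    }
    covered = set()
    for entry in tls_entries:
        name = entry.get("secretName")
        covered |= set(entry.get("hosts") or [])
        if not name:
            findings.append("spec.tls entry has no secretName")
        elif (ns, name) not in tls_secrets:
            elsewhere = [other_ns for (other_ns, sname) in tls_secrets if sname == name]
            where = f" (exists in namespace {elsewhere[0]!r} instead)" if elsewhere else ""
            findings.append(f"Secret {name!r} not found in namespace {ns!r}{where}")
        elif not {"tls.crt", "tls.key"} <= set(tls_secrets[(ns, name)].get("data", {})):
            findings.append(f"Secret {name!r} lacks tls.crt/tls.key")
    # A rule host absent from every tls[].hosts gets the default cert for its SNI.
    for host in sorted({r["host"] for r in spec.get("rules", []) if "host" in r} - covered):
        findings.append(f"host {host!r} is routed but not listed in spec.tls[].hosts")
    return findings


def served_cert_is_default(subject_cn: str) -> bool:
    """True when the subject CN curl/the browser shows is the ingress-nginx placeholder."""
    return subject_cn == FAKE_CERT_CN


SECRETS = [  # constructed; mirrors `kubectl get secret -n acm-pca-lab-demo`
    {"metadata": {"name": "rsa-example-cert-2048", "namespace": "acm-pca-lab-demo"},
     "type": "kubernetes.io/tls",
     "data": {"tls.crt": "BASE64_PLACEHOLDER", "tls.key": "BASE64_PLACEHOLDER"}},
]
BROKEN = {"metadata": {"name": "acm-pca-demo-ingress", "namespace": "acm-pca-lab-demo"},
          "spec": {"rules": [{"host": "demo.my-org.com"}]}}  # no spec.tls at all
FIXED = {"metadata": {"name": "acm-pca-demo-ingress", "namespace": "acm-pca-lab-demo"},
         "spec": {"tls": [{"hosts": ["demo.my-org.com"], "secretName": "rsa-example-cert-2048"}],
                  "rules": [{"host": "demo.my-org.com"}]}}

if __name__ == "__main__":
    for label, ing in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_ingress_tls(ing, SECRETS) or ["ok"])
```

Feed it the output of `kubectl get ingress/secret -o json` (converted to dicts) to check a live namespace the same way.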
Source: https://www.uj5u.com/caozuo/405038.html