3

我正在尝试使用 cert-manager、istio ingress 和 LetsEncrypt 在 kubernetes 中配置 SSL 证书。我已经用 helm、cert-manager 安装了 istio,创建了 ClusterIssuer,然后我正在尝试创建一个证书。无法验证 acme 挑战,我正在尝试使用 http01 进行验证,但无法弄清楚如何为此使用 istio ingress。Istio 使用以下选项进行部署:

helm install --name istio install/kubernetes/helm/istio `
--namespace istio-system `
--set global.controlPlaneSecurityEnabled=true `
--set grafana.enabled=true`
--set tracing.enabled=true 
--set kiali.enabled=true `
--set ingress.enabled=true

证书配置:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example.com
  namespace: istio-system
spec:
  secretName: example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: 'example.com'
  dnsNames:
  - example.com
  acme:
    config:
    - http01:
        ingress: istio-ingress
      domains:
      - example.com

尝试这种方式时,由于某种原因,找不到 istio-ingress,但是当尝试指定 ingressClass: some-name,而不是 ingress: istio-ingress 时,我得到 404,因为 example.com/.well-known/无法达到 acme-challenge/token。如何解决?谢谢!

4

2 回答 2

3

Istio ingress 已被弃用,您可以将 Ingress Gateway 与 DNS 质询一起使用。

定义一个通用的公共入口网关:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

使用 cert-manager 支持的 DNS 提供商之一创建颁发者。这是 GCP CloudDNS 的配置:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    dns01:
      providers:
      - name: cloud-dns
        clouddns:
          serviceAccountSecretRef:
            name: cert-manager-credentials
            key: gcp-dns-admin.json
          project: my-gcp-project

使用以下命令创建通配符证书:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: istio-gateway
  namespace: istio-system
spec:
  secretname: istio-ingressgateway-certs
  issuerRef:
    name: letsencrypt-prod
  commonName: "*.example.com"
  acme:
    config:
    - dns01:
        provider: cloud-dns
      domains:
      - "*.example.com"
      - "example.com"

cert-manager 颁发证书需要几分钟时间:

kubectl -n istio-system describe certificate istio-gateway

Events:
  Type    Reason         Age    From          Message
  ----    ------         ----   ----          -------
  Normal  CertIssued     1m52s  cert-manager  Certificate issued successfully

您可以在此处使用 Let's Encrypt 找到有关在 GKE 上设置 Istio 入口的分步指南https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup

于 2019-03-06T14:26:59.760 回答
1

解决方案是将 DNS 移至 azure 并使用 dns 验证来生成证书。我还使用了 istio-1.1.0-rc.3 并通过以下方式配置了网关:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - hosts:
    - 'mydomain.com'
    port:
      name: http-bookinfo
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'mydomain.com'
    port:
      name: https-bookinfo
      number: 443
      protocol: HTTPS
    tls:      
      mode: SIMPLE
      serverCertificate: "use sds" #random string, because serverCertificate and 
      #privateKey are required for tls.mode=SIMPLE
      privateKey: "use sds" 
      credentialName: "istio-bookinfo-certs-staging" #this must match the secret name 
      #from the certificate
为了在入口网关启用 SDS:

helm template install/kubernetes/helm/istio/ --name istio `
--namespace istio-system -x charts/gateways/templates/deployment.yaml `
--set gateways.istio-egressgateway.enabled=false `
--set gateways.istio-ingressgateway.sds.enabled=true > `
$HOME/istio-ingressgateway.yaml

 kubectl apply -f $HOME/istio-ingressgateway.yaml

于 2019-03-13T10:07:39.747 回答