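I want to use cert-manager to order certificates in my Kubernetes cluster running Istio. Unfortunately, cert-manager does not order my certificate correctly. In the logs of my cert-manager pod, I find this message spammed over and over: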
cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="istio-system/controller-certificate-1405129842-0"
cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="istio-system/controller-certificate-1405129842-0"
cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="<somename>.westeurope.cloudapp.azure.com" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-6k5fk" "related_resource_namespace"="istio-system" "resource_kind"="Challenge" "resource_name"="controller-certificate-1405129842-0" "resource_namespace"="istio-system" "type"="http-01"
cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="<somename>.westeurope.cloudapp.azure.com" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-wkz8d" "related_resource_namespace"="istio-system" "resource_kind"="Challenge" "resource_name"="controller-certificate-1405129842-0" "resource_namespace"="istio-system" "type"="http-01"
cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="<somename>.westeurope.cloudapp.azure.com" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-8b6lf" "related_resource_namespace"="istio-system" "resource_kind"="Challenge" "resource_name"="controller-certificate-1405129842-0" "resource_namespace"="istio-system" "type"="http-01"
cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code '404', expected '200'" "dnsName"="<somename>.westeurope.cloudapp.azure.com" "resource_kind"="Challenge" "resource_name"="controller-certificate-1405129842-0" "resource_namespace"="istio-system" "type"="http-01"
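I am using Kubernetes 1.9.9 running in Azure together with Istio. I want a certificate for the istio-ingressgateway so that I can expose my services over https through the ingressgateway load balancer. I'm not sure why the 404 error code is returned, or what exactly is returning it.
I tried to follow this tutorial: https://medium.com/@gregoire.waymel/istio-cert-manager-lets-encrypt-demystified-c1cbed011d67 .
This is my gateway: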
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
  #namespace: istio-system
  labels:
    app: ingressgateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      protocol: HTTPS
      name: https-default
    tls:
      mode: SIMPLE
      serverCertificate: "sds"
      privateKey: "sds"
      credentialName: "controller-certificate"
    hosts:
    - "*"
...and, following the tutorial, this is my other gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-autogenerated-k8s-ingress
  namespace: istio-system
  labels:
    app: ingressgateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      protocol: HTTP2
      name: http
    hosts:
    - "*"
This is what my certificate looks like:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: controller-certificate
  namespace: istio-system
spec:
  secretName: controller-certificate
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: <somename>.westeurope.cloudapp.azure.com
  dnsNames:
  - <somename>.westeurope.cloudapp.azure.com
  acme:
    config:
    - http01:
        ingressClass: istio
      domains:
      - <somename>.westeurope.cloudapp.azure.com
Does anyone know what to look for in this situation, or what could be causing the 404 error code?
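
Added example, not part of the original question and not cert-manager code: a small Python parser for the `"key"="value"` log format shown above that collapses the repeated lines into one record per Challenge and lists challenges whose solver Pod, Service and Ingress were all found while the self-check still fails. The sample lines and the names `summarize` and `stuck_challenges` are constructed for illustration.

```python
import re
from collections import Counter

# cert-manager prints logr-style pairs: "key"="value" (unquoted values such as "level"=0 are skipped)
PAIR = re.compile(r'"([^"]+)"="([^"]*)"')
SOLVER_KINDS = {"Pod", "Service", "Ingress"}

# Constructed sample lines in the same format as the log in the question (all names are made up).
RES = '"resource_kind"="Challenge" "resource_name"="demo-cert-1-0" "resource_namespace"="istio-system" "type"="http-01"'
REL = '"dnsName"="demo.example.test" "related_resource_kind"="{0}" "related_resource_name"="cm-acme-http-solver-{1}" "related_resource_namespace"="istio-system"'
FAIL = 'cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code \'404\', expected \'200\'" "dnsName"="demo.example.test" ' + RES
SAMPLE_LOG = "\n".join([
    'cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="istio-system/demo-cert-1-0"',
    'cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" ' + REL.format("Pod", "aaaaa") + " " + RES,
    'cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" ' + REL.format("Service", "bbbbb") + " " + RES,
    'cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" ' + REL.format("Ingress", "ccccc") + " " + RES,
    FAIL,
    FAIL,
])

def summarize(log_text):
    """Group log lines by Challenge: solver objects found and self-check errors seen."""
    challenges = {}
    for line in log_text.splitlines():
        f = dict(PAIR.findall(line))
        if f.get("resource_kind") != "Challenge":
            continue  # e.g. "syncing item" lines only carry "key"
        key = f'{f.get("resource_namespace", "?")}/{f.get("resource_name", "?")}'
        c = challenges.setdefault(
            key, {"dnsName": f.get("dnsName"), "solver": {}, "errors": Counter()})
        if "related_resource_kind" in f:
            c["solver"][f["related_resource_kind"]] = f.get("related_resource_name")
        if "error" in f:
            c["errors"][f["error"]] += 1
    return challenges

def stuck_challenges(challenges):
    """Challenges whose solver Pod, Service and Ingress all exist but whose self-check still errors."""
    return sorted(k for k, c in challenges.items()
                  if SOLVER_KINDS <= set(c["solver"]) and c["errors"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, c in summary.items():
        print(key, c["dnsName"], c["solver"], dict(c["errors"]))
    print("stuck:", stuck_challenges(summary))
```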