0

我正在使用 AWS NLB,因此 SSL 应该发生在 argocd (1.7.8) 端。但是,我似乎什么也没做 argocd 总是使用自签名证书。

➜ curl -vvI https://argocd-dev.example.com
*   Trying 54.18.49.47:443...
* Connected to argocd-dev.example.com (54.18.49.47) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

这是我的入口

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: argocd-dev.example.com
    http:
      paths:
      - backend:
          serviceName: argocd-server
          servicePort: https

这就是我启动 argocd-server 的方式:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-server
    spec:
      containers:
      - command:
        - argocd-server
        - --staticassets
        - /shared/app
        - --loglevel 
        - debug
        - --client-certificate 
        - /var/ssl-cert/tls.crt
        - --client-key
        - /var/ssl-cert/tls.key
        image: argoproj/argocd:v1.7.8
        imagePullPolicy: Always
        name: argocd-server
        ports:
        - containerPort: 8080
        - containerPort: 8083
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /var/ssl-cert
          name: ssl-cert
          readOnly: true
      serviceAccountName: argocd-server
      volumes:
      - emptyDir: {}
        name: static-files
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - name: ssl-cert
        secret:
          secretName: tls-secret
4

2 回答 2

0

tls.crtArgo CD 在 Secret 的和tls.key密钥中需要证书和证书密钥argocd-secrethttps ://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-secret.yaml#L11

不需要重新启动 - 更新密钥后应立即使用新证书。

于 2021-01-05T00:08:27.470 回答
0

你应该看看https://argoproj.github.io/argo-cd/operator-manual/ingress/

ArgoCD 有一些不寻常的配置需要。

如果您的负载均衡器正在执行 SSL,您需要以 http(不安全)模式启动 Argo,或者您需要将您的密钥传递到 Kubernetes Ingress。

于 2020-12-23T15:18:11.803 回答