I am practicing k8s on the cert-manager topic. I carefully followed the official docs. Everything went fine until I got stuck at step 7.
$ kubectl get certificate
NAME
quickstart-example-tls
This is the first minor difference. I was supposed to have an AGE column. Anyway, it doesn't matter much.
ingress-tls.yaml with my subdomain singh.hbot.io
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
  - hosts:
    - singh.hbot.io
    secretName: quickstart-example-tls
  rules:
  - host: singh.hbot.io
    http:
      paths:
      - path: /
        backend:
          serviceName: kuard
          servicePort: 80
Then I check the certificates. I don't have annotations like the ones the docs state. There is also no tls.crt.
$ kubectl describe secret quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations: <none>
Type: kubernetes.io/tls
Data
====
ca.crt: 0 bytes
tls.crt: 0 bytes
tls.key: 1675 bytes
kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.0", GitCommit:"ddf47ac13c1a9483ea035a79cd7c10005ff21a6d", GitTreeState:"clean", BuildDate:"2018-12-03T21:04:45Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.7-gke.4", GitCommit:"618716cbb236fb7ca9cabd822b5947e298ad09f7", GitTreeState:"clean", BuildDate:"2019-02-05T19:22:29Z", GoVersion:"go1.10.7b4", Compiler:"gc", Platform:"linux/amd64"}
GKE master: 1.12.5-gke.10
Nodes: 1.12.5-gke.10
Event is <None>
$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-11T08:04:31Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 4d0a2899-43d4-11e9-b451-42010a9400f6
Resource Version: 1567493
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 4d0eb5b5-43d4-11e9-b451-42010a9400f6
Spec:
Acme:
Config:
Domains:
singh.hbot.io
Http 01:
Ingress:
Ingress Class: nginx
Dns Names:
singh.hbot.io
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-11T08:04:31Z
Message: Certificate does not exist
Reason: NotFound
Status: False
Type: Ready
Events: <none>
Update:
$ helm list
NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE
cert-manager 1 Mon Mar 11 14:42:26 2019 DEPLOYED cert-manager-v0.6.6 v0.6.2 cert-manager
quickstart 1 Mon Mar 11 14:08:00 2019 DEPLOYED nginx-ingress-1.3.1 0.22.0 default
$ kubectl get issuers
NAME AGE
letsencrypt-prod 1d
letsencrypt-staging 1d
$ kubectl describe issuers letsencrypt-staging
Name: letsencrypt-staging
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Issuer
Metadata:
Creation Timestamp: 2019-03-11T07:48:05Z
Generation: 1
Resource Version: 1557887
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-staging
UID: 0107848e-43d2-11e9-b451-42010a9400f6
Spec:
Acme:
Email: contact@hbot.io
Http 01:
Private Key Secret Ref:
Key:
Name: letsencrypt-staging
Server: https://acme-staging-v02.api.letsencrypt.org/directory
Status:
Acme:
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/8521062
Conditions:
Last Transition Time: 2019-03-11T07:48:18Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
$ kubectl describe issuers letsencrypt-prod
Name: letsencrypt-prod
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},...
API Version: certmanager.k8s.io/v1alpha1
Kind: Issuer
Metadata:
Creation Timestamp: 2019-03-11T07:48:42Z
Generation: 1
Resource Version: 1557957
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
UID: 17753451-43d2-11e9-b451-42010a9400f6
Spec:
Acme:
Email: contact@hbot.io
Http 01:
Private Key Secret Ref:
Key:
Name: letsencrypt-prod
Server: https://acme-v02.api.letsencrypt.org/directory
Status:
Acme:
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/53068205
Conditions:
Last Transition Time: 2019-03-11T07:48:44Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
$ kubectl describe po cert-manager-6d47b6c444-tl58h -n cert-manager
Name: cert-manager-6d47b6c444-tl58h
Namespace: cert-manager
Priority: 0
PriorityClassName: <none>
Node: gke-singh-default-pool-a69fa545-819z/10.148.0.49
Start Time: Mon, 11 Mar 2019 17:45:21 +0700
Labels: app=cert-manager
pod-template-hash=2803627000
release=cert-manager
Annotations: <none>
Status: Running
IP: 10.48.1.5
Controlled By: ReplicaSet/cert-manager-6d47b6c444
Containers:
cert-manager:
Container ID: docker://9487701c391f9001332e4b62f6bb620dbc8c7fe239dc1a12cb7f45706a6cb973
Image: quay.io/jetstack/cert-manager-controller:v0.6.2
Image ID: docker-pullable://quay.io/jetstack/cert-manager-controller@sha256:dab4def4ccb856dec0f62bdf96d2c3c9bbe17b8d569ef3f51c9a06b28db7a96a
Port: <none>
Host Port: <none>
Args:
--cluster-resource-namespace=$(POD_NAMESPACE)
--leader-election-namespace=$(POD_NAMESPACE)
State: Running
Started: Mon, 11 Mar 2019 17:46:16 +0700
Ready: True
Restart Count: 0
Environment:
POD_NAMESPACE: cert-manager (v1:metadata.namespace)
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from cert-manager-token-vjnsn (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
cert-manager-token-vjnsn:
Type: Secret (a volume populated by a Secret)
SecretName: cert-manager-token-vjnsn
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events: <none>
$ kubectl describe po cert-manager-webhook-84cfc4d76f-6rch9 -n cert-manager
Name: cert-manager-webhook-84cfc4d76f-6rch9
Namespace: cert-manager
Priority: 0
PriorityClassName: <none>
Node: gke-singh-default-pool-a69fa545-819z/10.148.0.49
Start Time: Mon, 11 Mar 2019 17:45:21 +0700
Labels: app=webhook
pod-template-hash=4079708329
release=cert-manager
Annotations: <none>
Status: Running
IP: 10.48.1.3
Controlled By: ReplicaSet/cert-manager-webhook-84cfc4d76f
Containers:
webhook:
Container ID: docker://6549dc2d948c38377d4f8b145dc654653ce6d54453cb262c3d3e5c3fc1761e02
Image: quay.io/jetstack/cert-manager-webhook:v0.6.2
Image ID: docker-pullable://quay.io/jetstack/cert-manager-webhook@sha256:1636a0e7acbf18b9ea30712209517159b660355a3777db506d7609188945a999
Port: <none>
Host Port: <none>
Args:
--v=12
--secure-port=6443
--tls-cert-file=/certs/tls.crt
--tls-private-key-file=/certs/tls.key
--disable-admission-plugins=NamespaceLifecycle,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Initializers
State: Running
Started: Mon, 11 Mar 2019 17:45:46 +0700
Ready: True
Restart Count: 0
Environment:
POD_NAMESPACE: cert-manager (v1:metadata.namespace)
Mounts:
/certs from certs (rw)
/var/run/secrets/kubernetes.io/serviceaccount from cert-manager-webhook-token-wkr7f (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
certs:
Type: Secret (a volume populated by a Secret)
SecretName: cert-manager-webhook-webhook-tls
Optional: false
cert-manager-webhook-token-wkr7f:
Type: Secret (a volume populated by a Secret)
SecretName: cert-manager-webhook-token-wkr7f
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events: <none>
Question:
Where am I wrong?
Is the official doc outdated?