
cert-manager tls.crt and ca.crt 0 bytes

I am practising k8s, on the cert-manager topic. I followed the official docs carefully. Everything went fine until I got stuck at step 7.

$ kubectl get certificate
NAME
quickstart-example-tls

This is the first minor difference. I should have had an AGE column. In any case, it doesn't matter much.

ingress-tls.yaml with my subdomain singh.hbot.io

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01

spec:
  tls:
  - hosts:
    - singh.hbot.io
    secretName: quickstart-example-tls
  rules:
  - host: singh.hbot.io
    http:
      paths:
      - path: /
        backend:
          serviceName: kuard
          servicePort: 80

Then I check the certificates. I don't have annotations like the doc claims. And there is no tls.crt either.

$ kubectl describe secret quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1675 bytes

kubectl version

Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.0", GitCommit:"ddf47ac13c1a9483ea035a79cd7c10005ff21a6d", GitTreeState:"clean", BuildDate:"2018-12-03T21:04:45Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.7-gke.4", GitCommit:"618716cbb236fb7ca9cabd822b5947e298ad09f7", GitTreeState:"clean", BuildDate:"2019-02-05T19:22:29Z", GoVersion:"go1.10.7b4", Compiler:"gc", Platform:"linux/amd64"}

GKE master: 1.12.5-gke.10, nodes: 1.12.5-gke.10

Event <None>

$ kubectl describe certificate quickstart-example-tls
Name:         quickstart-example-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-03-11T08:04:31Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  kuard
    UID:                   4d0a2899-43d4-11e9-b451-42010a9400f6
  Resource Version:        1567493
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
  UID:                     4d0eb5b5-43d4-11e9-b451-42010a9400f6
Spec:
  Acme:
    Config:
      Domains:
        singh.hbot.io
      Http 01:
        Ingress:
        Ingress Class:  nginx
  Dns Names:
    singh.hbot.io
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt-staging
  Secret Name:  quickstart-example-tls
Status:
  Conditions:
    Last Transition Time:  2019-03-11T08:04:31Z
    Message:               Certificate does not exist
    Reason:                NotFound
    Status:                False
    Type:                  Ready
Events:                    <none>

Update:

$ helm list
NAME            REVISION    UPDATED                     STATUS      CHART               APP VERSION NAMESPACE
cert-manager    1           Mon Mar 11 14:42:26 2019    DEPLOYED    cert-manager-v0.6.6 v0.6.2      cert-manager
quickstart      1           Mon Mar 11 14:08:00 2019    DEPLOYED    nginx-ingress-1.3.1 0.22.0      default

$ kubectl get issuers
NAME                  AGE
letsencrypt-prod      1d
letsencrypt-staging   1d

$ kubectl describe issuers letsencrypt-staging
Name:         letsencrypt-staging
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-03-11T07:48:05Z
  Generation:          1
  Resource Version:    1557887
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-staging
  UID:                 0107848e-43d2-11e9-b451-42010a9400f6
Spec:
  Acme:
    Email:  contact@hbot.io
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-staging-v02.api.letsencrypt.org/acme/acct/8521062
  Conditions:
    Last Transition Time:  2019-03-11T07:48:18Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

$ kubectl describe issuers letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-03-11T07:48:42Z
  Generation:          1
  Resource Version:    1557957
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
  UID:                 17753451-43d2-11e9-b451-42010a9400f6
Spec:
  Acme:
    Email:  contact@hbot.io
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/53068205
  Conditions:
    Last Transition Time:  2019-03-11T07:48:44Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

$ kubectl describe po cert-manager-6d47b6c444-tl58h -n cert-manager
Name:               cert-manager-6d47b6c444-tl58h
Namespace:          cert-manager
Priority:           0
PriorityClassName:  <none>
Node:               gke-singh-default-pool-a69fa545-819z/10.148.0.49
Start Time:         Mon, 11 Mar 2019 17:45:21 +0700
Labels:             app=cert-manager
                    pod-template-hash=2803627000
                    release=cert-manager
Annotations:        <none>
Status:             Running
IP:                 10.48.1.5
Controlled By:      ReplicaSet/cert-manager-6d47b6c444
Containers:
  cert-manager:
    Container ID:  docker://9487701c391f9001332e4b62f6bb620dbc8c7fe239dc1a12cb7f45706a6cb973
    Image:         quay.io/jetstack/cert-manager-controller:v0.6.2
    Image ID:      docker-pullable://quay.io/jetstack/cert-manager-controller@sha256:dab4def4ccb856dec0f62bdf96d2c3c9bbe17b8d569ef3f51c9a06b28db7a96a
    Port:          <none>
    Host Port:     <none>
    Args:
      --cluster-resource-namespace=$(POD_NAMESPACE)
      --leader-election-namespace=$(POD_NAMESPACE)
    State:          Running
      Started:      Mon, 11 Mar 2019 17:46:16 +0700
    Ready:          True
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  cert-manager (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from cert-manager-token-vjnsn (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  cert-manager-token-vjnsn:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cert-manager-token-vjnsn
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>

$ kubectl describe po cert-manager-webhook-84cfc4d76f-6rch9 -n cert-manager
Name:               cert-manager-webhook-84cfc4d76f-6rch9
Namespace:          cert-manager
Priority:           0
PriorityClassName:  <none>
Node:               gke-singh-default-pool-a69fa545-819z/10.148.0.49
Start Time:         Mon, 11 Mar 2019 17:45:21 +0700
Labels:             app=webhook
                    pod-template-hash=4079708329
                    release=cert-manager
Annotations:        <none>
Status:             Running
IP:                 10.48.1.3
Controlled By:      ReplicaSet/cert-manager-webhook-84cfc4d76f
Containers:
  webhook:
    Container ID:  docker://6549dc2d948c38377d4f8b145dc654653ce6d54453cb262c3d3e5c3fc1761e02
    Image:         quay.io/jetstack/cert-manager-webhook:v0.6.2
    Image ID:      docker-pullable://quay.io/jetstack/cert-manager-webhook@sha256:1636a0e7acbf18b9ea30712209517159b660355a3777db506d7609188945a999
    Port:          <none>
    Host Port:     <none>
    Args:
      --v=12
      --secure-port=6443
      --tls-cert-file=/certs/tls.crt
      --tls-private-key-file=/certs/tls.key
      --disable-admission-plugins=NamespaceLifecycle,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Initializers
    State:          Running
      Started:      Mon, 11 Mar 2019 17:45:46 +0700
    Ready:          True
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  cert-manager (v1:metadata.namespace)
    Mounts:
      /certs from certs (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from cert-manager-webhook-token-wkr7f (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cert-manager-webhook-webhook-tls
    Optional:    false
  cert-manager-webhook-token-wkr7f:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cert-manager-webhook-token-wkr7f
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>

Question:

  1. Where am I wrong?

  2. Is the official document outdated?
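One way to read the Secret and Certificate state shown above programmatically, as an added example that is not from the question or from cert-manager itself; it assumes the JSON shape returned by `kubectl get secret/certificate -o json` and uses constructed, non-functional PEM blobs as sample input:

```python
import base64

def pem_blob(label, body):
    """Build a constructed PEM blob (not a real key or cert) for sample input."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

def make_tls_secret(tls_crt, tls_key, ca_crt=b""):
    """Build a kubernetes.io/tls Secret dict as `kubectl get secret -o json`
    would return it, with base64-encoded data values."""
    return {"type": "kubernetes.io/tls", "data": {
        "ca.crt": base64.b64encode(ca_crt).decode(),
        "tls.crt": base64.b64encode(tls_crt).decode(),
        "tls.key": base64.b64encode(tls_key).decode()}}

# Constructed sample mirroring the question: a private key is present,
# tls.crt and ca.crt are empty, and the Certificate reports Ready=False
# with reason NotFound.
SECRET_PENDING = make_tls_secret(b"", pem_blob("RSA PRIVATE KEY", "AAAA"))
CERT_PENDING = {"status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "NotFound",
     "message": "Certificate does not exist"}]}}

def secret_fields(secret):
    """Decode a Secret's base64 data map into {key: bytes}."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}

def ready_condition(cert):
    """Return the Ready condition of a cert-manager Certificate, or {}."""
    for c in cert.get("status", {}).get("conditions", []):
        if c.get("type") == "Ready":
            return c
    return {}

def diagnose(secret, cert):
    """Classify a Secret/Certificate pair into an operator-facing state."""
    fields = secret_fields(secret)
    has_key = fields.get("tls.key", b"").startswith(b"-----BEGIN")
    has_crt = fields.get("tls.crt", b"").startswith(b"-----BEGIN")
    cond = ready_condition(cert)
    if has_crt and cond.get("status") == "True":
        return "issued"
    if has_crt:
        return "stale: certificate present but Ready=%s" % cond.get("status", "?")
    if has_key:
        # The state in the question: cert-manager generated the private key,
        # but no certificate has been written into the Secret yet.
        return "pending: key present, no certificate (%s: %s)" % (
            cond.get("reason", "?"), cond.get("message", "?"))
    return "empty: no key and no certificate"

if __name__ == "__main__":
    print(diagnose(SECRET_PENDING, CERT_PENDING))
```

A "pending" result means the Secret is not yet usable for TLS; the Ingress will not serve the expected certificate until the Certificate's Ready condition turns True.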