使用cert-manager istio ingress和LetsEncrypt在kubernetes中配置SSL证书

作者: 敢嫁就敢娶
发布时间: 2024-04-12 04:18:51 (3月前)
转自：

3 条回复

0#
回复此人
谦成 | 2019-08-31 10-32

<div class =“post-text”itemprop =“text”> <P> Istio ingress已被弃用，您可以将Ingress Gateway与DNS挑战一起使用。 </p> <P> 定义通用公共入口网关： </p> <pre> <code> apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: public-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 80 name: http protocol: HTTP hosts: - "*" tls: httpsRedirect: true - port: number: 443 name: https protocol: HTTPS hosts: - "*" tls: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt </code> </pre> <P> 使用cert-manager支持的DNS提供程序之一创建颁发者。以下是GCP CloudDNS的配置： </p> <pre> <code> apiVersion: certmanager.k8s.io/v1alpha1 kind: Issuer metadata: name: letsencrypt-prod namespace: istio-system spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: email@example.com privateKeySecretRef: name: letsencrypt-prod dns01: providers: - name: cloud-dns clouddns: serviceAccountSecretRef: name: cert-manager-credentials key: gcp-dns-admin.json project: my-gcp-project </code> </pre> <P> 使用以下命令创建通配符证书： </p> <pre> <code> apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata: name: istio-gateway namespace: istio-system spec: secretname: istio-ingressgateway-certs issuerRef: name: letsencrypt-prod commonName: "*.example.com" acme: config: - dns01: provider: cloud-dns domains: - "*.example.com" - "example.com" </code> </pre> <P> 颁发证书需要几分钟时间才能颁发证书： </p> <pre> <code> kubectl -n istio-system describe certificate istio-gateway Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal CertIssued 1m52s cert-manager Certificate issued successfully </code> </pre> <P> 您可以在此处找到有关在GKE上使用Let的加密设置Istio ingress的分步指南 <a href="https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup" rel="nofollow noreferrer"> https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup </A> </p> </DIV>

编辑
1#
回复此人
别烦我 | 2019-08-31 10-32

<div class =“post-text”itemprop =“text”> <P> 解决方案是将DNS移至azure并使用dns验证生成证书。我还使用了istio-1.1.0-rc.3并按以下方式配置了网关： </p> <P> </p> <div class =“snippet”data-lang =“js”data-hide =“false”data-console =“true”data-babel =“false”> <div class =“snippet-code”> <pre class="snippet-code-html lang-html prettyprint-override"> <code> apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: mygateway spec: selector: istio: ingressgateway # use istio default ingress gateway servers: - hosts: - 'mydomain.com' port: name: http-bookinfo number: 80 protocol: HTTP tls: httpsRedirect: true - hosts: - 'mydomain.com' port: name: https-bookinfo number: 443 protocol: HTTPS tls: mode: SIMPLE serverCertificate: "use sds" #random string, because serverCertificate and #privateKey are required for tls.mode=SIMPLE privateKey: "use sds" credentialName: "istio-bookinfo-certs-staging" #this must match the secret name #from the certificate </code> </pre> </DIV> </DIV> 为了在入口网关上启用SDS： <P> </p> <P> </p> <div class =“snippet”data-lang =“js”data-hide =“false”data-console =“true”data-babel =“false”> <div class =“snippet-code”> <pre class="snippet-code-html lang-html prettyprint-override"> <code> helm template install/kubernetes/helm/istio/ --name istio ` --namespace istio-system -x charts/gateways/templates/deployment.yaml ` --set gateways.istio-egressgateway.enabled=false ` --set gateways.istio-ingressgateway.sds.enabled=true > ` $HOME/istio-ingressgateway.yaml kubectl apply -f $HOME/istio-ingressgateway.yaml </code> </pre> </DIV> </DIV> <P> </p> </DIV>

编辑

登录后才能参与评论