Kubernetes Nginx Ingress 和 cert-manager 正在等待 HTTP-01 挑战传播：错误状态代码“401”，预期“200”

我在使用 rapberry pi kubernetes 时遇到了问题

问题：

由于在裸机 kubernetes 安装上出现 401 错误代码，因此我需要等待 cert-manager letsencrypt ACME 挑战。

设置

平台：Raspberry Pi 4

操作系统：Ubuntu Server 20.04.3 LTS 64 位

入口：Nginx

负载均衡器：Metallb

网络：Calico

我使用以下方式通过 helm 安装了 metallb 和 nginx：

helm install metallb metallb/metallb --namespace kube-system\
    --set configInline.address-pools[0].name=default\
    --set configInline.address-pools[0].protocol=layer2\
    --set configInline.address-pools[0].addresses[0]=<ip-range>

和

helm install ingress-nginx ingress-nginx/ingress-nginx --namespace kube-system

我的 letsencrypt 看起来像这样：

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: <email redacted>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

我的 nginx ingress 设置如下：

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: "nextcloud" # Same namespace as the deployment
  name: "nextcloud-ingress" # Name of the ingress (see kubectl get ingress -A)
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # Encrypt using the ClusterIssuer deployed while setting up Cert-Manager
    nginx.ingress.kubernetes.io/proxy-body-size:  "125m" # Increase the size of the maximum allowed size of the client request body
spec:
  tls:
  - hosts:
    - "nextcloud.<domain redacted>" # Host to access nextcloud
    secretName: "nextcloud-prod-tls" # Name of the certificate (see kubectl get certificate -A)
  rules:
  - host: "nextcloud.<domain redacted>" # Host to access nextcloud
    http:
      paths:
        - path: /  # We will access NextCloud via the URL https://nextcloud.<domain.com>/
          pathType: Prefix
          backend:
            service: 
              name: "nextcloud-server" # Mapping to the service (see kubectl get services -n nextcloud)
              port: 
                number: 80 # Mapping to the port (see kubectl get services -n nextcloud)
---

调试

当我查看入口控制器日志（不同的命名空间）时，我看到：

Service "nextcloud/cm-acme-http-solver-9tccf" does not have any active Endpoint.

但是当我执行 kubectl get endpoints -A 时，端点似乎存在

我的证书存在如下：

kubectl get certificate -n nextcloud
NAME                 READY   SECRET               AGE
nextcloud-prod-tls   False   nextcloud-prod-tls   3h58m

按照证书管理器推荐的调试步骤，我追踪了问题并遇到了以下挑战：

Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: wrong status code '401', expected '200'
  State:       pending
Events:        <none>

我有点不知所措，我一直在谷歌上搜索，但似乎没有太多相关信息。我猜我把设置搞砸了，但我主要还是按照相关页面上的文档操作。任何指点都将不胜感激 :)。如果您需要任何其他信息，请告诉我，目前这篇文章很长，所以我试图将我认为的问题点包括进去。