Kubernetes cluster cert-manager in CrashLoopBackOff state

I have a Kubernetes cluster running on a Raspberry Pi, with a simple server running on it. It is a small project I use to learn Kubernetes.

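Coming back to the project, I realised it was no longer responding. I think this is because the HTTPS certificate needs renewing. But I don't know how to renew the certificate when the pods aren't running.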

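I thought it would just be a case of re-applying the cluster issuer, but that evidently doesn't work if some of the pods are not running/created.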

Trying to apply cluster-issuer.yml gives me-

Error from server (InternalError): error when creating "cluster-issuer.yml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.100.140.135:443: connect: connection refused

I can also see this when getting the cert-manager pods-

cert-manager   cert-manager-7fb78674d7-tnjf9              1/1     Running            4 (21h ago)       25h
cert-manager   cert-manager-cainjector-5dfc946d84-7wxrl   0/1     Error              271 (5m51s ago)   25h
cert-manager   cert-manager-webhook-8744b7588-zvmps       0/1     CrashLoopBackOff   270 (107s ago)    25h

Output of kubectl logs cert-manager-cainjector-5dfc946d84-7wxrl -n cert-manager-

Error: error creating manager: Get "https://10.96.0.1:443/api?timeout=32s": dial tcp 10.96.0.1:443: i/o timeout

server-deployment.yml-

apiVersion: apps/v1
kind: Deployment
metadata:
  name: server-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      component: server
  template:
    metadata:
      labels:
        component: server
    spec:
      containers:
        - name: server
          image: spoonobi/multi-server-arm
          ports:
            - containerPort: 8888

server-cluster-ip-service.yml-

apiVersion: v1
kind: Service
metadata:
  name: server-cluster-ip-service
spec:
  type: ClusterIP
  selector:
    component: server
  ports:
    - port: 8888
      targetPort: 8888

ingress-service.yml-

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: letsencrypt-prod # tell ingress to use https
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' # redirect from http to https
spec:
  tls:
    - hosts:
        - ecmatrials.com
        - www.ecmatrials.com
      secretName: secret-ecmatrials-com
  rules:
    - host: ecmatrials.com
      http:
        paths:
          - path: /?(.*)
            pathType: Prefix
            backend:
              service:
                name: server-cluster-ip-service
                port:
                  number: 8888
    - host: www.ecmatrials.com
      http:
        paths:
          - path: /?(.*)
            pathType: Prefix
            backend:
              service:
                name: server-cluster-ip-service
                port:
                  number: 8888

cluster-issuer.yml-

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-redacted
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

service-nodeports.yml-

apiVersion: v1
kind: Service
metadata:
  name: server-nodeports
spec:
  type: NodePort
  selector:
    component: server
  ports:
    - name: http
      port: 80
      targetPort: 8888
      nodePort: 30602
    - name: https
      port: 443
      targetPort: 8888
      nodePort: 30824
