I am trying to understand how Kubernetes works, so I set up K3S using the quick start guide.
Then I used the Helm guide.
I want to use Let's Encrypt certificates for my cluster and validate them with a dns01 webhook for my DNS provider, Simply.com.
This can be done with the webhook here:
https://github.com/RunnerM/simply-dns-webhook
For now I am testing whether I can obtain certificates from Let's Encrypt using their staging server.
I created a YAML file letsencrypt-staging.yaml containing the following ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          groupName: com.github.runnerm.cert-manager-simply-webhook
          solverName: simply-dns-solver
          config:
            secretName: simply-credentials # notice the name
      selector:
        dnsZones:
        - 'cluster.example.com'
        - '*.cluster.example.com'
My configuration file is essentially copied verbatim from the example on RunnerM's GitHub page.
To issue a certificate, I created a YAML file named certificate-test.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-certificate
spec:
  dnsNames:
  - test.cluster.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: test-certificate-tls
Then I should be able to get a certificate issued with the following commands:
kubectl apply -f letsencrypt-staging.yaml
kubectl apply -f certificate-test.yaml
However, no certificate is issued.
When I run kubectl describe challenge test-certificate-1-1965387138-1295925723
I get the following error message:
...
Status:
  Presented: false
  Processing: true
  Reason: secrets "simply-credentials" is forbidden: User "system:serviceaccount:default:my-simply-dns-webhook" cannot get resource "secrets" in API group "" in the namespace "cert-manager"
  State: pending
E
...
I know that the Simply DNS webhook my-simply-dns-webhook is running in the default namespace, and that the Simply DNS credentials are stored in the cert-manager namespace.
So how do I allow the Simply DNS webhook to access resources in the cert-manager namespace?
Additional information
Running the command kubectl get clusterrolebindings gives the following:
my-simply-dns-webhook:secret-access ClusterRole/my-simply-dns-webhook:secret-access 76s
simply-dns-webhook:challenge-management ClusterRole/simply-dns-webhook:challenge-management 76s
my-simply-dns-webhook:domain-solver ClusterRole/my-simply-dns-webhook:domain-solver 76s
my-simply-dns-webhook:flow-control ClusterRole/my-simply-dns-webhook:flow-control 76s
my-simply-dns-webhook:auth-delegator ClusterRole/system:auth-delegator 76s
The output of kubectl get clusterrole my-simply-dns-webhook:secret-access is:
Name:         my-simply-dns-webhook:secret-access
Labels:       app=simply-dns-webhook
              app.kubernetes.io/managed-by=Helm
              chart=simply-dns-webhook-1.5.4
              heritage=Helm
              release=my-simply-dns-webhook
Annotations:  meta.helm.sh/release-name: my-simply-dns-webhook
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  secrets.*  []                 []              [get]
The command kubectl describe clusterrolebindings my-simply-dns-webhook:secret-access gives:
Name:         my-simply-dns-webhook:secret-access
Labels:       app=simply-dns-webhook
              app.kubernetes.io/managed-by=Helm
              chart=simply-dns-webhook-1.5.4
              heritage=Helm
              release=my-simply-dns-webhook
Annotations:  meta.helm.sh/release-name: my-simply-dns-webhook
              meta.helm.sh/release-namespace: default
Role:
  Kind:  ClusterRole
  Name:  my-simply-dns-webhook:secret-access
Subjects:
  Kind            Name                   Namespace
  ----            ----                   ---------
  ServiceAccount  my-simply-dns-webhook  cert-manager
So what am I missing?
Answer 1
I think the simply-dns-webhook helm chart is broken.
It creates a ServiceAccount named simply-dns-webhook in the default namespace (or whatever namespace is passed to helm install with -n), but the simply-dns-webhook:secret-access ClusterRoleBinding specifies:
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: simply-dns-webhook:secret-access
subjects:
- kind: ServiceAccount
  name: simply-dns-webhook
  namespace: cert-manager
That will never match.
It might work if you deploy everything into the cert-manager namespace:
helm install -n cert-manager simply-dns-webhook simply-dns-webhook/simply-dns-webhook
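A narrower fix than redeploying the release, added here as an example that is not from the question, the answer or the webhook chart: leave the webhook in default and grant its ServiceAccount get on only the one credentials Secret in cert-manager through a namespaced Role and RoleBinding, instead of the chart's cluster-wide ClusterRole on all secrets. The Role and RoleBinding names are my own; the ServiceAccount, Secret and namespace names are the ones that appear in the question's error message and ClusterIssuer.

```yaml
# Hypothetical least-privilege RBAC (not part of the chart). Check it with:
#   kubectl auth can-i get secrets/simply-credentials -n cert-manager \
#     --as=system:serviceaccount:default:my-simply-dns-webhook
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: simply-credentials-reader      # name chosen for this example
  namespace: cert-manager              # the namespace that holds the Secret
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["simply-credentials"]  # the secretName from the ClusterIssuer
  verbs: ["get"]                         # the only verb the chart's ClusterRole grants
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: simply-credentials-reader
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: simply-credentials-reader
subjects:
- kind: ServiceAccount
  name: my-simply-dns-webhook           # the SA named in the "forbidden" error
  namespace: default                    # where the Helm release actually put it
```

The auth can-i check should answer no before the manifest is applied and yes after, which confirms the binding reaches the ServiceAccount in default without widening access to any other secret.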