
In an OpenShift CRC (Code Ready Containers) environment, I am trying to use cert-manager with Let's Encrypt to request a certificate, but the certificate request gets stuck and ends up in a "waiting" state.

My ClusterIssuer looks like this:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: barry-letsencrypt
spec:
  acme:
    email: me@abc.com
    http01: {}
    privateKeySecretRef:
      name: barry-letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
      selector: {}

After applying the YAML above, the ClusterIssuer was created successfully.

My Certificate looks like this:

apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager-test
spec:
  secretName: example-com-tls
  duration: 24h
  renewBefore: 12h
  commonName: example.com
  dnsNames:
  - example.com
  issuerRef:
    name: barry-letsencrypt
    kind: ClusterIssuer
    #kind: Issuer
    group: cert-manager.io

After applying the YAML above, I checked whether my Secret object had been created, but tls.crt is 0 bytes.

# oc -n cert-manager-test describe secret example-com-tls
Name:         example-com-tls
Namespace:    cert-manager-test
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: example-com
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: barry-letsencrypt

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1679 bytes

Then I checked the Certificate status, and it shows:

# oc -n cert-manager-test describe certificate.cert-manager.io example-com
Name:         example-com
Namespace:    cert-manager-test
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-01-21T21:53:43Z
  Generation:          1
  Resource Version:    11111249
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/cert-manager-test/certificates/example-com
  UID:                 7e1d5876-3c98-11ea-84cc-52fdfc072182
Spec:
  Common Name:  example.com
  Dns Names:
    example.com
    www.example.com
  Duration:  24h0m0s
  Issuer Ref:
    Group:       cert-manager.io
    Kind:        ClusterIssuer
    Name:        barry-letsencrypt
  Renew Before:  12h0m0s
  Secret Name:   example-com-tls
Status:
  Conditions:
    Last Transition Time:  2020-01-21T21:53:43Z
    Message:               Waiting for CertificateRequest "example-com-3700695519" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age    From          Message
  ----    ------        ----   ----          -------
  Normal  GeneratedKey  7m41s  cert-manager  Generated a new private key
  Normal  Requested     7m41s  cert-manager  Created new CertificateRequest resource "example-com-3700695519"

Obviously, the CertificateRequest is stuck.

What is wrong here? Why does the CertificateRequest end up in a waiting state? Is it caused by Code Ready Containers (I am not sure whether CRC has a route to the outside)?

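The Certificate status in the question only names the stuck CertificateRequest; cert-manager links the rest of the issuance chain (CertificateRequest, Order, Challenge) through ownerReferences, and the Challenge status is where an HTTP-01 failure usually surfaces. The following script is an added example, not code from the question or from cert-manager: it walks that chain over constructed sample objects shaped like `oc get <kind> -o json` items (the object names follow the question; the Order and Challenge status values are invented) and reports the deepest object with its state.

```python
import re

# Constructed sample objects, shaped like items from `oc get <kind> -o json`.
# Names follow the question; the Order/Challenge status values are invented
# to show one HTTP-01 challenge that never validates.
CERT = {"kind": "Certificate", "metadata": {"name": "example-com"},
        "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "InProgress",
                   "message": 'Waiting for CertificateRequest "example-com-3700695519" to complete'}]}}
REQ = {"kind": "CertificateRequest", "metadata": {"name": "example-com-3700695519"},
       "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                  "message": 'Waiting on certificate issuance from order cert-manager-test/example-com-3700695519-1234: "pending"'}]}}
ORDER = {"kind": "Order", "metadata": {"name": "example-com-3700695519-1234",
         "ownerReferences": [{"kind": "CertificateRequest", "name": "example-com-3700695519"}]},
         "status": {"state": "pending"}}
CHAL = {"kind": "Challenge", "metadata": {"name": "example-com-3700695519-1234-0",
        "ownerReferences": [{"kind": "Order", "name": "example-com-3700695519-1234"}]},
        "spec": {"type": "http-01", "dnsName": "example.com"},
        "status": {"state": "pending", "presented": True, "processing": True,
                   "reason": "Waiting for http-01 challenge propagation: wrong status code '503', expected '200'"}}

def ready(obj):
    """Return the Ready condition of a cert-manager object, or None if absent."""
    return next((c for c in obj.get("status", {}).get("conditions", []) if c.get("type") == "Ready"), None)

def owned_by(objs, kind, name):
    """Objects whose ownerReferences point at <kind>/<name>; cert-manager owns Orders by CertificateRequests and Challenges by Orders."""
    return [o for o in objs if any(r.get("kind") == kind and r.get("name") == name
                                   for r in o["metadata"].get("ownerReferences", []))]

def trace(cert, requests, orders, challenges):
    """Walk Certificate -> CertificateRequest -> Order -> Challenge; return a list of (kind, name, detail)."""
    cond = ready(cert) or {}
    path = [("Certificate", cert["metadata"]["name"], f'{cond.get("reason")}: {cond.get("message")}')]
    if cond.get("status") == "True":
        return path  # already issued, nothing further to inspect
    m = re.search(r'CertificateRequest "([^"]+)"', cond.get("message", ""))
    req = next((r for r in requests if m and r["metadata"]["name"] == m.group(1)), None)
    if req is None:
        return path  # request not created yet or not fetched: stop here
    rc = ready(req) or {}
    path.append(("CertificateRequest", req["metadata"]["name"], f'{rc.get("reason")}: {rc.get("message")}'))
    for order in owned_by(orders, "CertificateRequest", req["metadata"]["name"]):
        path.append(("Order", order["metadata"]["name"], f'state={order.get("status", {}).get("state")}'))
        for ch in owned_by(challenges, "Order", order["metadata"]["name"]):
            st = ch.get("status", {})
            path.append(("Challenge", ch["metadata"]["name"],
                         f'{ch["spec"]["type"]} for {ch["spec"]["dnsName"]} state={st.get("state")} '
                         f'presented={st.get("presented")} reason={st.get("reason")}'))
    return path

if __name__ == "__main__":
    for kind, name, detail in trace(CERT, [REQ], [ORDER], [CHAL]):
        print(f"{kind:19}{name:32}{detail}")
```

Against a live cluster the same walk is `oc get certificate,certificaterequest,order,challenge -n cert-manager-test -o json` fed into `trace`; the Challenge `reason` is the first thing to read when a request sits in "Waiting".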

1 Answer


Waiting for an answer :P ...

Mine was found :)

> get all -n cert-manager

NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-6d5fd89bdf-ck46m              1/1     Running   0          3h22m
pod/cert-manager-cainjector-7d47d59998-vdvjc   1/1     Running   0          3h22m
pod/cert-manager-webhook-6559cc8549-llm8w      1/1     Running   0          3h22m

NAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.0.245.56    <none>        9402/TCP   3h23m
service/cert-manager-webhook   ClusterIP   10.0.159.178   <none>        443/TCP    3h22m

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           3h22m
deployment.apps/cert-manager-cainjector   1/1     1            1           3h22m
deployment.apps/cert-manager-webhook      1/1     1            1           3h22m

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-6d5fd89bdf              1         1         1       3h22m
replicaset.apps/cert-manager-cainjector-7d47d59998   1         1         1       3h22m
replicaset.apps/cert-manager-webhook-6559cc8549      1         1         1       3h22m


> kubectl logs -f cert-manager-6d5fd89bdf-ck46m -n cert-manager

I0201 21:48:27.272279       1 controller.go:129] cert-manager/controller/certificates "msg"="syncing item" "key"="kube-system/tls-secret" 
I0201 21:48:27.272351       1 sync.go:57] cert-manager/controller/certificates "msg"="certificate resource not found for key"  "key"="kube-system/tls-secret"
I0201 21:48:27.272492       1 controller.go:135] cert-manager/controller/certificates "msg"="finished processing work item" "key"="kube-system/tls-secret" 



Answered 2020-02-01T20:57:35.530