我正在用helm安装gitlab,我已经用以下命令在kubernetes中创建了证书。
然而,当我运行helm安装,并在浏览器中输入地址(ip-address.nip.io(时,我仍然会得到";您的连接不是私有的";消息我已将证书安装到受信任的根证书颁发机构。
当我从浏览器中检查证书详细信息时,我发现它仍然显示使用者可选名称->DNS名称=入口.local
我无法从浏览器中获取我的端点ip-address.nip.io,这就是我的目标。
K8s证书
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
"hosts": [
"<ip-address>.nip.io",
"registry.<ip-address>.nip.io",
"gitlab.<ip-address>.nip.io",
"minio.<ip-address>.nip.io"
],
"CN": "<ip-address>.nip.io",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: <ip-address>.nip.io
spec:
request: $(cat server.csr | base64 | tr -d 'n')
usages:
- digital signature
- key encipherment
- server auth
EOF
kubectl certificate approve <ip-address>.nip.io
kubectl get csr <ip-address>.nip.io -o jsonpath='{.status.certificate}' | base64 --decode > server.crt
kubectl create secret tls <secret-name> --key server-key.pem --cert server.crt
检查入口主机配置和机密是否正确设置
spec:
tls:
- secretName: cert-secret
hosts:
- app.dev.example.com <---- this entry should match below
- secretName: dev-wildcard-tls-cert
hosts:
- "*.app.example.com" <---- this entry should match below
rules:
- host: app.dev.example.com <---- this entry should match
http:
paths:
- path: /
backend:
serviceName: service-2
servicePort: 80
- host: "*.app.example.com" <---- this entry should match
http:
paths:
- path: /
backend:
serviceName: service-1
servicePort: 80