Existing private key in Secret "docker-registry-tls-certificate" has mismatching fields: [spec.keySize]



I ran into a problem installing a docker registry on Kubernetes. Although I have created and deleted the TLS certificate several times, I get a notification that the certificate is not up to date and does not match the spec:

Events:
Type     Reason        Age    From          Message
----     ------        ----   ----          -------
Normal   Issuing       2m40s  cert-manager  Existing private key is not up to date for spec: [spec.keySize]
Warning  DecodeFailed  2m40s  cert-manager  Existing private key in Secret "docker-registry-tls-certificate" does not match requirements on Certificate resource, mismatching fields: [spec.keySize]

Also, when I check our certificates, I see that our TLS certificate is not ready:

[root@kube-master-0 dockerRegistry]# kubectl get certs
NAME                              READY   SECRET                            AGE
docker-registry-tls               True    docker-registry-tls-certificate   6m53s
docker-registry-tls-certificate   False   docker-registry-tls-certificate   7m14s

Our certificate YAML file:

# 01 Staging Environment over SelfSignedCert without a Public DNS
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: demo-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: docker-registry-tls
spec:
  # Secret names are always required.
  secretName: docker-registry-tls-certificate
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: registry.example.com
  isCA: false
  keySize: 4096
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - registry.example.com
    - example.com
  ipAddresses:
    - 192.168.50.101
    - 192.168.50.102
  # Issuer references are always required.
  issuerRef:
    name: demo-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io

What is the root cause of this problem, and how do I fix it?

This is because there is already a TLS cert/key in the docker-registry-tls-certificate Secret, and that key has a different key size from the Certificate's spec.keySize.

This seems to be a change in cert-manager behaviour: previously it would overwrite the Secret with the newly issued certificate even if the key size differed, but now it refuses to update the Secret if the key size differs.

For example, this could be a dummy self-signed certificate deployed together with the docker registry to get the resources up and running, which the cert-manager Certificate is now replacing.

To fix this, you can replace the tls.crt/tls.key in the docker-registry-tls-certificate Secret with a dummy key of the same length as the Certificate resource requests, or delete the Secret entirely if it is not needed.
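The check the answer describes, as an added example that is not from the original post and not cert-manager's own code: it reads the RSA modulus size out of the Secret's tls.key with a minimal DER parser (PKCS#1 as in the question's keyEncoding, plus PKCS#8), compares it with spec.keySize, and returns the kubectl delete command when they differ. SAMPLE_SECRET is a constructed stand-in for the Secret in the question; its key has a 2048-bit modulus but is not a real key pair. The script name check_keysize.py and the argument order are assumptions.

```python
import base64
import json
import re
import subprocess
import sys


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_int(n):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 if the high bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_sequence_items(seq):
    """Split the contents of a DER SEQUENCE into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(seq):
        tag, value, pos = der_read_tlv(seq, pos)
        items.append((tag, value))
    return items


def rsa_key_bits(pem):
    """Modulus bit length of a PKCS#1 ('RSA PRIVATE KEY') or PKCS#8 ('PRIVATE KEY') RSA key."""
    der = base64.b64decode("".join(re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem).split()))
    _, seq, _ = der_read_tlv(der, 0)
    items = der_sequence_items(seq)
    if "BEGIN PRIVATE KEY" in pem:
        # PKCS#8: SEQUENCE { version, AlgorithmIdentifier, OCTET STRING (PKCS#1 RSAPrivateKey) }
        _, inner, _ = der_read_tlv(items[2][1], 0)
        items = der_sequence_items(inner)
    # PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
    return int.from_bytes(items[1][1], "big").bit_length()


def check_secret(secret, expected_bits):
    """secret is the dict form of `kubectl get secret <name> -o json`.
    Returns (actual_bits, action): 'ok', or the kubectl command that clears the stale key."""
    key_b64 = secret.get("data", {}).get("tls.key")
    if not key_b64:
        return None, "no tls.key in Secret; cert-manager will generate one"
    bits = rsa_key_bits(base64.b64decode(key_b64).decode())
    if bits == expected_bits:
        return bits, "ok"
    meta = secret["metadata"]
    return bits, f"kubectl delete secret {meta['name']} -n {meta.get('namespace', 'default')}"


def constructed_rsa_pem(bits):
    """Structurally valid PKCS#1 PEM whose modulus has exactly `bits` bits.
    Constructed sample only: the numbers are not a real RSA key pair."""
    n = (1 << (bits - 1)) | 1
    body = b"".join(der_int(f) for f in [0, n, 65537, 3, 5, 7, 11, 13, 17])
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"


# Constructed stand-in for the Secret in the question: a 2048-bit key left behind
# by an earlier deployment, while the Certificate asks for keySize: 4096.
SAMPLE_SECRET = {
    "metadata": {"name": "docker-registry-tls-certificate", "namespace": "default"},
    "data": {"tls.key": base64.b64encode(constructed_rsa_pem(2048).encode()).decode()},
}


if __name__ == "__main__":
    # Live use (assumed invocation): python3 check_keysize.py <secret-name> <namespace> <spec.keySize>
    if len(sys.argv) == 4:
        raw = subprocess.check_output(
            ["kubectl", "get", "secret", sys.argv[1], "-n", sys.argv[2], "-o", "json"])
        secret, expected = json.loads(raw), int(sys.argv[3])
    else:
        secret, expected = SAMPLE_SECRET, 4096
    print(check_secret(secret, expected))
```

The same number can be read at the shell with `kubectl get secret docker-registry-tls-certificate -o jsonpath='{.data.tls\.key}' | base64 -d | openssl rsa -noout -text | head -n 1`. Deleting the Secret is the simpler of the two fixes in the answer because the Certificate resource still exists, so cert-manager generates a fresh key of the requested size and re-issues; anything that mounts the Secret is without it until that happens, so do it during a window where the registry can tolerate a restart.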
