问题
当通配符SSL证书,被不同命名空间的 Ingress 使用时,关于 namespace 私有问题如何解决?
解决方案
Referring to TLS secret from other namespace (i.e. not the namespace in which ingress is created) https://github.com/kubernetes/ingress-nginx/issues/2170
配置方案
https://kubernetes.github.io/ingress-nginx/user-guide/tls/
实施步骤
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
- --default-ssl-certificate=$(POD_NAMESPACE)/foo-tls
securityContext:
...
如果我们在 ingress-nginx 有 foo-tls 密钥配置,添加一行 - --default-ssl-certificate=$(POD_NAMESPACE)/foo-tls
kubectl apply -f ingress-controller.yaml 生效查看
网友评论