apache / apisix-helm-chart

Apache APISIX Helm Chart
https://apisix.apache.org/
Apache License 2.0

helm install apisix fails to connect to external etcd over HTTPS #173

Open ajistyle opened 2 years ago

ajistyle commented 2 years ago

1. The external etcd is accessed over HTTPS:

```shell
ETCDCTL_API=3 etcdctl \
  --endpoints=http://192.168.2.202:2379 \
  --cacert=/etc/kubernetes/ca/ca.pem \
  --cert=/etc/kubernetes/ca/etcd/etcd.pem \
  --key=/etc/kubernetes/ca/etcd/etcd-key.pem \
  endpoint health
```

  1. Create the secret

```shell
kubectl create secret tls etcd-ssl-s -n ops \
  --cert=/etc/kubernetes/ca/etcd/etcd.pem \
  --key=/etc/kubernetes/ca/etcd/etcd-key.pem \
  --dry-run -o yaml > etcd-ssl-s.yaml
```

  2. Install APISIX with helm

```shell
helm install apisix apisix-072/ --namespace ops \
  --set etcd.enabled=false \
  --set etcd.host={https://192.168.2.202:2379} \
  --set etcd.auth.tls.enabled=true \
  --set etcd.auth.tls.existingSecret=etcd-ssl-s \
  --set etcd.auth.tls.certFilename=etcd.pem \
  --set etcd.auth.tls.certKeyFilename=etcd-key.pem
```

Error:

```
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init

WARNING: using fixed Admin API token has security risk. Please modify "admin_key" in conf/config.yaml .

/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```

ajistyle commented 2 years ago

Could someone take a look at this?

tokers commented 2 years ago

@ajistyle If you create a TLS type Kubernetes Secret object, the respective keys are "tls.crt" and "tls.key", so you should use the correct keys in the settings etcd.auth.tls.certFilename and etcd.auth.tls.certKeyFilename.

What's more, you should also pass the CA certificate to APISIX, or it might reject the TLS handshake since the certificate is not trusted (unless it's signed by a well-known CA).
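The two failure modes in this thread (a `*Filename` value that names a key the Secret does not have, and a missing CA so the server certificate cannot be verified) can both be caught before `helm install` by inspecting the `--dry-run -o json` output of `kubectl create secret tls`. The check below is an added example written for this page; it is not part of the apisix-helm-chart project or the issue. The Secret JSON is a constructed sample with placeholder PEM bodies, and the convention that the etcd CA lives in the same Secret under `ca.crt` is an assumption of the example (the chart's own way of consuming a CA is not shown on this page).

```python
import base64
import json


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed sample of what
#   kubectl create secret tls etcd-ssl-s -n ops --cert=... --key=... --dry-run=client -o json
# emits for a TLS Secret. The PEM bodies are placeholders, not real key material.
SAMPLE_TLS_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "etcd-ssl-s", "namespace": "ops"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
})

# The two --set combinations used in the thread: the failing one and the corrected one.
VALUES_WRONG = {
    "etcd.auth.tls.certFilename": "etcd.crt",
    "etcd.auth.tls.certKeyFilename": "etcd-key.key",
}
VALUES_RIGHT = {
    "etcd.auth.tls.certFilename": "tls.crt",
    "etcd.auth.tls.certKeyFilename": "tls.key",
}


def check_etcd_tls_secret(secret_json: str, values: dict, ca_key: str = "ca.crt") -> list:
    """Return a list of human-readable problems. An empty list means every file
    name the chart will look for exists as a key in the Secret and looks like PEM."""
    secret = json.loads(secret_json)
    data = secret.get("data", {})
    problems = []

    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"secret type is {secret.get('type')!r}, expected kubernetes.io/tls")

    # Each *Filename value becomes a file under the mounted Secret volume, so it must
    # match a key of .data exactly. A miss surfaces in APISIX as
    # "error loading private key (No such file or directory)".
    expected_header = {
        "etcd.auth.tls.certFilename": "-----BEGIN CERTIFICATE-----",
        "etcd.auth.tls.certKeyFilename": "PRIVATE KEY-----",
    }
    for value_name, header in expected_header.items():
        key = values[value_name]
        if key not in data:
            problems.append(
                f"{value_name}={key!r} but the Secret has no such key (present: {sorted(data)})"
            )
            continue
        pem = base64.b64decode(data[key]).decode(errors="replace")
        first_line = (pem.splitlines() or [""])[0]
        if header not in first_line:
            problems.append(f"{key!r} does not start with a PEM {header.strip('-')} block")

    # Assumed convention for this example: the etcd CA bundle travels in the same Secret
    # under ca.crt. Without a trusted CA the handshake fails with "certificate verify
    # failed", the second error seen in the thread.
    if ca_key not in data:
        problems.append(f"no {ca_key!r} in the Secret; APISIX cannot verify etcd's server certificate")
    return problems


def add_ca_to_secret(secret_json: str, ca_pem: str, ca_key: str = "ca.crt") -> str:
    """Return the Secret with the CA bundle added as an extra key. `kubectl create
    secret tls` only accepts --cert and --key, so the CA has to be added separately."""
    secret = json.loads(secret_json)
    secret.setdefault("data", {})[ca_key] = _b64(ca_pem)
    return json.dumps(secret)


if __name__ == "__main__":
    for label, values in (("wrong", VALUES_WRONG), ("right", VALUES_RIGHT)):
        print(label, check_etcd_tls_secret(SAMPLE_TLS_SECRET, values) or "ok")
```

Run against the real dry-run output by feeding the JSON file's contents to `check_etcd_tls_secret` together with the `--set` values you intend to pass; the first `--set` combination from the thread reports both missing keys, and the corrected one only reports the absent CA.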

ajistyle commented 2 years ago

```shell
cp etcd.pem etcd.crt
cp etcd-key.pem etcd-key.key

kubectl create secret tls etcd-ssl-s -n ops \
    --cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
    --key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
    --dry-run -o yaml > etcd-ssl-s.yaml
```

```
[root@node201 apisix]# kubectl describe secret/etcd-ssl-s -n ops
Name:         etcd-ssl-s
Namespace:    ops
Labels:       <none>
Annotations:
Type:         kubernetes.io/tls

Data
====
tls.crt:  1403 bytes
tls.key:  1675 bytes
```

```shell
helm install apisix apisix-072/ --namespace ops \
    --set etcd.enabled=false \
    --set etcd.host={https://192.168.2.202:2379} \
    --set etcd.auth.tls.enabled=true \
    --set etcd.auth.tls.existingSecret=etcd-ssl-s \
    --set etcd.auth.tls.certFilename=etcd.crt \
    --set etcd.auth.tls.certKeyFilename=etcd-key.key
```

```
[root@node201 apisix]# kubectl -n ops logs pod/apisix-f9fbcd99c-lzvfq
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init

WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .

/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```

**helm uninstall apisix --namespace ops**

```shell
helm install apisix apisix-072/ --namespace ops \
    --set etcd.enabled=false \
    --set etcd.host={https://192.168.2.202:2379} \
    --set etcd.auth.tls.enabled=true \
    --set etcd.auth.tls.existingSecret=etcd-ssl-s \
    --set etcd.auth.tls.certFilename=tls.crt \
    --set etcd.auth.tls.certKeyFilename=tls.key
```

```
[root@node201 apisix]# kubectl logs pod/apisix-f44c8b9d-kbtqv -n ops
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init

WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .

/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=2
[root@node201 apisix]#
```

tokers commented 2 years ago

```shell
kubectl create secret tls etcd-ssl-s -n ops \
    --cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
    --key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
    --dry-run -o yaml > etcd-ssl-s.yaml
```

The key names of a tls type secret will be "tls.crt" and "tls.key", but you configured etcd.crt and etcd-key.key, so the mount won't succeed.

yangfanLu commented 1 year ago

I ran into the same problem, certificate verification fails. Has it been solved?