Open ajistyle opened 2 years ago
Hey folks, could someone take a look at this? ~
@ajistyle If you create a TLS type Kubernetes Secret object, the respective keys are "tls.crt" and "tls.key", so you should use the correct keys in the settings `etcd.auth.tls.certFilename` and `etcd.auth.tls.certKeyFilename`.
What's more, you should also pass the CA certificate to APISIX, or it might reject the TLS handshake since the certificate is not trusted (unless it's signed by a well-known CA).
```
cp etcd.pem etcd.crt
cp etcd-key.pem etcd-key.key
kubectl create secret tls etcd-ssl-s -n ops \
  --cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
  --key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
  --dry-run -o yaml > etcd-ssl-s.yaml

[root@node201 apisix]# kubectl describe secret/etcd-ssl-s -n ops
Name:         etcd-ssl-s
Namespace:    ops
Labels:       <none>
Annotations:
Type:         kubernetes.io/tls
Data
====
tls.crt:  1403 bytes
tls.key:  1675 bytes
```

First attempt (certFilename/certKeyFilename set to the original file names):

```
helm install apisix apisix-072/ --namespace ops \
  --set etcd.enabled=false \
  --set etcd.host={https://192.168.2.202:2379} \
  --set etcd.auth.tls.enabled=true \
  --set etcd.auth.tls.existingSecret=etcd-ssl-s \
  --set etcd.auth.tls.certFilename=etcd.crt \
  --set etcd.auth.tls.certKeyFilename=etcd-key.key

[root@node201 apisix]# kubectl -n ops logs pod/apisix-f9fbcd99c-lzvfq
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```

Second attempt (certFilename/certKeyFilename set to tls.crt/tls.key):

```
helm uninstall apisix --namespace ops
helm install apisix apisix-072/ --namespace ops \
  --set etcd.enabled=false \
  --set etcd.host={https://192.168.2.202:2379} \
  --set etcd.auth.tls.enabled=true \
  --set etcd.auth.tls.existingSecret=etcd-ssl-s \
  --set etcd.auth.tls.certFilename=tls.crt \
  --set etcd.auth.tls.certKeyFilename=tls.key

[root@node201 apisix]# kubectl logs pod/apisix-f44c8b9d-kbtqv -n ops
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=2
[root@node201 apisix]#
```
```
kubectl create secret tls etcd-ssl-s -n ops \
  --cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
  --key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
  --dry-run -o yaml > etcd-ssl-s.yaml
```

The key names of a tls type secret will be "tls.crt" and "tls.key", but you configured `etcd.crt` and `etcd-key.key`, so the mount won't succeed.
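Both replies above come down to the same pre-flight check: the helm values must name the keys the Secret actually carries (`tls.crt` and `tls.key` for a `kubectl create secret tls` object), and the etcd CA still has to reach APISIX. The script below is an added example, not code from this thread or from the APISIX project; the Secret JSON is a constructed stand-in for `kubectl get secret -o json`, and bundling the CA as `ca.crt` in the same Secret is an assumption for the check, not a chart setting.

```python
import base64
import json

# Constructed stand-in for `kubectl get secret etcd-ssl-s -n ops -o json`
# after `kubectl create secret tls`; the PEM bodies are placeholders, not real keys.
def _pem(kind):
    return base64.b64encode(f"-----BEGIN {kind}-----\nAAAA\n-----END {kind}-----\n".encode()).decode()

SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "etcd-ssl-s", "namespace": "ops"},
    "data": {"tls.crt": _pem("CERTIFICATE"), "tls.key": _pem("RSA PRIVATE KEY")},
})

# For each helm value, the PEM label we expect behind the key it points at.
EXPECTED_PEM = {"etcd.auth.tls.certFilename": "CERTIFICATE",
                "etcd.auth.tls.certKeyFilename": "PRIVATE KEY"}


def check_etcd_tls_secret(secret_json, cert_filename, key_filename):
    """Compare the helm values against the Secret's real keys.

    Returns (problems, warnings): problems would reproduce the thread's
    'error loading private key (No such file or directory)' at startup;
    warnings cover the CA the maintainer says APISIX also needs.
    """
    secret = json.loads(secret_json)
    data = secret.get("data", {})
    problems, warnings = [], []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"secret type is {secret.get('type')!r}, expected kubernetes.io/tls")
    wanted = {"etcd.auth.tls.certFilename": cert_filename,
              "etcd.auth.tls.certKeyFilename": key_filename}
    for setting, filename in wanted.items():
        if filename not in data:
            problems.append(f"{setting}={filename}: no such key in the secret, "
                            f"it only has {sorted(data)}")
            continue
        # Decode the stored PEM and confirm its label matches the role
        # (catches cert/key swapped as well as arbitrary files).
        first_line = (base64.b64decode(data[filename]).decode().splitlines() or [""])[0]
        if not (first_line.startswith("-----BEGIN ") and EXPECTED_PEM[setting] in first_line):
            problems.append(f"{setting}={filename}: expected a PEM {EXPECTED_PEM[setting]}, "
                            f"found {first_line!r}")
    # Assumption: the etcd CA is bundled in the same secret as ca.crt. Without a
    # trusted CA the handshake fails with 'certificate verify failed' (see the logs).
    if "ca.crt" not in data:
        warnings.append("no ca.crt in the secret: APISIX still needs the etcd CA certificate")
    return problems, warnings
```

Run it against the real Secret before `helm install`: the first attempt in the thread (`etcd.crt`/`etcd-key.key`) yields two key-name problems, the second (`tls.crt`/`tls.key`) yields none but still warns about the missing CA.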
I ran into the same problem, certificate verification fails. Did you manage to solve it?
1. External etcd, accessed over HTTPS:

```
ETCDCTL_API=3 etcdctl \
  --endpoints=http://192.168.2.202:2379 \
  --cacert=/etc/kubernetes/ca/ca.pem \
  --cert=/etc/kubernetes/ca/etcd/etcd.pem \
  --key=/etc/kubernetes/ca/etcd/etcd-key.pem \
  endpoint health
```

Create the secret:

```
kubectl create secret tls etcd-ssl-s -n ops \
  --cert=/etc/kubernetes/ca/etcd/etcd.pem \
  --key=/etc/kubernetes/ca/etcd/etcd-key.pem \
  --dry-run -o yaml > etcd-ssl-s.yaml
```

Install APISIX with helm:

```
helm install apisix apisix-072/ --namespace ops \
  --set etcd.enabled=false \
  --set etcd.host={https://192.168.2.202:2379} \
  --set etcd.auth.tls.enabled=true \
  --set etcd.auth.tls.existingSecret=etcd-ssl-s \
  --set etcd.auth.tls.certFilename=etcd.pem \
  --set etcd.auth.tls.certKeyFilename=etcd-key.pem
```

Error:

```
usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```