Hello,
I am trying cert-manager in k8s, also using the nginx-ingress controller with metallb. I hope there is a k8s expert here.
CentOS version:
CentOS Linux release 7.8.2003 (Core)
Ingress yaml:

[root@sealos01 ingress]# kubectl get ing
NAME   CLASS    HOSTS                  ADDRESS       PORTS     AGE
test   <none>   testing.hkitblog.com   10.0.10.140   80, 443   53m

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  tls:
  - secretName: testing-hkitblog-com-tls
    hosts:
    - testing.hkitblog.com
  rules:
  - host: testing.hkitblog.com
    http:
      paths:
      - backend:
          serviceName: helloworld-v1
          servicePort: 443
Pod and svc yaml:

[root@sealos01 ingress]# kubectl get svc
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
helloworld-v1              LoadBalancer   10.97.91.142   10.0.10.141   443:32280/TCP                53m
kubernetes                 ClusterIP      10.96.0.1      <none>        443/TCP                      2d1h
my-release-nginx-ingress   LoadBalancer   10.98.35.128   10.0.10.140   80:31159/TCP,443:31789/TCP   2d1h

[root@sealos01 ingress]# kubectl get pod
NAME                                        READY   STATUS    RESTARTS   AGE
my-release-nginx-ingress-5c57477464-lgqrz   1/1     Running   7          2d1h
testing.hkitblog.com                        1/1     Running   0          53m

[root@sealos01 ingress]# cat helloworld-v1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: testing.hkitblog.com
  labels:
    app: helloworld-v1
spec:
  containers:
  - name: k8s-demo
    image: 105552010/k8s-demo:v1
    ports:
    - name: nodejs-port
      containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: helloworld-v1
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  loadBalancerIP: 10.0.10.141
  ports:
  - port: 443
    targetPort: 3000
    protocol: TCP
  selector:
    app: helloworld-v1
metallb yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      auto-assign: true
      addresses:
      - 10.0.10.140-10.0.10.145

The cert is ready:

[root@sealos01 ingress]# kubectl get cert
NAME                   READY   SECRET                     AGE
testing-hkitblog-com   True    testing-hkitblog-com-tls   46h

I have edited /etc/hosts (10.0.10.141 > testing.hkitblog.com) on a master node.
When I run curl -v https://testing.hkitblog.com:

* About to connect() to testing.hkitblog.com port 443 (#0)
*   Trying 10.0.10.141...
* Connected to testing.hkitblog.com (10.0.10.141) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

If I change to port 80 there is no problem. Why is it CApath: none?
Thanks!
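
An added diagnostic example, not part of the original post: the curl trace above connects to 10.0.10.141, which the svc listing shows is the helloworld-v1 Service (443 forwarded to container port 3000), not the ingress address 10.0.10.140, so this probe reports whether whatever answers on a port completes a TLS handshake or replies in plain HTTP. The names probe and start_plain_http_stub are hypothetical, and the stub is a constructed local stand-in on the assumption that the demo app serves plain HTTP.

```python
import socket
import ssl
import threading

def probe(host, port, server_name=None, timeout=3.0):
    """Return 'tls', 'plaintext-http' or 'unknown' for what answers on host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # question here is "is this TLS at all?",
    ctx.verify_mode = ssl.CERT_NONE   # not "is the certificate trusted?"
    name = server_name or host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name):
                return "tls"
    except OSError:                   # SSLError, EOF, reset and timeout all land here
        pass
    try:
        # Handshake failed: see whether the same port answers a plain HTTP request.
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + name.encode() + b"\r\n\r\n")
            reply = raw.recv(16)
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"

def start_plain_http_stub():
    """Constructed stand-in for a plain-HTTP backend; returns its (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.recv(4096)   # a TLS ClientHello or an HTTP request
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                continue
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    host, port = start_plain_http_stub()
    # Against the cluster, call probe() with the address and port under test instead.
    print(probe(host, port))
```

Run against both LoadBalancer addresses on port 443 with server_name set to testing.hkitblog.com, it shows which of the two endpoints terminates TLS.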