Cert-менеджер Kubernetes не обновляет сертификаты после смены эмитента

Question

Я использую cert-manager 0.5.2 для управления сертификатами Let's Encrypt в нашем кластере Kubernetes.

Я использовал промежуточную среду Let's Encrypt, но теперь перешел на использование ихпроизводственные сертификаты. Проблема в том, что мои приложения не обновляются до новых действительных сертификатов.

Я, должно быть, что-то напортачил при обновлении ресурсов издателя, сертификата и входных ресурсов, но я не могу 'не вижу что.Я также переустановил входной контроллер NGINX и диспетчер сертификатов и заново создал свои приложения, но я все еще получаю старые сертификаты.Что я могу делать дальше?

Описание эмитента кластера letsencrypt:

Name:         letsencrypt
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt","namespace":""},"spec":{"acme":{"e...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-01-04T09:27:49Z
  Generation:          0
  Resource Version:    130088
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/letsencrypt
  UID:                 00f0ea0f-1003-11e9-997f-ssh3b4bcc625
Spec:
  Acme:
    Email:  administrator@domain.com
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/48899673
  Conditions:
    Last Transition Time:  2019-01-04T09:28:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Описание сертификата tls-secret:

Name:         tls-secret
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"tls-secret","namespace":"default"},"spec":{"acme"...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2019-01-04T09:28:13Z
  Resource Version:    130060
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tls-secret
  UID:                 0f38w7y4-1003-11e9-997f-e6e9b4bcc625
Spec:
  Acme:
    Config:
      Domains:
        mydomain.com
      Http 01:
        Ingress Class:  nginx
  Dns Names:
    mydomain.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt
  Secret Name:  tls-secret
Events:         <none>

Описание входного контроллера aks-ingress:

Name:             aks-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-secret terminates mydomain.com
Rules:
  Host                                                       Path  Backends
  ----                                                       ----  --------
  mydomain.com
                                                             /   myapplication:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:   ...
  kubernetes.io/ingress.class:                 nginx
  nginx.ingress.kubernetes.io/rewrite-target:  /
  certmanager.k8s.io/cluster-issuer:           letsencrypt
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  21m   nginx-ingress-controller  Ingress default/aks-ingress
  Normal  CREATE  21m   nginx-ingress-controller  Ingress default/aks-ingress

Журналы для cert-manager после перезапуска сервера:

I0104 09:28:38.378953 1 setup.go:144] Skipping re-verifying ACME account as cached registration details look sufficient.    
I0104 09:28:38.379058 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:38.378953 1 setup.go:144] Skipping re-verifying ACME account as cached registration details look sufficient.    
I0104 09:28:38.379058 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:38.378455 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:38.378455 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:33.440466 1 controller.go:185] certificates controller: Finished processing work item "default/tls-secret"  
I0104 09:28:33.440417 1 sync.go:206] Certificate default/tls-secret scheduled for renewal in 1423 hours 
I0104 09:28:33.440466 1 controller.go:185] certificates controller: Finished processing work item "default/tls-secret"  
I0104 09:28:33.440417 1 sync.go:206] Certificate default/tls-secret scheduled for renewal in 1423 hours 
I0104 09:28:33.439824 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
I0104 09:28:33.439824 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
I0104 09:28:33.377556 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:33.377556 1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"   
I0104 09:28:33.359246 1 helpers.go:147] Setting lastTransitionTime for ClusterIssuer "letsencrypt" condition "Ready" to 2019-01-04 09:28:33.359214315 +0000 UTC m=+79.014291591 
I0104 09:28:33.359178 1 setup.go:181] letsencrypt: verified existing registration with ACME server  
I0104 09:28:33.359178 1 setup.go:181] letsencrypt: verified existing registration with ACME server  
I0104 09:28:33.359246 1 helpers.go:147] Setting lastTransitionTime for ClusterIssuer "letsencrypt" condition "Ready" to 2019-01-04 09:28:33.359214315 +0000 UTC m=+79.014291591 
I0104 09:28:32.427832 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:32.427978 1 controller.go:182] ingress-shim controller: Finished processing work item "default/aks-ingress" 
I0104 09:28:32.427832 1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'    
I0104 09:28:32.427832 1 controller.go:168] ingress-shim controller: syncing item 'default/aks-ingress'  
I0104 09:28:32.428133 1 logger.go:88] Calling GetAccount    
I0104 09:28:32.427936 1 sync.go:140] Certificate "tls-secret" for ingress "aks-ingress" already exists  
I0104 09:28:32.427965 1 sync.go:143] Certificate "tls-secret" for ingress "aks-ingress" is up to date   
I0104 09:28:32.427978 1 controller.go:182] ingress-shim controller: Finished processing work item "default/aks-ingress" 
I0104 09:28:32.428133 1 logger.go:88] Calling GetAccount    
I0104 09:28:32.427936 1 sync.go:140] Certificate "tls-secret" for ingress "aks-ingress" already exists  
I0104 09:28:32.427832 1 controller.go:168] ingress-shim controller: syncing item 'default/aks-ingress'  
I0104 09:28:32.427965 1 sync.go:143] Certificate "tls-secret" for ingress "aks-ingress" is up to date   
I0104 09:28:29.439299 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
E0104 09:28:29.439586 1 controller.go:180] certificates controller: Re-queuing item "default/tls-secret" due to error processing: Issuer letsencrypt not ready  
I0104 09:28:29.439404 1 sync.go:120] Issuer letsencrypt not ready   
E0104 09:28:29.439586 1 controller.go:180] certificates controller: Re-queuing item "default/tls-secret" due to error processing: Issuer letsencrypt not ready  
I0104 09:28:29.439299 1 controller.go:171] certificates controller: syncing item 'default/tls-secret'   
I0104 09:28:29.439404 1 sync.go:120] Issuer letsencrypt not ready   
I0104 09:28:27.404656 1 controller.go:68] Starting certificates controller  
I0104 09:28:27.404606 1 controller.go:68] Starting issuers controller   
I0104 09:28:27.404325 1 controller.go:68] Starting ingress-shim controller  
I0104 09:28:27.404606 1 controller.go:68] Starting issuers controller   
I0104 09:28:27.404325 1 controller.go:68] Starting ingress-shim controller  
I0104 09:28:27.404269 1 controller.go:68] Starting clusterissuers controller    
I0104 09:28:27.404656 1 controller.go:68] Starting certificates controller  
I0104 09:28:27.404269 1 controller.go:68] Starting clusterissuers controller    
I0104 09:28:27.402806 1 leaderelection.go:184] successfully acquired lease kube-system/cert-manager-controller  
I0104 09:28:27.402806 1 leaderelection.go:184] successfully acquired lease kube-system/cert-manager-controller  
I0104 09:27:14.359634 1 server.go:84] Listening on http://0.0.0.0:9402  
I0104 09:27:14.357610 1 controller.go:126] Using the following nameservers for DNS01 checks: [10.0.0.10:53] 
I0104 09:27:14.357610 1 controller.go:126] Using the following nameservers for DNS01 checks: [10.0.0.10:53] 
I0104 09:27:14.358408 1 leaderelection.go:175] attempting to acquire leader lease kube-system/cert-manager-controller...    
I0104 09:27:14.359634 1 server.go:84] Listening on http://0.0.0.0:9402  
I0104 09:27:14.356692 1 start.go:79] starting cert-manager v0.5.2 (revision 9e8c3ad899c5aafaa360ca947eac7f5ba6301035)   
I0104 09:27:14.358408 1 leaderelection.go:175] attempting to acquire leader lease kube-system/cert-manager-controller...    
I0104 09:27:14.356692 1 start.go:79] starting cert-manager v0.5.2 (revision 9e8c3ad899c5aafaa360ca947eac7f5ba6301035)

Ресурс сертификата:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: tls-secret
spec:
  secretName: tls-secret
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer

Answer 1

в этом случае проблема исчезла после воссоздания секрета и ресурса сертификата cert-manager.

обычно то, что вы хотите проверить, аннотации на вашем входном ресурсе (certmanager.k8s.io/cluster-issuer: letsencrypt), ресурс сертификата cert-manager, секретный сертификат ssl в k8s и во входном ресурсе