Я развертываю drone.io на gke k8s с помощью helm. Он отлично работает, если у меня отключен LetsEncrypt. Но мне очень нужна поддержка https.
Вот моя услуга:
apiVersion: v1
kind: Service
metadata:
name: {{ template "drone_ci.fullname" . }}-external
labels:
name: server
app: {{ template "drone_ci.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: LoadBalancer
loadBalancerIP: {{ .Values.droneLoadBalancerIp}}
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8000
- name: https
protocol: TCP
port: 443
targetPort: 443
selector:
name: server
У меня есть еще одна служба для порта 9000, так как она требуется только агенту дрона.
Мой шаблон развертывания дрон-сервера выглядит так:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ template "drone_ci_server.fullname" . }}
labels:
app: {{ template "drone_ci.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: 1
template:
metadata:
labels:
name: server
app: {{ template "drone_ci.name" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: server
image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: "DRONE_HOST"
value: {{ .Values.droneHost }}
- name: "DRONE_OPEN"
value: "true"
- name: "DRONE_GITLAB"
value: "true"
- name: DRONE_GITLAB_URL
value: {{ .Values.droneGitlabUrl }}
- name: DRONE_ADMIN
value: {{ .Values.droneAdmin }}
- name: DRONE_GITLAB_CLIENT
valueFrom:
secretKeyRef:
name: {{ template "drone_ci.fullname" . }}
key: DRONE_GITLAB_CLIENT
- name: DRONE_GITLAB_SECRET
valueFrom:
secretKeyRef:
name: {{ template "drone_ci.fullname" . }}
key: DRONE_GITLAB_SECRET
- name: DRONE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "drone_ci.fullname" . }}
key: DRONE_SECRET
- name: DRONE_LETS_ENCRYPT
value: "true"
volumeMounts:
- mountPath: /var/lib/drone
name: drone-lib-pv-storage
volumes:
- name: drone-lib-pv-storage
persistentVolumeClaim:
claimName: {{ template "drone_ci.fullname" . }}
Когда LetEncrypt имеет значение false, мой сайт работает, и он отлично подключается к моему экземпляру gitlab по правильному URL-адресу. Когда letEncrypt истинна, тогда:
Переход к моему дрону в Chrome дает мне сообщение «Этот сайт не может обеспечить безопасное соединение». ssllab't test сообщает мне:
No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.
Глядя на журналы модулей, каждый раз, когда я пытаюсь получить доступ к дрону через Chrome, я получаю:
http: TLS handshake error from x.x.x.x:53938: acme/autocert: no supported challenge type found
http: TLS handshake error from y.y.y.y:53936: acme/autocert: missing certificate
Мой образ сервера дрона:
image:
repository: drone/drone
tag: 0.8
pullPolicy: Always
Что я упускаю или делаю не так?