SoHuDrgon commented on issue #785:
URL:
https://github.com/apache/apisix-helm-chart/issues/785#issuecomment-2421141980
I created the secret this way:
```
kubectl create secret tls etcd-tls --key etcd-client-key.pem --cert etcd-client.pem -n apisix
```
The values.yaml configuration is as follows:
```
# -- external etcd configuration. If etcd.enabled is false, these configuration will be used.
externalEtcd:
  # -- if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379.
  host:
    # host or ip e.g. http://172.20.128.89:2379
    - https://172.16.20.12:2379
  # -- if etcd.enabled is false, user for external etcd. Set empty to disable authentication
  user: root
  # -- if etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
  # -- if etcd.enabled is false and externalEtcd.existingSecret is not empty, the password should store in the corresponding secret
  # -- if etcd.enabled is false and externalEtcd.existingSecret is empty, externalEtcd.password is the password for external etcd.
  password: ""
  # -- if externalEtcd.existingSecret is the name of secret containing the external etcd password
  existingSecret: "apisix-etcd-secret"
  # -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
  secretPasswordKey: "etcd-root-password"

# -- etcd configuration
# use the FQDN address or the IP of the etcd
etcd:
  # -- install etcd(v3) by default, set false if do not want to install etcd(v3) together
  enabled: false
  # -- apisix configurations prefix
  prefix: "/apisix"
  # -- Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster
  timeout: 30
  # -- if etcd.enabled is true, set more values of bitnami/etcd helm chart
  auth:
    rbac:
      # -- No authentication by default. Switch to enable RBAC authentication
      create: true
      # -- root password for etcd. Requires etcd.auth.rbac.create to be true.
      rootPassword: "xxxxxx"
    tls:
      # -- enable etcd client certificate
      enabled: true
      # -- name of the secret contains etcd client cert
      existingSecret: "etcd-tls"
      # -- etcd client cert filename using in etcd.auth.tls.existingSecret
      certFilename: "tls.crt"
      # -- etcd client cert key filename using in etcd.auth.tls.existingSecret
      certKeyFilename: "tls.key"
      # -- whether to verify the etcd endpoint certificate when setup a TLS connection to etcd
      verify: true
      # -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset.
      sni: ""
```
After installing apisix:
```
# kubectl -n apisix logs apisix-c5967d8cd-n8h8h
/usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua init
/usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
request etcd endpoint 'https://172.16.20.12:2379/version' error, certificate verify failed
all etcd nodes are unavailable
Warning! Request etcd endpoint 'https://172.16.20.12:2379/version' error, certificate verify failed, retry time=1
Warning! Request etcd endpoint 'https://172.16.20.12:2379/version' error, certificate verify failed, retry time=2
```
It still reports an error.