Error attaching trusted_root_certificate to terraform azurerm application gateway

Asked by: toddmacintyre  Asked: 11/9/2023  Updated: 11/10/2023  Views: 52

Question:

I would like to have an Ingress in my k8s cluster pointing at services and pods on my k8s cluster that will serve a TLS certificate signed by a CA that is not well known. To do that, I am trying to add a trusted_root_certificate block to an existing azurerm_application_gateway terraform resource.

However, I am getting the following error:

Error: waiting for update of Application Gateway: (Name "@@@" / Resource Group "@@@"): Code="ApplicationGatewayKeyVaultSecretException" Message="Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/@@@/resourceGroups/@@@/providers/Microsoft.Network/applicationGateways/@@@'. See details below:" Details=[{"code":"ApplicationGatewayTrustedRootCertificateInvalidData","message":"Data for certificate /subscriptions/@@@/resourceGroups/@@@/providers/Microsoft.Network/applicationGateways/@@@/trustedRootCertificates/@@@ is invalid."}]

I have tried the referenced Key Vault certificate in both PEM (private key with certificate chain) and PFX (manually converting the PEM to PFX with openssl).

Here is the terraform, abbreviated for brevity.

locals {
  ca_name = "myca"
}

data "azurerm_key_vault_certificate" "ca" {
  name         = local.ca_name
  key_vault_id = data.azurerm_key_vault.myvault.id
}

resource "azurerm_application_gateway" "http_ingress" {
  sku {
    name     = "WAF_v2"
  }

  backend_http_settings {
    name                                = "https"
    cookie_based_affinity               = "Disabled"
    port                                = 443
    protocol                            = "Https"
    pick_host_name_from_backend_address = true
    trusted_root_certificate_names      = [local.ca_name]
  }

  trusted_root_certificate {
    name                = local.ca_name
    key_vault_secret_id = data.azurerm_key_vault_certificate.ca.versionless_secret_id
  }
}

AzureRM provider

...

    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.78.0"
    }

In the Azure Portal, the following error is displayed for the application gateway:

Last configuration update operation on this Application Gateway failed. This will not impact the functioning of the Application Gateway and it will continue to serve your application traffic. If you intend to change the configuration of the Application Gateway, please try doing the configuration update again.

However, another interesting part is that even though the terraform apply fails, the trusted root certificate is added to the application gateway and to the backend settings.

terraform -v
Terraform v1.4.5
on darwin_arm64

Any ideas?

terraform azure-application-gateway azure-rm certificate-authority
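Added example, not from the original post and not part of the azurerm provider: before storing a certificate in Key Vault for a trusted_root_certificate reference, it is worth checking what the PEM actually contains. The script below counts the certificate blocks in a file, checks that the single certificate is self-signed (subject equals issuer) and carries basicConstraints CA:TRUE, and then emits the Base-64 DER payload. The assumption behind the check is my reading of the Application Gateway trusted root requirement (one root CA certificate, not a chain and not a leaf), not a diagnosis of this poster's specific failure; the certificate names and the `--demo` switch are made up for the example, and the openssl CLI (1.1.1 or newer, for `-addext`) is required.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a PEM file before it is stored in Key Vault as an
# Application Gateway trusted root certificate, then emit the Base-64 DER form.
# Assumption (not from the original post): the secret must hold exactly one
# self-signed CA certificate (subject == issuer, basicConstraints CA:TRUE).
set -u

# Number of PEM certificate blocks in a file (0 if none).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 if the file holds exactly one self-signed CA certificate,
# otherwise print the reason to stderr and return 1.
check_root_cert() {
  local file="$1" n subject issuer bc
  n=$(pem_cert_count "$file")
  if [ "$n" -ne 1 ]; then
    echo "$file: expected exactly one certificate, found $n (upload the root CA only, not a chain)" >&2
    return 1
  fi
  subject=$(openssl x509 -in "$file" -noout -subject)
  issuer=$(openssl x509 -in "$file" -noout -issuer)
  if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
    echo "$file: not self-signed ($subject; $issuer), so it is an intermediate or a leaf" >&2
    return 1
  fi
  # The line after "X509v3 Basic Constraints:" in the text dump, e.g. "CA:TRUE".
  bc=$(openssl x509 -in "$file" -noout -text | sed -n '/Basic Constraints/{n;p;}')
  case "$bc" in
    *CA:TRUE*) return 0 ;;
    *) echo "$file: basicConstraints CA:TRUE missing, not a CA certificate" >&2; return 1 ;;
  esac
}

# DER-encode the certificate and Base-64 it on a single line (a .cer-style payload).
root_cert_b64() {
  openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# Constructed test data: a throwaway private root CA, a leaf it signs, and a
# chain file (leaf + root) like the one the question describes uploading.
make_demo_certs() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Demo Private Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=backend.internal" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
  cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Stand-alone run: check each demo file and show the start of the root payload.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_certs "$tmp"
  for f in root.pem leaf.pem chain.pem; do
    if check_root_cert "$tmp/$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
  done
  root_cert_b64 "$tmp/root.pem" | head -c 40; echo '...'
  rm -rf "$tmp"
fi
```

Run it with `--demo` to see the root accepted and the leaf and the chain rejected; for a real file, `check_root_cert my-ca.pem && root_cert_b64 my-ca.pem` gives the payload. Whatever upload path is used (the poster's later comment shows an `az keyvault secret set ... --encoding base64` invocation), this check tells you whether the thing being stored is a lone root CA or a chain before the gateway validates it.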

Comments

0 upvotes Karl 11/10/2023
All I can say is good luck, and be prepared to deal with more weirdness like this. Our experience with Application Gateway (more specifically, configuring it declaratively with Terraform and the Kubernetes-based Application Gateway Ingress Controller) was so full of frustration that we eventually reverted months of work implementing it and are now back on an open-source stack.

Answer:

0 upvotes Venkat V 11/10/2023 #1
Error: waiting for update of Application Gateway: (Name "@@@" / Resource Group "@@@"): Code="ApplicationGatewayKeyVaultSecretException" Message="Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/@@@/resourceGroups/@@@/providers/Microsoft.Network/applicationGateways/@@@'. See details below:" Details=[{"code":"ApplicationGatewayTrustedRootCertificateInvalidData","message":"Data for certificate /subscriptions/@@@/resourceGroups/@@@/providers/Microsoft.Network/applicationGateways/@@@/trustedRootCertificates/@@@ is invalid."}]

The above error indicates that the data of the certificate is invalid. The key_vault_secret_id attribute in the trusted_root_certificate block should point to a Key Vault secret, not a certificate. Using versionless_secret_id from the azurerm_key_vault_certificate data source to retrieve the certificate may cause the problem.

I used the code below to create the Application Gateway module with trusted_root_certificate:

provider "azurerm" {
  features {}
}
data "azurerm_resource_group" "example" {
  name = "Venkat"
}

data "azurerm_key_vault" "example" {
  name                = "venkatkeyvaulttest"
  resource_group_name = "Venkat"
}

data "azurerm_key_vault_certificate" "ca" {
  name         = "sasmplecertificate"
  key_vault_id = data.azurerm_key_vault.example.id
}

data "azurerm_key_vault_secret" "ca_secret" {
  name         = "venkat"
  key_vault_id = data.azurerm_key_vault.example.id
}
data "azurerm_user_assigned_identity" "example" {
  name                = "venkat"
  resource_group_name = "Venkat"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  address_space       = ["10.254.0.0/16"]
}

resource "azurerm_subnet" "frontend" {
  name                 = "frontend"
  resource_group_name  = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.254.0.0/24"]
}

resource "azurerm_public_ip" "example" {
  name                = "example-pip"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  allocation_method   = "Static"
  sku                 = "Standard"
}
locals {
  backend_address_pool_name      = "${azurerm_virtual_network.example.name}-beap"
  frontend_port_name             = "${azurerm_virtual_network.example.name}-feport"
  frontend_ip_configuration_name = "${azurerm_virtual_network.example.name}-feip"
  http_setting_name              = "${azurerm_virtual_network.example.name}-be-htst"
  listener_name                  = "${azurerm_virtual_network.example.name}-httplstn"
  request_routing_rule_name      = "${azurerm_virtual_network.example.name}-rqrt"
  redirect_configuration_name    = "${azurerm_virtual_network.example.name}-rdrcfg"
}

resource "azurerm_application_gateway" "network" {
  name                = "venkat-appgateway-demo"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = "eastus"

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.frontend.id
  }

  frontend_port {
    name = local.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.example.id
  }

  backend_address_pool {
    name = local.backend_address_pool_name
  }

  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    path                  = "/path1/"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 60
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    priority                   = 9
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.example.id]
  }

  trusted_root_certificate {
    name                = data.azurerm_key_vault_certificate.ca.name
    key_vault_secret_id = data.azurerm_key_vault_certificate.ca.versionless_secret_id
  }
}

After running Terraform apply, the Key Vault certificate is displayed and accessible.

Refer to Application Gateway SSL profile and the Application Gateway module in Terraform.

Comments

0 upvotes toddmacintyre 11/11/2023
Thanks for the reply. I also tried using a secret instead of the certificate, but I am wondering whether I might be uploading it in an incorrect format. ''' -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- '''
0 upvotes toddmacintyre 11/11/2023
Then I am doing: az keyvault secret set --name my-private-ca --vault-name my-key-vault --subscription 12345 --file ~/path-to-cer.cer --encoding base64 and az network application-gateway root-cert create --keyvault-secret $VERSIONLESS_SECRET_ID --name my-private-ca --gateway-name my-gateway --resource-group my-rg --subscription 12345
0 upvotes toddmacintyre 11/11/2023
Even with the az cli I am seeing the invalid data error. Are you able to spot anything in the above that might be incorrect? Thanks again.
0 upvotes Venkat V 11/11/2023
Please check the SSL profile: learn.microsoft.com/en-us/azure/application-gateway/...