Intro: a rough record of installing Cert-Manager with Helm, following a tutorial video.

Cert-Manager manages TLS certificates

What it does: manages certificates. It can generate self-signed certificates, obtain certificates from a certificate authority, and renew certificates shortly before they expire.

Installing Cert-Manager

kubectl create ns cert-manager
# skip resource validation for the cert-manager namespace
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
# install the CRDs  https://github.com/jetstack/cert-manager/blob/release-0.9/deploy/manifests/00-crds.yaml
kubectl apply -f 00-crds.yaml
# the chart comes from the jetstack Helm repository (repo setup added here; the original notes omit it)
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager -n cert-manager --version v0.9.1

Deploying the Alibaba DNS webhook; cert-manager uses it to complete DNS validation

Create a custom policy (Alibaba Cloud)

Then attach the custom policy you just created to the user

Create the Secret

# the value is a placeholder: use the accessKeySecret of the Alibaba Cloud user
kubectl -n cert-manager create secret generic alidns-credentials --from-literal=accessKeySecret='<Alibaba Cloud accessKeySecret>'

Create the RBAC permissions so the webhook can read the Secret

cert-manager-webhook-alidns-secret-reader.yaml

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-alidns:secret-reader
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    resourceNames:
      - 'alidns-credentials'
    verbs:
      - 'get'
      - 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-alidns:secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-alidns:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-alidns
    namespace: cert-manager

kubectl apply -f cert-manager-webhook-alidns-secret-reader.yaml
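The ClusterRole above is the security-relevant part of this setup: the webhook may read only the one Secret it needs, with only get/watch. The following is an added example, not code from the original notes or from cert-manager, that audits a role of this shape for over-grants; the manifest is embedded as Python dicts with the same content as the YAML, and the loose role is a constructed counter-example.

```python
# Added example, not part of the original notes: a small least-privilege audit of the
# secret-reader ClusterRole above. Runs without a YAML library or a cluster.

ALLOWED_VERBS = {"get", "watch"}                  # all a credential reader needs
UNRESTRICTABLE = {"create", "deletecollection"}   # resourceNames never limits these
SELECTOR_ONLY = {"list", "watch"}                 # limited only if the client sends a metadata.name field selector

# Same content as cert-manager-webhook-alidns-secret-reader.yaml
SECRET_READER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-webhook-alidns:secret-reader"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["alidns-credentials"], "verbs": ["get", "watch"]}],
}

# Constructed counter-example: a "convenient" role that can read every secret
LOOSE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "loose-secret-reader"},
    "rules": [{"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["get", "list"]}],
}


def audit_secret_role(role):
    """Return findings for rules that touch Secrets. Entries starting with 'note:' are
    caveats a correctly scoped role still carries; anything else is a real over-grant."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])
        # Secrets live in the core API group, written as "" (or matched by "*")
        if not (groups & {"", "*"} and resources & {"secrets", "*"}):
            continue
        if "*" in verbs:
            findings.append(f"rule {i}: wildcard verb allows every operation on secrets")
        if not names:
            findings.append(f"rule {i}: no resourceNames, so every secret in scope is readable")
        if verbs & UNRESTRICTABLE:
            findings.append(f"rule {i}: {sorted(verbs & UNRESTRICTABLE)} cannot be limited by resourceNames")
        extra = verbs - ALLOWED_VERBS - {"*"}
        if extra:
            findings.append(f"rule {i}: verbs {sorted(extra)} go beyond get/watch")
        if names and verbs & SELECTOR_ONLY:
            findings.append(f"note: rule {i}: {sorted(verbs & SELECTOR_ONLY)} honours resourceNames "
                            "only when the client adds a metadata.name field selector")
    if role.get("kind") == "ClusterRole":
        findings.append("note: ClusterRole bound with a ClusterRoleBinding: resourceNames does not limit "
                        "namespaces, so a secret with this name in any namespace is readable; "
                        "a Role plus RoleBinding in cert-manager would be tighter")
    return findings
```

Run `audit_secret_role(SECRET_READER_ROLE)` to see only the two notes, and `audit_secret_role(LOOSE_ROLE)` to see the missing resourceNames and the extra list verb flagged.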

Installing the webhook

# the last argument is the local chart directory from the cert-manager-webhook-alidns checkout
helm install cert-manager-webhook-alidns -n cert-manager cert-manager-webhook-alidns/deploy/webhook-alidns

Defining the Issuer

./config/cert-manager/letsencrypt-clusterissuer-prod.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: shidongliang@me.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsNames:
        - '*.hipstershop.cn'
      dns01:
        webhook:
          config:
            accessKeyId: LTAI4FsNjCkUidDwNTZ1xxxxxr
            accessKeySecretRef:
              key: accessKeySecret
              name: alidns-credentials
            regionId: "cn-beijing"
            ttl: 600
          groupName: acme.hipstershop.cn
          solverName: alidns

kubectl apply -f ./config/cert-manager/letsencrypt-clusterissuer-prod.yaml

Requesting a certificate through a Certificate resource: ./config/cert-manager/certificate.yaml

---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-hipstershop-cn
spec:
  secretName: wildcard-hipstershop-cn-tls
  renewBefore: 240h
  dnsNames:
  - '*.hipstershop.cn'
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

kubectl apply -f ./config/cert-manager/certificate.yaml
kubectl get secret

Using the TLS certificate through an Ingress

Requesting the TLS certificate directly from the Ingress

echo-nginx-ingress-letsencrypt.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-nginx-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # the issuer to use
spec:
  tls:
  - hosts:
    - '*.hipstershop.cn'
    secretName: letsencrypt-prod
  rules:
  - host: echo.hipstershop.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: echo
          servicePort: 80

Apply the updated Ingress

kubectl apply -f echo-nginx-ingress-letsencrypt.yaml
kubectl get ingress
kubectl describe ingress echo-nginx-ingress

Check the Order created for the certificate

kubectl get order
kubectl describe order wildcard-hipstershop-cn-xxxxx

Check the Challenge

# watch while the certificate is being issued; challenges are deleted automatically once they complete
kubectl get challenge -w
