cert-manager管理k8s集群证书

cert-manager 官方文档
cert-manager github地址

部署cert-manager

使用helm安装cert-manager

 kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/00-crds.yaml

创建cert-manager namespace

kubectl create namespace cert-manager

标记cert-Manager命名空间以禁用资源验证

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

添加 Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
更新本地Helm chart repository
helm repo update

使用Helm chart安装cert-manager

helm install 
  --name cert-manager 
  --namespace cert-manager 
  --version v0.9.0 
  jetstack/cert-manager

查看cert-manager部署结果

[root@kubeadm-master cert-manager]# kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7f6c7bd796-689l8              1/1     Running   1          178m
cert-manager-cainjector-5cd66c9c45-x5dqj   1/1     Running   2          178m
cert-manager-webhook-7bcfc678f6-zrqkn      1/1     Running   0          178m

创建ClusterIssuer

我们需要先创建一个签发机构，cert-manager 给我们提供了 Issuer 和 ClusterIssuer 这两种用于创建签发机构的自定义资源对象，Issuer 只能用来签发自己所在 namespace 下的证书，ClusterIssuer 可以签发任意 namespace 下的证书，这里以 Issuer 为例

生成签名密钥对

# Generate a CA private key
$ openssl genrsa -out ca.key 2048

# Create a self signed Certificate, valid for 10yrs with the 'signing' option set
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt

将签名密钥对保存为Secret

kubectl create secret tls ca-key-pair 
   --cert=ca.crt 
   --key=ca.key 
   --namespace=default

创建一个签发机构：

[root@kubeadm-master cert-manager]# cat issuer.yaml 
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: ca-key-pair

[root@kubeadm-master cert-manager]# kubectl apply -f issuer.yaml

创建Certificate

有了签发机构，接下来我们就可以生成免费证书了，cert-manager 给我们提供了 Certificate 这个用于生成证书的自定义资源对象，它必须局限在某一个 namespace 下，证书最终会在这个 namespace 下以 Secret 的资源对象存储，创建一个 Certificate 对象：

[root@kubeadm-master cert-manager]# cat local-nginx.yaml 
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: ca-issuer
    kind: Issuer
  commonName: ning.com
  organization:
  - CA
  dnsNames:
  - ning.com
  - nginx.ning.com
[root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml 

测试Ingress使用https

创建一个nginx

[root@kubeadm-master cert-manager]# cat nginx.yaml 
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    app: my-nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    name: http
  selector:
    run: my-nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/issuer: "ca-issuer"
spec:
  rules:
  - host: nginx.ning.com
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
  tls:
  - secretName: nginx-secret
    hosts:
    - nginx.ning.com

[root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml 

最后，我们来打开浏览器使用https访问服务