• cert-manager管理k8s集群证书


    cert-manager 官方文档
    cert-manager github地址

    部署cert-manager

    使用helm安装cert-manager

     kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/00-crds.yaml
    

    创建cert-manager namespace

    kubectl create namespace cert-manager

    标记cert-Manager命名空间以禁用资源验证

    kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
    
    添加 Jetstack Helm repository
    helm repo add jetstack https://charts.jetstack.io
    更新本地Helm chart repository
    helm repo update
    

    使用Helm chart安装cert-manager

    helm install 
      --name cert-manager 
      --namespace cert-manager 
      --version v0.9.0 
      jetstack/cert-manager
    

    查看cert-manager部署结果

    [root@kubeadm-master cert-manager]# kubectl get pods -n cert-manager
    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-7f6c7bd796-689l8              1/1     Running   1          178m
    cert-manager-cainjector-5cd66c9c45-x5dqj   1/1     Running   2          178m
    cert-manager-webhook-7bcfc678f6-zrqkn      1/1     Running   0          178m
    

    创建ClusterIssuer

    我们需要先创建一个签发机构,cert-manager 给我们提供了 Issuer 和 ClusterIssuer 这两种用于创建签发机构的自定义资源对象,Issuer 只能用来签发自己所在 namespace 下的证书,ClusterIssuer 可以签发任意 namespace 下的证书,这里以 Issuer 为例

    生成签名密钥对

    # Generate a CA private key
    $ openssl genrsa -out ca.key 2048
    
    # Create a self signed Certificate, valid for 10yrs with the 'signing' option set
    $ openssl req -x509 -new -nodes -key ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt
    

    将签名密钥对保存为Secret

    kubectl create secret tls ca-key-pair 
       --cert=ca.crt 
       --key=ca.key 
       --namespace=default
    

    创建一个签发机构:

    [root@kubeadm-master cert-manager]# cat issuer.yaml 
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Issuer
    metadata:
      name: ca-issuer
    spec:
      ca:
        secretName: ca-key-pair
    
    [root@kubeadm-master cert-manager]# kubectl apply -f issuer.yaml
    
    

    创建Certificate

    有了签发机构,接下来我们就可以生成免费证书了,cert-manager 给我们提供了 Certificate 这个用于生成证书的自定义资源对象,它必须局限在某一个 namespace 下,证书最终会在这个 namespace 下以 Secret 的资源对象存储,创建一个 Certificate 对象:

    [root@kubeadm-master cert-manager]# cat local-nginx.yaml 
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: example-com
      namespace: default
    spec:
      secretName: example-com-tls
      issuerRef:
        name: ca-issuer
        kind: Issuer
      commonName: ning.com
      organization:
      - CA
      dnsNames:
      - ning.com
      - nginx.ning.com
    [root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml 
    

    测试Ingress使用https

    创建一个nginx

    [root@kubeadm-master cert-manager]# cat nginx.yaml 
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: my-nginx
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            run: my-nginx
        spec:
          containers:
          - name: my-nginx
            image: nginx
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: my-nginx
      labels:
        app: my-nginx
    spec:
      ports:
      - port: 80
        protocol: TCP
        name: http
      selector:
        run: my-nginx
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: my-nginx
      annotations:
        kubernetes.io/ingress.class: "nginx"
        kubernetes.io/tls-acme: "true"
        certmanager.k8s.io/issuer: "ca-issuer"
    spec:
      rules:
      - host: nginx.ning.com
        http:
          paths:
          - backend:
              serviceName: my-nginx
              servicePort: 80
            path: /
      tls:
      - secretName: nginx-secret
        hosts:
        - nginx.ning.com
    
    [root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml 
    

    最后,我们来打开浏览器使用https访问服务

  • 相关阅读:
    7.9学习日志
    7.8学习日志
    7.7学习日志
    未命名 1
    未命名 1
    未命名 1
    【转】搭建Mac OS X下cocos2d-x的Android开发环境
    【转】如何高效利用GitHub——2013-08-28 22
    【转】GitHub删除一个仓库——2013-08-27 21
    【转】Cocos2d-x 2.x CCSprite 灰白图的生成(利用shader设置)——2013-08-27 21
  • 原文地址:https://www.cnblogs.com/blackmood/p/11425366.html
Copyright © 2020-2023  润新知