cert-manager 官方文档
cert-manager github地址
部署cert-manager
使用helm安装cert-manager
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/00-crds.yaml
创建cert-manager namespace
kubectl create namespace cert-manager
标记cert-Manager命名空间以禁用资源验证
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
添加 Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
更新本地Helm chart repository
helm repo update
使用Helm chart安装cert-manager
helm install
--name cert-manager
--namespace cert-manager
--version v0.9.0
jetstack/cert-manager
查看cert-manager部署结果
[root@kubeadm-master cert-manager]# kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-7f6c7bd796-689l8 1/1 Running 1 178m
cert-manager-cainjector-5cd66c9c45-x5dqj 1/1 Running 2 178m
cert-manager-webhook-7bcfc678f6-zrqkn 1/1 Running 0 178m
创建ClusterIssuer
我们需要先创建一个签发机构,cert-manager 给我们提供了 Issuer 和 ClusterIssuer 这两种用于创建签发机构的自定义资源对象,Issuer 只能用来签发自己所在 namespace 下的证书,ClusterIssuer 可以签发任意 namespace 下的证书,这里以 Issuer 为例
生成签名密钥对
# Generate a CA private key
$ openssl genrsa -out ca.key 2048
# Create a self signed Certificate, valid for 10yrs with the 'signing' option set
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt
将签名密钥对保存为Secret
kubectl create secret tls ca-key-pair
--cert=ca.crt
--key=ca.key
--namespace=default
创建一个签发机构:
[root@kubeadm-master cert-manager]# cat issuer.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: ca-issuer
spec:
ca:
secretName: ca-key-pair
[root@kubeadm-master cert-manager]# kubectl apply -f issuer.yaml
创建Certificate
有了签发机构,接下来我们就可以生成免费证书了,cert-manager 给我们提供了 Certificate 这个用于生成证书的自定义资源对象,它必须局限在某一个 namespace 下,证书最终会在这个 namespace 下以 Secret 的资源对象存储,创建一个 Certificate 对象:
[root@kubeadm-master cert-manager]# cat local-nginx.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
issuerRef:
name: ca-issuer
kind: Issuer
commonName: ning.com
organization:
- CA
dnsNames:
- ning.com
- nginx.ning.com
[root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml
测试Ingress使用https
创建一个nginx
[root@kubeadm-master cert-manager]# cat nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: my-nginx
spec:
replicas: 1
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
image: nginx
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: my-nginx
labels:
app: my-nginx
spec:
ports:
- port: 80
protocol: TCP
name: http
selector:
run: my-nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-nginx
annotations:
kubernetes.io/ingress.class: "nginx"
kubernetes.io/tls-acme: "true"
certmanager.k8s.io/issuer: "ca-issuer"
spec:
rules:
- host: nginx.ning.com
http:
paths:
- backend:
serviceName: my-nginx
servicePort: 80
path: /
tls:
- secretName: nginx-secret
hosts:
- nginx.ning.com
[root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml
最后,我们来打开浏览器使用https访问服务