[TOC] # SelfSigned ?? SelfSigned 頒發者本身并不代表證書頒發機構，而是表示證書將使用給定的私鑰“對自己進行簽名”。 換句話說，證書的私鑰將用于對證書本身進行簽名。 >[info] 每個簽的證書，對應的ca都不是同一個。 ```shell cat <<'EOF' | kubectl apply -f - apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: selfsigned-cluster-issuer spec: selfSigned: {} EOF ``` # CA ?? CA 頒發者代表證書頒發機構，其證書和私鑰作為 Kubernetes 存儲在集群內Secret 0. 生成ca證書 ```shell mkdir /tmp/pki && cd /tmp/pki openssl genrsa -out ca.key 2048 cat <<-EOF | sudo tee ca-csr.conf > /dev/null [ req ] default_bits = 2048 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [ dn ] CN = ecloud-ca [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = ecloud-ca [ v3_ext ] keyUsage=Digital Signature, Key Encipherment, Certificate Sign basicConstraints=CA:TRUE subjectKeyIdentifier=hash subjectAltName=@alt_names EOF openssl req -x509 -new -nodes -key ca.key -days 36500 -out ca.crt -config ca-csr.conf -extensions v3_ext ``` 1. 將ca證書保存secret里面 >[danger] secret需要保存在安裝cert-manager程序的命名空間下，這里保存的是 `kube-system` 命名空間，請改成實際安裝的命名空間 ```shell kubectl -n kube-system create secret tls ca-key-pair --cert=/tmp/pki/ca.crt --key=/tmp/pki/ca.key # 確認secret創建情況 kubectl -n kube-system get secret --field-selector type=kubernetes.io/tls ``` 2. 創建clusterissuer ```shell cat <<'EOF' | kubectl apply -f - apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: ca-cluster-issuer spec: ca: secretName: ca-key-pair EOF ```