[TOC] 配置頒發者后，您就可以頒發證書了！ 通過 cert-manager 請求證書有多種用例和方法： - Certificate Resources: 請求簽名證書的最簡單且最常見的方法。 - Securing Ingress Resources: 一種保護集群中入口資源的方法。 - Securing OpenFaaS functions: 使用 cert-manager 保護您的 OpenFaaS 服務。 - Integration with Garden: Garden 是一個用于開發 Kubernetes 應用程序的開發人員工具，它對集成證書管理器具有一流的支持。 - Securing Knative: 使用受信任的 HTTPS 證書保護您的 Knative 服務。 - Enable mTLS on Pods with CSI: 使用 cert-manager CSI 驅動程序提供共享 Pod 生命周期的唯一密鑰和證書。 - Securing Istio Gateway: 使用 cert-manager 保護 Kubernetes 中的 Istio 網關。 - Securing Istio Service Mesh: 使用 cert-manager Istio 集成，通過 cert-manager 托管證書保護每個 pod 的 mTLS PKI。 - Policy for cert-manager certificates: 通過自定義資源定義的策略管理可以簽署或拒絕哪些證書管理器證書。 這里只有示例兩種方法，分別是 `Certificate Resources`, `Ingress Resources` 方法 # Certificate Resources 1. 創建證書 ```shell cat <<'EOF' | kubectl apply -f - apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: test-dns-cert namespace: default spec: # secret名稱 secretName: test-dns-cert # X509v3 主題名稱 commonName: ecloud.com subject: countries: - CN provinces: - GuangDong localities: - GuangZhou organizations: - k8s # 私鑰配置 privateKey: rotationPolicy: Always algorithm: ECDSA encoding: PKCS8 size: 256 usages: - server auth - client auth # 證書有效期 # 默認是90天，證書輪換規則有效期的 2/3 或到期前的 renewBefore 期間進行續訂， 以較晚者為準 duration: 8760h # 365d renewBefore: 4320h # 180d # X509v3 主題備用名稱 dnsNames: - "*.ecloud.com" ipAddresses: - "127.0.0.1" # 指定issuer名稱 issuerRef: name: ca-cluster-issuer kind: ClusterIssuer EOF ``` 2. 查看證書 >[info] 觀察 `Issuer`、`Validity`、`Subject` 以及 `X509v3 Subject Alternative Name` 字段 ```shell $ kubectl get secret test-dns-cert -ojsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 41:b7:a7:ed:c6:8d:01:98:71:59:c9:6c:7d:10:eb:b8 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=ecloud-ca Validity Not Before: Sep 8 07:57:28 2023 GMT Not After : Sep 7 07:57:28 2024 GMT Subject: C=CN, ST=GuangDong, L=GuangZhou, O=k8s, CN=ecloud.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:6b:b8:e9:ae:c2:5b:91:ce:54:0a:c6:d6:b6:8e: 9c:d3:68:f8:be:a4:31:9a:61:44:38:dd:50:5d:33: a5:4f:09:d7:74:d5:83:f6:1f:14:27:cc:59:6d:1b: 8d:b9:1c:48:18:0b:a6:ed:c8:5b:79:79:94:42:db: 67:aa:2c:9d:cf ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: keyid:EB:6B:58:6F:39:FB:8E:12:83:35:3D:6C:27:16:C3:EF:D6:88:81:51 X509v3 Subject Alternative Name: DNS:*.ecloud.com, IP Address:127.0.0.1 Signature Algorithm: sha256WithRSAEncryption 08:a8:f2:36:4a:7b:6c:3b:58:f0:d3:e4:b7:4c:e1:cf:58:98: ee:74:af:a6:51:50:d5:02:ab:17:9a:8e:bf:bf:e8:76:95:17: 83:07:72:45:19:6f:59:f4:35:c4:ca:b4:b7:a2:96:d6:58:21: 25:32:45:5b:96:08:93:94:82:33:a9:c6:cb:8f:61:0d:db:d2: c4:17:a5:3c:cd:f1:6b:d3:15:28:92:9f:92:b6:0e:aa:3e:5d: 78:80:74:97:f5:17:0c:3d:96:17:73:7f:7d:8d:f0:82:ff:0f: b8:49:48:b1:be:01:9b:21:84:58:cc:92:1c:74:33:5c:7f:1b: 95:88:96:88:03:71:c9:fe:bf:d8:c7:37:37:83:83:45:8f:32: ba:fb:93:3f:7e:0d:ed:66:11:d2:9e:36:97:b1:f2:9d:91:51: 73:1c:3a:5e:19:2e:da:4d:25:f1:4a:0a:ac:88:26:18:60:65: 0d:21:3a:51:ba:81:8e:46:c9:90:04:96:44:04:76:20:f5:df: 1f:9a:f7:ac:9b:bb:99:5a:7a:5d:65:f0:ce:89:47:01:74:45: 47:23:8a:de:f0:70:ac:e5:2c:bf:23:56:27:f0:d7:41:6d:6e: 19:fb:d9:a4:b6:dd:f0:bc:03:7a:1e:9f:17:11:6a:60:49:cf: da:e8:fe:9d ``` 3. 清理環境 >[info] 刪除ingress會自動刪除certificates，但不會清理secret的證書 ```shell $ kubectl delete certs test-dns-cert $ kubectl delete secret test-dns-cert ``` # Ingress Resources 1. 創建ingress，觸發創建certificates >[info] ingress可用注解請查看 [cert-manager官方文檔](https://cert-manager.io/docs/usage/ingress/#supported-annotations) ```shell cat <<'EOF' | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer" cert-manager.io/common-name: "nginx" cert-manager.io/subject-organizations: "k8s" cert-manager.io/duration: "8760h" cert-manager.io/renew-before: "4320h" name: nginx-test spec: rules: - host: nginx.ecloud.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix tls: - hosts: - nginx.ecloud.com secretName: test-nginx-cert EOF ``` 2. 查看證書 >[info] 觀察 `Issuer`、`Validity`、`Subject` 以及 `X509v3 Subject Alternative Name` 字段 ```shell $ kubectl get secret test-nginx-cert -ojsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 9c:3a:74:c9:04:c8:dd:8e:ff:e8:fe:52:71:75:65:f8 Signature Algorithm: sha256WithRSAEncryption Issuer: O=k8s, CN=nginx Validity Not Before: Sep 8 08:18:08 2023 GMT Not After : Sep 7 08:18:08 2024 GMT Subject: O=k8s, CN=nginx Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bd:c0:fa:4c:d3:14:61:99:14:49:41:5d:2d:6b: b9:15:bd:99:8a:fe:ab:05:50:00:a0:0f:a2:b7:f6: 4b:9a:91:70:05:c4:21:3b:eb:3f:ec:57:06:bd:7f: 52:df:c9:1a:6a:23:b3:d3:7d:c4:a0:36:ea:b3:11: 11:28:3f:29:fc:fb:5a:7e:32:40:a6:79:8b:bb:15: ea:91:98:f2:6d:76:04:c1:48:bf:cb:f9:46:72:64: a4:e1:cb:ea:49:f9:df:af:8d:12:ff:02:d7:af:29: c9:76:c9:6c:78:3a:1b:34:d3:15:f1:51:d7:99:86: 39:4e:b3:b4:06:9b:d0:2f:98:00:e1:76:3a:2f:e4: 02:45:1e:c3:9a:d8:a9:34:a6:d3:88:1d:05:21:a1: 68:24:13:f6:42:1f:66:a6:a1:d8:96:f6:ed:8b:e4: de:04:16:e5:19:ac:98:6f:5e:7a:64:3d:6a:70:d5: f7:9e:d3:df:4e:32:06:c9:a2:23:e1:a3:5f:4f:77: 10:20:f3:f2:db:54:46:54:89:42:7f:79:7d:69:46: 76:b8:07:a6:5b:9b:76:d8:d7:7f:0b:35:1a:d5:08: c3:7b:3b:db:2a:23:4f:ea:75:4a:43:3c:83:59:6f: 0c:1c:ff:fa:cc:b7:d6:25:c6:5b:bb:4b:cd:d0:23: 1d:9b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Alternative Name: DNS:nginx.ecloud.com Signature Algorithm: sha256WithRSAEncryption 76:64:39:98:c2:44:44:8d:32:7a:e5:84:27:14:cc:58:32:39: 30:39:d1:8e:29:05:65:15:99:6e:79:56:18:f5:57:1a:6a:32: f4:09:87:b0:39:e2:8a:87:10:84:c3:ee:89:b8:75:a8:c9:33: 8b:8d:55:a4:c8:8a:8b:65:82:a9:33:b2:ba:a0:50:d6:17:05: 6f:28:67:bc:61:3e:47:7f:29:fd:98:74:13:20:9c:44:b1:30: 9e:f2:36:e7:17:9f:3e:a9:29:d5:d1:c4:f4:46:2a:d6:1c:d9: 6a:5e:cf:c0:5f:04:49:fa:95:a0:40:52:06:af:8b:55:41:0a: fc:0e:57:b6:2d:77:27:8e:79:af:25:66:a3:0f:e6:df:da:96: 6f:77:41:3d:cc:47:49:73:7a:65:5b:4c:2a:19:09:23:b0:53: 99:00:1c:3b:08:ab:55:5e:37:5f:8b:a6:dc:ca:8b:53:3f:b8: fe:2d:7e:87:e4:41:e4:d8:28:e3:fa:34:78:41:56:04:15:c6: f7:2d:00:14:2c:ef:f2:a8:7c:25:04:66:ca:b7:4f:f4:2b:fc: d2:1e:be:dd:67:bd:7e:5e:c2:b6:ae:74:1a:78:fd:30:8b:2c: a6:55:1e:8c:da:c5:71:34:fa:a9:8d:f1:b8:75:b1:54:c5:18: 6e:b3:94:4a ``` 3. 清理環境 >[info] 刪除ingress會自動刪除certificates，但不會清理secret的證書 ```shell $ kubectl delete ingress nginx-test $ kubectl delete secret test-nginx-cert ```