Once an issuer is configured, you can issue certificates.
There are several use cases and ways of requesting certificates through cert-manager:
- Certificate Resources: the simplest and most common way to request a signed certificate.
- Securing Ingress Resources: a way to secure the Ingress resources in a cluster.
- Securing OpenFaaS functions: secure your OpenFaaS services with cert-manager.
- Integration with Garden: Garden is a developer tool for building Kubernetes applications and has first-class support for integrating with cert-manager.
- Securing Knative: secure your Knative services with trusted HTTPS certificates.
- Enable mTLS on Pods with CSI: use the cert-manager CSI driver to provide unique keys and certificates that share the Pod's lifecycle.
- Securing Istio Gateway: secure the Istio gateway in Kubernetes with cert-manager.
- Securing Istio Service Mesh: use the cert-manager Istio integration to secure the per-pod mTLS PKI with cert-manager managed certificates.
- Policy for cert-manager certificates: manage which cert-manager certificates may be signed or rejected through policies defined as custom resources.
Only two of these methods are demonstrated here: `Certificate Resources` and `Ingress Resources`.
# Certificate Resources
1. Create the certificate
```shell
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-dns-cert
  namespace: default
spec:
  # name of the Secret that will hold the key pair
  secretName: test-dns-cert
  # X509v3 subject name
  commonName: ecloud.com
  subject:
    countries:
      - CN
    provinces:
      - GuangDong
    localities:
      - GuangZhou
    organizations:
      - k8s
  # private key settings
  privateKey:
    rotationPolicy: Always
    algorithm: ECDSA
    encoding: PKCS8
    size: 256
  usages:
    - server auth
    - client auth
  # certificate validity
  # default is 90 days; renewal happens at 2/3 of the validity period or within renewBefore of expiry, whichever is later
  duration: 8760h # 365d
  renewBefore: 4320h # 180d
  # X509v3 subject alternative names
  dnsNames:
    - "*.ecloud.com"
  ipAddresses:
    - "127.0.0.1"
  # name of the issuer to use
  issuerRef:
    name: ca-cluster-issuer
    kind: ClusterIssuer
EOF
```
2. Inspect the certificate
>[info] Check the `Issuer`, `Validity`, `Subject` and `X509v3 Subject Alternative Name` fields
```shell
$ kubectl get secret test-dns-cert -ojsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            41:b7:a7:ed:c6:8d:01:98:71:59:c9:6c:7d:10:eb:b8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ecloud-ca
        Validity
            Not Before: Sep 8 07:57:28 2023 GMT
            Not After : Sep 7 07:57:28 2024 GMT
        Subject: C=CN, ST=GuangDong, L=GuangZhou, O=k8s, CN=ecloud.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:6b:b8:e9:ae:c2:5b:91:ce:54:0a:c6:d6:b6:8e:
                    9c:d3:68:f8:be:a4:31:9a:61:44:38:dd:50:5d:33:
                    a5:4f:09:d7:74:d5:83:f6:1f:14:27:cc:59:6d:1b:
                    8d:b9:1c:48:18:0b:a6:ed:c8:5b:79:79:94:42:db:
                    67:aa:2c:9d:cf
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:EB:6B:58:6F:39:FB:8E:12:83:35:3D:6C:27:16:C3:EF:D6:88:81:51
            X509v3 Subject Alternative Name:
                DNS:*.ecloud.com, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         08:a8:f2:36:4a:7b:6c:3b:58:f0:d3:e4:b7:4c:e1:cf:58:98:
         ee:74:af:a6:51:50:d5:02:ab:17:9a:8e:bf:bf:e8:76:95:17:
         83:07:72:45:19:6f:59:f4:35:c4:ca:b4:b7:a2:96:d6:58:21:
         25:32:45:5b:96:08:93:94:82:33:a9:c6:cb:8f:61:0d:db:d2:
         c4:17:a5:3c:cd:f1:6b:d3:15:28:92:9f:92:b6:0e:aa:3e:5d:
         78:80:74:97:f5:17:0c:3d:96:17:73:7f:7d:8d:f0:82:ff:0f:
         b8:49:48:b1:be:01:9b:21:84:58:cc:92:1c:74:33:5c:7f:1b:
         95:88:96:88:03:71:c9:fe:bf:d8:c7:37:37:83:83:45:8f:32:
         ba:fb:93:3f:7e:0d:ed:66:11:d2:9e:36:97:b1:f2:9d:91:51:
         73:1c:3a:5e:19:2e:da:4d:25:f1:4a:0a:ac:88:26:18:60:65:
         0d:21:3a:51:ba:81:8e:46:c9:90:04:96:44:04:76:20:f5:df:
         1f:9a:f7:ac:9b:bb:99:5a:7a:5d:65:f0:ce:89:47:01:74:45:
         47:23:8a:de:f0:70:ac:e5:2c:bf:23:56:27:f0:d7:41:6d:6e:
         19:fb:d9:a4:b6:dd:f0:bc:03:7a:1e:9f:17:11:6a:60:49:cf:
         da:e8:fe:9d
```
3. Clean up
>[info] Deleting the ingress automatically deletes the certificate, but the Secret holding the certificate is not cleaned up
```shell
$ kubectl delete certs test-dns-cert
$ kubectl delete secret test-dns-cert
```
# Ingress Resources
1. Create the ingress, which triggers creation of the certificate
>[info] For the annotations available on an ingress, see the [cert-manager documentation](https://cert-manager.io/docs/usage/ingress/#supported-annotations)
```shell
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
    cert-manager.io/common-name: "nginx"
    cert-manager.io/subject-organizations: "k8s"
    cert-manager.io/duration: "8760h"
    cert-manager.io/renew-before: "4320h"
  name: nginx-test
spec:
  rules:
    - host: nginx.ecloud.com
      http:
        paths:
          - backend:
              service:
                name: nginx
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - nginx.ecloud.com
      secretName: test-nginx-cert
EOF
```
2. Inspect the certificate
>[info] Check the `Issuer`, `Validity`, `Subject` and `X509v3 Subject Alternative Name` fields
```shell
$ kubectl get secret test-nginx-cert -ojsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9c:3a:74:c9:04:c8:dd:8e:ff:e8:fe:52:71:75:65:f8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=k8s, CN=nginx
        Validity
            Not Before: Sep 8 08:18:08 2023 GMT
            Not After : Sep 7 08:18:08 2024 GMT
        Subject: O=k8s, CN=nginx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:c0:fa:4c:d3:14:61:99:14:49:41:5d:2d:6b:
                    b9:15:bd:99:8a:fe:ab:05:50:00:a0:0f:a2:b7:f6:
                    4b:9a:91:70:05:c4:21:3b:eb:3f:ec:57:06:bd:7f:
                    52:df:c9:1a:6a:23:b3:d3:7d:c4:a0:36:ea:b3:11:
                    11:28:3f:29:fc:fb:5a:7e:32:40:a6:79:8b:bb:15:
                    ea:91:98:f2:6d:76:04:c1:48:bf:cb:f9:46:72:64:
                    a4:e1:cb:ea:49:f9:df:af:8d:12:ff:02:d7:af:29:
                    c9:76:c9:6c:78:3a:1b:34:d3:15:f1:51:d7:99:86:
                    39:4e:b3:b4:06:9b:d0:2f:98:00:e1:76:3a:2f:e4:
                    02:45:1e:c3:9a:d8:a9:34:a6:d3:88:1d:05:21:a1:
                    68:24:13:f6:42:1f:66:a6:a1:d8:96:f6:ed:8b:e4:
                    de:04:16:e5:19:ac:98:6f:5e:7a:64:3d:6a:70:d5:
                    f7:9e:d3:df:4e:32:06:c9:a2:23:e1:a3:5f:4f:77:
                    10:20:f3:f2:db:54:46:54:89:42:7f:79:7d:69:46:
                    76:b8:07:a6:5b:9b:76:d8:d7:7f:0b:35:1a:d5:08:
                    c3:7b:3b:db:2a:23:4f:ea:75:4a:43:3c:83:59:6f:
                    0c:1c:ff:fa:cc:b7:d6:25:c6:5b:bb:4b:cd:d0:23:
                    1d:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:nginx.ecloud.com
    Signature Algorithm: sha256WithRSAEncryption
         76:64:39:98:c2:44:44:8d:32:7a:e5:84:27:14:cc:58:32:39:
         30:39:d1:8e:29:05:65:15:99:6e:79:56:18:f5:57:1a:6a:32:
         f4:09:87:b0:39:e2:8a:87:10:84:c3:ee:89:b8:75:a8:c9:33:
         8b:8d:55:a4:c8:8a:8b:65:82:a9:33:b2:ba:a0:50:d6:17:05:
         6f:28:67:bc:61:3e:47:7f:29:fd:98:74:13:20:9c:44:b1:30:
         9e:f2:36:e7:17:9f:3e:a9:29:d5:d1:c4:f4:46:2a:d6:1c:d9:
         6a:5e:cf:c0:5f:04:49:fa:95:a0:40:52:06:af:8b:55:41:0a:
         fc:0e:57:b6:2d:77:27:8e:79:af:25:66:a3:0f:e6:df:da:96:
         6f:77:41:3d:cc:47:49:73:7a:65:5b:4c:2a:19:09:23:b0:53:
         99:00:1c:3b:08:ab:55:5e:37:5f:8b:a6:dc:ca:8b:53:3f:b8:
         fe:2d:7e:87:e4:41:e4:d8:28:e3:fa:34:78:41:56:04:15:c6:
         f7:2d:00:14:2c:ef:f2:a8:7c:25:04:66:ca:b7:4f:f4:2b:fc:
         d2:1e:be:dd:67:bd:7e:5e:c2:b6:ae:74:1a:78:fd:30:8b:2c:
         a6:55:1e:8c:da:c5:71:34:fa:a9:8d:f1:b8:75:b1:54:c5:18:
         6e:b3:94:4a
```
3. Clean up
>[info] Deleting the ingress automatically deletes the certificate, but the Secret holding the certificate is not cleaned up
```shell
$ kubectl delete ingress nginx-test
$ kubectl delete secret test-nginx-cert
```
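Step 2 of both sections says which fields of the `openssl x509 -text` dump to look at. As an added example (not code from this page or from the cert-manager project), the script below parses that dump and checks the issued certificate against what was requested: issuer different from subject, every expected hostname covered by a DNS SAN using RFC 6125 wildcard matching (clients ignore the CN, so `CN=ecloud.com` with only `DNS:*.ecloud.com` does not cover `ecloud.com` itself), the requested extended key usages present, `CA:FALSE`, and enough validity left. The embedded dumps are the two outputs above trimmed to the relevant lines; the function names, the findings wording and the 30-day threshold are this example's own choices.

```python
"""Parse `openssl x509 -text -noout` output and check the issued certificate
against what the Certificate resource / Ingress annotations asked for.
Added example; not code from the original page or from cert-manager."""
from datetime import datetime, timezone

# Constructed samples: the relevant lines of the two openssl dumps shown above
# (hex blobs omitted); values are copied from the page, not regenerated.
CERT_RESOURCE_DUMP = """\
Certificate:
    Data:
        Issuer: CN=ecloud-ca
        Validity
            Not Before: Sep  8 07:57:28 2023 GMT
            Not After : Sep  7 07:57:28 2024 GMT
        Subject: C=CN, ST=GuangDong, L=GuangZhou, O=k8s, CN=ecloud.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:*.ecloud.com, IP Address:127.0.0.1
"""
INGRESS_DUMP = """\
Certificate:
    Data:
        Issuer: O=k8s, CN=nginx
        Validity
            Not Before: Sep  8 08:18:08 2023 GMT
            Not After : Sep  7 08:18:08 2024 GMT
        Subject: O=k8s, CN=nginx
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:nginx.ecloud.com
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's default notBefore/notAfter layout


def _parse_date(text):
    # collapse openssl's day padding ("Sep  8") before parsing
    return datetime.strptime(" ".join(text.split()), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_openssl_text(dump):
    """Extract issuer, subject, validity window and the extensions we care about."""
    info = {"issuer": None, "subject": None, "not_before": None, "not_after": None,
            "sans": [], "eku": [], "key_usage": [], "is_ca": None}
    # extensions print their value on the line after the header
    pending = None
    for line in (raw.strip() for raw in dump.splitlines()):
        if pending:
            values = [v.strip() for v in line.split(",")]
            if pending == "san":
                info["sans"] = values
            elif pending == "eku":
                info["eku"] = values
            elif pending == "ku":
                info["key_usage"] = values
            elif pending == "bc":
                info["is_ca"] = line.upper() == "CA:TRUE"
            pending = None
        elif line.startswith("Issuer:"):
            info["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:"):
            info["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Not Before"):
            info["not_before"] = _parse_date(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            info["not_after"] = _parse_date(line.split(":", 1)[1])
        elif line.startswith("X509v3 Subject Alternative Name"):
            pending = "san"
        elif line.startswith("X509v3 Extended Key Usage"):
            pending = "eku"
        elif line.startswith("X509v3 Key Usage"):
            pending = "ku"
        elif line.startswith("X509v3 Basic Constraints"):
            pending = "bc"
    return info


def host_covered(sans, host):
    """RFC 6125 style: exact DNS SAN, or a single-label wildcard in the leftmost label only."""
    host = host.lower().rstrip(".")
    for san in sans:
        if not san.startswith("DNS:"):
            continue
        pattern = san[4:].lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.count(".") == pattern.count(".") \
                and host.endswith(pattern[1:]):
            return True
    return False


def check_issued_cert(info, expected_hosts, expected_eku, now, min_days_left=30):
    """Return a list of findings; an empty list means the certificate matches expectations."""
    findings = []
    if info["issuer"] == info["subject"]:
        findings.append("self-signed: issuer equals subject, clients will not trust it")
    if info["is_ca"]:
        findings.append("CA:TRUE set on a leaf certificate")
    for host in expected_hosts:
        if not host_covered(info["sans"], host):
            findings.append(f"host not covered by a DNS SAN (CN is ignored by clients): {host}")
    for usage in expected_eku:
        if usage not in info["eku"]:
            findings.append(f"missing extended key usage: {usage}")
    if not (info["not_before"] <= now < info["not_after"]):
        findings.append("certificate is not valid at the check time")
    else:
        days_left = (info["not_after"] - now).days
        if days_left < min_days_left:
            findings.append(f"expires in {days_left} days")
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, dump, hosts in (("test-dns-cert", CERT_RESOURCE_DUMP, ["api.ecloud.com", "ecloud.com"]),
                              ("test-nginx-cert", INGRESS_DUMP, ["nginx.ecloud.com"])):
        result = check_issued_cert(parse_openssl_text(dump), hosts,
                                   ["TLS Web Server Authentication"], now)
        print(name, "OK" if not result else result)
```

Against a live cluster, pipe the same `kubectl get secret ... | base64 -d | openssl x509 -text -noout` output into `parse_openssl_text`. On the page's own dumps the Ingress certificate is flagged twice: the self-signed ClusterIssuer yields a certificate whose issuer equals its subject, and the dump carries only a Key Usage extension and no Extended Key Usage, unlike the Certificate resource that listed `server auth` and `client auth` under `usages`.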