一、添加cert-manager 仓库
# Add the jetstack Helm repository — it hosts the cert-manager chart (the
# original comment said "kubernetes-dashboard", which is unrelated to this step).
helm repo add jetstack https://charts.jetstack.io
# Refresh the local repo index so the pinned chart version below can be resolved
helm repo update
# List configured repositories to confirm jetstack is present
helm repo list
二、部署cert-manager
#指定变量
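# Deployment variables. The chart version is pinned on purpose: bump it
# deliberately rather than pulling whatever is "latest".
pro=cert-manager
chart_version=v1.7.2
mkdir -p /data/$pro
cd /data/$pro || exit 1
# Pull the cert-manager chart tarball (the original comment said "traefik2";
# it is cert-manager).
helm pull jetstack/$pro --version=$chart_version
# Extract values.yaml from the tarball so it can be customised locally
tar zxvf $pro-$chart_version.tgz --strip-components 1 $pro/values.yaml
# Unquoted heredoc on purpose: $pro / $chart_version are baked into start.sh at
# write time. Backslashes are escaped so the generated script keeps its
# continuation lines and "$0" expansion.
cat > /data/$pro/start.sh << EOF
#!/usr/bin/env bash
set -euo pipefail
# Run relative to this script's directory so the tarball and values.yaml are
# found regardless of the caller's cwd (the original only worked from /data/$pro).
cd "\$(dirname "\$0")"
# --install makes the upgrade idempotent; --wait blocks until the release
# (including the admission webhook) is Ready. --create-namespace was listed
# twice in the original; once is enough.
# installCRDs=true hands the CRDs to Helm: uninstalling this release would then
# delete the CRDs and with them every Certificate/Issuer in the cluster.
helm upgrade --wait --create-namespace --install $pro $pro-$chart_version.tgz \\
  -f values.yaml \\
  -n cert-manager \\
  --set installCRDs=true
EOF
# The original ran
#   kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
# before helm. That label belongs to the pre-v0.11 (certmanager.k8s.io API group)
# install procedure and is not part of the v1.x one; it also failed here anyway,
# because the namespace does not exist until helm creates it. Dropped.
bash /data/$pro/start.sh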
四、配置values.yaml
选择部分配置
# Selected values.yaml override: a single controller replica (the chart default).
replicaCount: 1
五、使用自签证书
#参考:https://cert-manager.io/docs/configuration/selfsigned/
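# Create a self-signed ClusterIssuer. ClusterIssuer is a cluster-scoped resource,
# so the metadata.namespace field in the original was meaningless and is dropped.
# A selfSigned issuer signs every leaf with the leaf's own key: there is no CA
# for clients to trust, so such certificates only work for clients that pin
# that exact leaf. The CA-backed ClusterIssuer later on this page is the
# pattern to use for anything a browser or service must verify.
cat > /data/cert-manager/ca-sign.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  selfSigned: {}
EOF
kubectl apply -f /data/cert-manager/ca-sign.yaml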
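# Request a leaf certificate from the issuer above. The heredoc is quoted so
# nothing in the manifest is subject to shell expansion (the original used an
# unquoted EOF here but a quoted one for the issuer; this makes them consistent).
cat > /data/cert-manager/Certificate.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kids-cn
  namespace: kube-system
spec:
  # Secret of type kubernetes.io/tls that will receive tls.crt / tls.key / ca.crt.
  # An Ingress can only reference a Secret in its own namespace, so any Ingress
  # that uses this certificate must also live in kube-system.
  secretName: kids-cn-tls
  duration: 2160h    # 90 days
  renewBefore: 360h  # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256        # P-256
    # algorithm: RSA
    # encoding: PKCS1
    # size: 2048
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  commonName: kids.cn
  # Subject Alternative Names — this is what clients actually match against
  dnsNames:
    - kids.cn
    - www.kids.cn
    - traefik.kids.cn
  # NOTE(review): a loopback IP SAN is of no use for a certificate served via
  # an Ingress; harmless, but drop it unless something dials 127.0.0.1 directly.
  ipAddresses:
    - 127.0.0.1
EOF
kubectl apply -f /data/cert-manager/Certificate.yaml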
- 验证
# Inspect the Secret cert-manager produced.
# NOTE(review): the sample output below does not match the manifest above —
# alt-names lacks traefik.kids.cn, ip-sans is empty although ipAddresses was
# set, and a 1675-byte tls.key is the size of an RSA-2048 PKCS#1 PEM, not an
# ECDSA P-256 key. It looks like output from an earlier (RSA) run.
kubectl -n kube-system describe secret kids-cn-tls
Name: kids-cn-tls
Namespace: kube-system
Labels: <none>
Annotations: cert-manager.io/alt-names: kids.cn,www.kids.cn
cert-manager.io/certificate-name: kids-cn
cert-manager.io/common-name: kids.cn
cert-manager.io/ip-sans:
cert-manager.io/issuer-group:
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: ca-issuer
cert-manager.io/uri-sans:
Type: kubernetes.io/tls
Data
====
ca.crt: 1078 bytes
tls.crt: 1078 bytes
tls.key: 1675 bytes
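apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cnblogs-ingress
  # An Ingress can only use a TLS Secret from its own namespace. kids-cn-tls was
  # issued into kube-system above; the original manifest set no namespace, so
  # it landed in "default", found no Secret, and ingress-nginx would typically
  # fall back to its self-signed default certificate. Keep the Ingress, the
  # Secret and the backend Service together in one namespace — either this one,
  # or re-issue the Certificate into the application's namespace.
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
    - host: www.kids.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # NOTE(review): presumably the Kubernetes Dashboard metrics
                # scraper. It must exist in this namespace, and exposing it on
                # a public host with no authentication in front is worth
                # reconsidering — confirm this is intended.
                name: dashboard-metrics-scraper
                port:
                  number: 8000
  tls:
    - hosts:
        - www.kids.cn
      secretName: kids-cn-tls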
ingress自动获取cert-manager的ca-issuer
参考:https://cert-manager.io/docs/usage/ingress/
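# Ingress whose certificate is requested automatically by cert-manager's
# ingress-shim (apply it with: kubectl apply -f kibana-ingress.yaml).
cat > kibana-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # cert-manager watches this annotation, creates a Certificate for the hosts
    # in spec.tls signed by the named ClusterIssuer, and stores it in
    # spec.tls[].secretName in this Ingress's namespace.
    cert-manager.io/cluster-issuer: ca-issuer
    # Force HTTP -> HTTPS. ingress-nginx (ingressClassName: nginx) only honours
    # annotations under its own nginx.ingress.kubernetes.io/ prefix; the bare
    # ingress.kubernetes.io/ssl-redirect form used originally is the legacy
    # Traefik v1 spelling and is ignored by ingress-nginx. (ingress-nginx also
    # redirects by default once a TLS block is present, so this is belt and braces.)
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Optional
    # kubernetes.io/tls-acme: "true"
  name: kibana-ingress
  namespace: elasticsearch
spec:
  ingressClassName: nginx
  rules:
    - host: kibana.kids.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kibana
                port:
                  number: 5601
  tls:
    - hosts:
        - kibana.kids.cn
      # Created and renewed by cert-manager; do not pre-create it by hand
      secretName: kibana-kids-cn-tls
EOF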
例子:创建100年有效期CA证书
1)、创建ca-config.json
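# cfssl signing policy.
# NOTE(review): 876000h (100 years) for the CA and 438000h (50 years) for the
# profiles are far beyond any realistic rotation or revocation horizon, and
# some clients cap the leaf validity they accept (Apple platforms reject TLS
# server certificates valid for more than 825 days). Prefer short leaf
# lifetimes and let cert-manager renew; keep the CA long-lived if you must.
# "signing" (x509 digitalSignature) was added to the etcd and node profiles so
# they match "master": ECDHE key exchange, TLS 1.3, and client-side
# CertificateVerify all require a digital signature with the certificate key,
# and strict verifiers reject a cert whose KeyUsage lacks it.
cat > ca-config.json << 'EOF'
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "etcd": {
        "expiry": "438000h",
        "usages": [
          "signing",
          "server auth",
          "client auth",
          "key encipherment"
        ]
      },
      "master": {
        "expiry": "438000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "node": {
        "expiry": "438000h",
        "usages": [
          "signing",
          "server auth",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
EOF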
2)、创建ca-csr.json
# CSR for the root CA itself: RSA-4096 key, 100-year validity (see the note on
# ca-config.json — this is the example's choice, not a recommendation).
# JSON cannot carry comments, so the fields are described here: "CN"/"names"
# form the CA subject; "key" selects the key algorithm and size; "ca.expiry"
# is the CA certificate lifetime.
cat > ca-csr.json << 'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "Digitalgd",
      "OU": "CADP"
    }
  ],
  "ca": {
    "expiry": "876000h"
  }
}
EOF
3)、生成CA证书
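# Generate the self-signed root CA with cfssl (writes ca.pem, ca-key.pem, ca.csr)
cfssl gencert -config=./ca-config.json -initca ca-csr.json | cfssljson -bare ca
# ca-key.pem is the root of trust for everything the ClusterIssuer will sign.
# Keep it owner-readable only, and once the Secret below exists move it to
# offline storage (or delete it) — the in-cluster copy is what cert-manager uses.
chmod 600 ca-key.pem
# Store the CA key pair where the ClusterIssuer looks for it: a ClusterIssuer
# reads its Secret from the cert-manager namespace (the "cluster resource
# namespace"). Anyone who can read Secrets in that namespace effectively holds
# the CA key and can mint certificates for any name — scope RBAC accordingly.
kubectl -n cert-manager create secret tls ca-key-pair --cert=ca.pem --key=ca-key.pem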
4)、使用cert-manager创建ClusterIssuer
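# ClusterIssuer backed by the CA Secret created above. It reuses the name
# ca-issuer and so replaces the selfSigned issuer defined earlier on this page.
# ClusterIssuer is cluster-scoped, so the metadata.namespace field from the
# original is dropped. The apply uses the same absolute path the file was
# written to; the original applied a relative ca-sign.yaml, which only worked
# when the cwd happened to be /data/cert-manager.
cat > /data/cert-manager/ca-sign.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: ca-key-pair  # the Secret created above in the cert-manager namespace
EOF
kubectl apply -f /data/cert-manager/ca-sign.yaml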
5)、使用cert-manager创建Certificate
# Certificate issued by the CA-backed ClusterIssuer. Same name/namespace as the
# earlier Certificate, so this replaces it and cert-manager re-issues the
# Secret with the new key size and lifetime.
cat > Certificate.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kids-cn
  namespace: kube-system
spec:
  secretName: kids-cn-tls  # Secret that receives the issued certificate (same namespace)
  duration: 17520h   # certificate lifetime: 2 years
  renewBefore: 360h  # renew automatically 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 384        # P-384
    # algorithm: RSA
    # encoding: PKCS1
    # size: 2048
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  commonName: kids.cn  # CN
  dnsNames:  # Subject Alternative Names — what clients actually match
    - kids.cn
    - www.kids.cn
    - traefik.kids.cn
  # NOTE(review): a loopback IP SAN is unusual for a certificate served via an
  # Ingress — confirm something really connects to 127.0.0.1 with this cert.
  ipAddresses:
    - 127.0.0.1
EOF
kubectl apply -f Certificate.yaml
6)、查看证书
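# Decode the issued certificate and print it, so Issuer, Validity and the
# X509v3 Subject Alternative Name list can be checked against the Certificate
# spec instead of eyeballing raw PEM. jsonpath + base64 replaces the original
# jq | xargs echo chain, which relied on xargs stripping jq's quotes.
kubectl -n kube-system get secret kids-cn-tls -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -text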