cert-manager - TLS certificate management tool for Kubernetes clusters
cert-manager website
cert-manager GitHub
cert-manager docs
cert-manager is a powerful and extensible X.509 certificate controller for Kubernetes and OpenShift workloads.
- It obtains certificates from a variety of issuers (including Let's Encrypt, HashiCorp Vault, Venafi and private PKI), ensures the certificates are valid and up to date, and attempts to renew them at a configured time before expiry.
- With cert-manager's Certificate resource, the private key and certificate are stored in a Kubernetes Secret, which is mounted by an application Pod or used by an Ingress controller.
- With csi-driver, csi-driver-spiffe or istio-csr, the private key is generated on demand before the application starts; the private key never leaves the node and is never stored in a Kubernetes Secret.
cert-manager was donated to the CNCF in 2020.
Install the CRDs
https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.crds.yaml
Check whether the CRDs are already present:
k get crds | grep cert-manager
If they are not, install them:
k apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.crds.yaml
Install cert-manager
https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
k apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
The YAML installs quite a lot of RBAC objects:
namespace/cert-manager created
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-cluster-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
After a couple of minutes, check that all the services are up; how long this takes mostly depends on the network and how fast the images are pulled. The default namespace is cert-manager.
k get pod -n cert-manager
Three pods in total are started:
NAME READY STATUS RESTARTS AGE
cert-manager-cainjector-5fd6444f95-26lj6 1/1 Running 0 2m5s
cert-manager-d894bbbd4-p54cz 1/1 Running 0 2m5s
cert-manager-webhook-869674f96f-bjff6 1/1 Running 0 2m5s
Create the certificates
cat <<EOF | k create -f -
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-nginx-root-cert
  namespace: ingress-nginx
spec:
  # name of the Secret the generated certificate is written to
  secretName: ingress-nginx-root-cert
  # certificate validity period
  duration: "87660h"
  # issuer details; refers to the Issuer object below
  issuerRef:
    name: ingress-nginx-self-signed-issuer
  commonName: "ca.webhook.ingress-nginx"
  # whether this is a CA certificate
  isCA: true
  subject:
    organizations:
      - ingress-nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
spec:
  secretName: ingress-nginx-admission
  duration: "87660h"
  # issued by the CA issuer below, i.e. signed by the root certificate above
  issuerRef:
    name: ingress-nginx-root-issuer
  # SANs under which the admission webhook Service is reached inside the cluster
  dnsNames:
    - ingress-nginx-controller-admission
    - ingress-nginx-controller-admission.ingress-nginx
    - ingress-nginx-controller-admission.ingress-nginx.svc
  subject:
    organizations:
      - ingress-nginx-admission
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ingress-nginx-self-signed-issuer
  namespace: ingress-nginx
spec:
  # bootstrap issuer: self-signs the root CA certificate
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ingress-nginx-root-issuer
  namespace: ingress-nginx
spec:
  # CA issuer backed by the key and certificate in the root Secret
  ca:
    secretName: ingress-nginx-root-cert
EOF
Look at the Secrets to see whether creation succeeded:
k get secret -n ingress-nginx
The Secrets created above are now listed:
NAME TYPE DATA AGE
ingress-nginx-admission kubernetes.io/tls 3 1s
ingress-nginx-root-cert kubernetes.io/tls 3 6s
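Two Secrets existing does not yet prove they form a usable chain. The following is an added Go check, not from the original post and not cert-manager's own code: it takes the two tls.crt values of the Secrets above (PEM-decoded and parsed with x509.ParseCertificate), confirms that the root is really a CA, that the admission certificate chains to it and is valid for the webhook Service name, and that the leaf has not silently passed cert-manager's renewal point (by default renewBefore is one third of duration, so renewal happens at two thirds of the lifetime). mintChain is constructed sample data standing in for the real Secrets.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckAdmissionChain runs the checks worth doing once both Secrets exist (their tls.crt values,
// PEM-decoded and parsed with x509.ParseCertificate): the root is really a CA, the admission cert
// chains to it and is valid for the webhook Service name, and the leaf is not past the point where
// cert-manager would have renewed it (2/3 of its lifetime, since renewBefore defaults to 1/3).
func CheckAdmissionChain(root, leaf *x509.Certificate, dnsName string, now time.Time) error {
	if !root.IsCA {
		return errors.New("root tls.crt is not a CA; was isCA: true set on the root Certificate?")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: now}); err != nil {
		return fmt.Errorf("admission tls.crt does not validate for %s: %w", dnsName, err)
	}
	if renewAt := leaf.NotBefore.Add(leaf.NotAfter.Sub(leaf.NotBefore) * 2 / 3); now.After(renewAt) {
		return fmt.Errorf("leaf is past its renewal point %s and was not reissued; inspect the Certificate status", renewAt)
	}
	return nil
}

// mintChain is constructed sample input standing in for the two Secrets: a self-signed CA and a
// leaf carrying the webhook SANs, shaped like the Certificate resources above.
func mintChain(now time.Time) (root, leaf *x509.Certificate) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "ca.webhook.ingress-nginx", Organization: []string{"ingress-nginx"}},
		NotBefore: now, NotAfter: now.Add(87660 * time.Hour), KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caKey.Public(), caKey)
	root, _ = x509.ParseCertificate(caDER)
	svc := "ingress-nginx-controller-admission"
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(87660 * time.Hour),
		Subject:  pkix.Name{Organization: []string{"ingress-nginx-admission"}},
		DNSNames: []string{svc, svc + ".ingress-nginx", svc + ".ingress-nginx.svc"}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, root, leafKey.Public(), caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf
}
```

Against a live cluster, feed CheckAdmissionChain the certificates decoded from `k get secret ingress-nginx-root-cert -n ingress-nginx -o jsonpath='{.data.tls\.crt}' | base64 -d` and the same for ingress-nginx-admission.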