
Managing a cluster's internal self-signed SSL/TLS certificates with cert-manager and HashiCorp Vault

The first half covers the underlying concepts; the second half is the setup actually used in our environment.

The normal flow for a self-signed certificate (diagram not reproduced here):

Certificate flow when the certificate is signed through cert-manager (diagram not reproduced here):

cert-manager resource types and components:
    ClusterIssuer: a cluster-scoped definition of a CA that can sign certificates; cert-manager marks it Ready once it has verified it can reach and authenticate to that CA
    cert-manager controller: handles Certificate requests and generates the Secret corresponding to each certificate
    Certificate: defines a desired X.509 certificate (tls.crt and tls.key), issued by an Issuer or ClusterIssuer, which cert-manager renews and keeps up to date
    cainjector: injects CA bundles into webhook configurations (and APIService/CRD conversion configs) so the Kubernetes API server can verify the webhook's TLS certificate when it connects to it
    webhook: cert-manager extends the Kubernetes API server with a webhook server that provides dynamic admission control (validation, mutation and conversion) for cert-manager resources

  

 

Per the official documentation: https://cert-manager.io/docs/concepts/certificate/#certificate-lifecycle

The lifecycle section explains how a certificate inside Kubernetes is renewed as it approaches expiry; what follows is pasted from the official site.

 

That covers the concepts. Below is the cert-manager plus Vault setup actually used in our environment.

Division of responsibilities:

1. HashiCorp Vault acts as the issuer that signs the certificates.

2. cert-manager, deployed in the Kubernetes cluster, periodically checks each certificate's validity and status and goes to Vault for signing whenever a certificate needs to be issued or renewed.

 

Define the ClusterIssuer (note: a ClusterIssuer is cluster-scoped, so the -n flag below is ignored by kubectl):

vmadmin@jumpbox:~$ kubectl get clusterissuer -n cert-manager
NAME           AGE
vault-issuer   512d

vmadmin@jumpbox:~$ kubectl get clusterissuer vault-issuer -n cert-manager -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"vault-issuer"},"spec":{"vault":{"auth":{"appRole":{"path":"approle","roleId":"64c3666d-7c2c-a689-753a-33891b3dfbd5","secretRef":{"key":"secretId","name":"cert-manager-vault-secret"}},"tokenSecretRef":{"name":""}},"caBundle":"LS0tLSo=","path":"pki_int/sign/12331","server":"https://vault.com.cn:8206"}}} 
  creationTimestamp: "2020-08-25T07:39:20Z"
  generation: 3
  name: vault-issuer
  resourceVersion: "19875"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/vault-issuer
  uid: 90f5e84a-e337-4fcd-9deb-f8811131fb0f
spec:
  vault:
    auth:
      appRole:
        path: approle   # mount path of the AppRole auth method in Vault
        roleId: 64c3666d-7c2c-a689-753a-33891b3dfbd5
        secretRef:      # the secretId is not stored in the spec; it is read from this Secret.
          key: secretId # Because a ClusterIssuer is cluster-scoped, cert-manager looks the Secret up
          name: cert-manager-vault-secret # in its own (cluster resource) namespace, not in the Certificate's namespace
      tokenSecretRef:
        name: ""
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR # base64 PEM of the CA that signed Vault's own TLS certificate; cert-manager verifies the Vault server against it (value truncated here)
    path: pki_int/sign/12331 # <pki mount>/sign/<role>; the policy bound to the AppRole must allow update on this path
    server: https://vault.com.cn:8206 # address of the Vault server. Vault must already be running before cert-manager is deployed: its PKI secrets engine is what actually signs the certificates
status:
  conditions:
  - lastTransitionTime: "2020-08-25T08:14:25Z"
    message: Vault verified
    reason: VaultVerified
    status: "True"
    type: Ready
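To make the ClusterIssuer above concrete, here is an added example (not cert-manager's own code) that re-implements, with only the Python standard library, the exchange a Vault issuer performs for one Certificate: an AppRole login to obtain a token, a signing request to the PKI role's sign endpoint with that token, and assembly of the resulting kubernetes.io/tls Secret. The server address, sign path and roleId are the ones from the ClusterIssuer on this page; the secretId, the CSR, the returned certificates and the fake Vault transport are constructed placeholders so the flow runs offline.

```python
"""Re-implementation (added example, not cert-manager's code) of what a Vault
ClusterIssuer does for one Certificate:

  1. POST role_id + secret_id to auth/<mount>/login and keep the client token
  2. POST the CSR to <pki mount>/sign/<role> with X-Vault-Token set
  3. assemble the kubernetes.io/tls Secret from the response

Server, sign path and role_id are copied from the ClusterIssuer on this page;
secret_id, CSR and certificates below are constructed placeholders."""
import base64
import json
import ssl
import urllib.request

VAULT_SERVER = "https://vault.com.cn:8206"
SIGN_PATH = "pki_int/sign/12331"
ROLE_ID = "64c3666d-7c2c-a689-753a-33891b3dfbd5"
SECRET_ID = "constructed-secret-id"  # the real one is key secretId of Secret cert-manager-vault-secret


class VaultClient:
    def __init__(self, server, ca_bundle_path=None, transport=None):
        self.server = server.rstrip("/")
        self.token = None
        # Counterpart of spec.vault.caBundle: pin Vault's CA instead of trusting the system store.
        self.ctx = ssl.create_default_context(cafile=ca_bundle_path)
        # transport(path, body, token) -> dict; tests inject a fake instead of real HTTP.
        self.transport = transport or self._http_post

    def _http_post(self, path, body, token):
        req = urllib.request.Request(
            f"{self.server}/v1/{path}", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        if token:
            req.add_header("X-Vault-Token", token)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def login_approle(self, role_id, secret_id, mount="approle"):
        """spec.vault.auth.appRole: exchange the role_id/secret_id pair for a client token."""
        resp = self.transport(f"auth/{mount}/login",
                              {"role_id": role_id, "secret_id": secret_id}, None)
        self.token = resp["auth"]["client_token"]
        return self.token

    def sign_csr(self, sign_path, csr_pem, common_name, alt_names, ttl):
        """spec.vault.path: have the PKI role sign the CSR. Vault caps ttl at the role's max_ttl."""
        if not self.token:
            raise RuntimeError("login before signing")
        body = {"csr": csr_pem, "common_name": common_name,
                "alt_names": ",".join(alt_names), "ttl": ttl}
        data = self.transport(sign_path, body, self.token)["data"]
        return {"certificate": data["certificate"], "issuing_ca": data["issuing_ca"],
                "ca_chain": data.get("ca_chain", []), "expiration": data["expiration"]}


def b64(text):
    return base64.b64encode(text.encode()).decode()


def build_tls_secret(name, namespace, cert_pem, key_pem, ca_pem):
    """Shape of the kubernetes.io/tls Secret cert-manager writes: tls.crt, tls.key, ca.crt (DATA 3)."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem), "ca.crt": b64(ca_pem)}}


# Constructed stand-in for the Vault server so the exchange runs offline.
FAKE_TOKEN = "hvs.constructed"
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-LEAF\n-----END CERTIFICATE-----\n"
FAKE_CA = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ISSUING-CA\n-----END CERTIFICATE-----\n"


def fake_vault(path, body, token):
    if path == "auth/approle/login":
        if body != {"role_id": ROLE_ID, "secret_id": SECRET_ID}:
            raise PermissionError("invalid role or secret ID")
        return {"auth": {"client_token": FAKE_TOKEN}}
    if path == SIGN_PATH:
        if token != FAKE_TOKEN:  # the token's policy must grant update on SIGN_PATH
            raise PermissionError("permission denied")
        return {"data": {"certificate": FAKE_LEAF, "issuing_ca": FAKE_CA, "ca_chain": [FAKE_CA],
                         "expiration": 1647746642}}  # 2022-03-20T03:24:02Z, the notAfter seen later on this page
    raise KeyError(path)


def issue_like_cert_manager(transport=fake_vault):
    client = VaultClient(VAULT_SERVER, transport=transport)
    client.login_approle(ROLE_ID, SECRET_ID)
    csr = "-----BEGIN CERTIFICATE REQUEST-----\nCONSTRUCTED\n-----END CERTIFICATE REQUEST-----\n"
    signed = client.sign_csr(SIGN_PATH, csr, "tprt.com.cn", ["tprt.com.cn"], "2160h")
    # cert-manager stores the leaf followed by the chain in tls.crt and the issuing CA in ca.crt
    tls_crt = signed["certificate"] + "".join(signed["ca_chain"])
    secret = build_tls_secret("tprt-secret", "default", tls_crt, "CONSTRUCTED-KEY", signed["issuing_ca"])
    return signed, secret


if __name__ == "__main__":
    print(json.dumps(issue_like_cert_manager()[1], indent=2))
```

Two things worth noticing in the flow: the sign request is refused unless the login succeeded first (the token is what carries the policy allowing pki_int/sign/12331), and Vault returns an expiration alongside the certificate, which is what cert-manager ends up reporting as status.notAfter.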
 
# A Certificate defines which Secret is to be created and kept renewed; its fields are explained in the comments below
vmadmin@jumpbox:~$ kubectl get certificate
NAME   READY   SECRET   AGE
abba   True    abba     39d
abba   True    abba     39d

vmadmin@jumpbox:~$ kubectl get certificate tprt -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  creationTimestamp: "2021-04-27T02:50:22Z"
  generation: 8
  name: tprt   # name of this Certificate resource
  namespace: default
  resourceVersion: "206213505"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tprt-87701-portal-val-tprt-service.nazgul.app
  uid: 01b7a632-79cc-4c07-b5b8-1211fe7c512d
spec:
  dnsNames:
  - tprt.com.cn # DNS names (SANs) you want in the certificate, e.g. baidu.com would also work; the Vault role must allow the domain, and with this legacy API the first dnsName is also used as the CN when commonName is not set
  issuerRef:
    kind: ClusterIssuer # cluster-scoped, so Certificates in any namespace can reference it
    name: vault-issuer # name of the ClusterIssuer defined above
  keySize: 4096 # RSA key size for tls.key
  secretName: tprt-secret # name of the Secret the signed certificate and key are written to
status:
  conditions:
  - lastTransitionTime: "2021-06-23T03:23:56Z"
    message: Certificate is up to date and has not expired
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2022-03-20T03:24:02Z" # expiry of the current certificate; cert-manager schedules renewal relative to this

vmadmin@jumpbox:~$ kubectl get secret tprt-secret
NAME          TYPE                DATA   AGE
tprt-secret   kubernetes.io/tls   3      211d   # the 3 keys are tls.crt, tls.key and ca.crt
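The Certificate above has no spec.duration or spec.renewBefore, so when does cert-manager go back to Vault? The following added example (not cert-manager's code) re-implements the documented renewal rule: renewal is scheduled at notAfter minus renewBefore, and when renewBefore is unset, or not shorter than the certificate's real lifetime, it becomes one third of that lifetime, so the certificate is renewed two thirds of the way through. notAfter is the page's value; notBefore is not shown on the page and is constructed from the Ready transition time. It also shows why the computation must use the real validity window: Vault signs for at most the role's max_ttl, so the issued lifetime can be shorter than whatever was requested.

```python
"""Re-implementation (added example, not cert-manager's code) of cert-manager's
renewal scheduling, applied to the Certificate shown above.

  renewal time = notAfter - renewBefore
  renewBefore  = spec.renewBefore if set and shorter than the actual lifetime,
                 otherwise lifetime / 3 (renew at 2/3 of the lifetime)

NOT_AFTER is the page's status.notAfter; NOT_BEFORE is constructed from the
Ready transition time, since the page does not print notBefore."""
from datetime import datetime, timedelta, timezone


def parse_time(rfc3339):
    """Parse the Z-suffixed timestamps kubectl prints into aware UTC datetimes."""
    return datetime.strptime(rfc3339, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def renewal_time(not_before, not_after, renew_before=None):
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    # An unset or over-long renewBefore falls back to a third of the real lifetime.
    if renew_before is None or renew_before >= lifetime:
        renew_before = lifetime / 3
    return not_after - renew_before


def needs_renewal(now, not_before, not_after, renew_before=None):
    """True once the scheduled renewal time has been reached (or the cert expired)."""
    return now >= renewal_time(not_before, not_after, renew_before)


def effective_ttl(requested, role_max_ttl):
    """Vault's sign endpoint caps the requested ttl at the PKI role's max_ttl, so the
    certificate actually issued can be shorter than spec.duration. Renewal therefore
    has to be computed from the issued notBefore/notAfter, never from the request."""
    return min(requested, role_max_ttl)


def schedule(not_before, not_after, renew_before=None):
    """Summary a practitioner would want next to a kubectl get certificate line."""
    return {
        "lifetime": not_after - not_before,
        "renew_at": renewal_time(not_before, not_after, renew_before),
        "not_after": not_after,
    }


NOT_AFTER = parse_time("2022-03-20T03:24:02Z")   # status.notAfter on this page
NOT_BEFORE = parse_time("2021-06-23T03:24:02Z")  # constructed: Ready flipped at 2021-06-23T03:23:56Z

if __name__ == "__main__":
    for k, v in schedule(NOT_BEFORE, NOT_AFTER).items():
        print(f"{k:>10}: {v}")
```

With the page's dates the certificate lived 270 days, so cert-manager would have asked Vault for a new one 90 days before expiry, on 2021-12-20; setting spec.renewBefore to 360h moves that to 2022-03-05, while a renewBefore longer than the lifetime is ignored and the default applies again.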
 

  

From here, any Pod that needs this certificate simply mounts the Secret through its Deployment.

posted on 2024-10-22 17:18 by 朝澈