cert-manager official documentation
cert-manager GitHub repository
Deploying cert-manager
Installing cert-manager with Helm
Install the CustomResourceDefinitions first:
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/00-crds.yaml
Create the cert-manager namespace:
kubectl create namespace cert-manager
Label the cert-manager namespace to disable resource validation:
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
Add the Jetstack Helm repository:
helm repo add jetstack https://charts.jetstack.io
Update the local Helm chart repository cache:
helm repo update
Install cert-manager from the Helm chart:
helm install \
  --name cert-manager \
  --namespace cert-manager \
  --version v0.9.0 \
  jetstack/cert-manager
Check the result of the cert-manager deployment:
[root@kubeadm-master cert-manager]# kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7f6c7bd796-689l8              1/1     Running   1          178m
cert-manager-cainjector-5cd66c9c45-x5dqj   1/1     Running   2          178m
cert-manager-webhook-7bcfc678f6-zrqkn      1/1     Running   0          178m
Creating an Issuer or ClusterIssuer
We first need to create a signing authority. cert-manager provides two custom resources for this, Issuer and ClusterIssuer. An Issuer can only sign certificates in its own namespace, while a ClusterIssuer can sign certificates in any namespace. Here we use an Issuer as the example.
Generate the CA key pair
# Generate a CA private key
$ openssl genrsa -out ca.key 2048
# Create a self signed Certificate, valid for 10yrs with the 'signing' option set
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt
Store the CA key pair as a Secret
kubectl create secret tls ca-key-pair \
  --cert=ca.crt \
  --key=ca.key \
  --namespace=default
Create the issuer:
[root@kubeadm-master cert-manager]# cat issuer.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: ca-key-pair
[root@kubeadm-master cert-manager]# kubectl apply -f issuer.yaml
Creating a Certificate
With a signing authority in place we can now issue certificates. cert-manager provides the Certificate custom resource for this. A Certificate is always scoped to one namespace, and the issued certificate is stored in that namespace as a Secret. Create a Certificate object:
[root@kubeadm-master cert-manager]# cat local-nginx.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: ca-issuer
    kind: Issuer
  commonName: ning.com
  organization:
  - CA
  dnsNames:
  - ning.com
  - nginx.ning.com
[root@kubeadm-master cert-manager]# kubectl apply -f local-nginx.yaml
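Before wiring the Secret into an Ingress it is worth checking what cert-manager actually issued: the tls.crt in example-com-tls must chain to ca.crt and must cover the dnsNames. The Go program below is an added example, not code from this post or from cert-manager; VerifyIssuedCert is the check, and IssueFromCA is a constructed stand-in for the CA and leaf (a real run would pass the base64-decoded tls.crt from the Secret and the ca.crt generated above).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyIssuedCert: tls.crt must chain to the CA in ca.crt and be valid for host.
func VerifyIssuedCert(leafPEM, caPEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca.crt contains no PEM certificate")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("tls.crt is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err // nil on success; x509.HostnameError or x509.UnknownAuthorityError otherwise
}

func must(der []byte, err error) []byte { if err != nil { panic(err) }; return der }
func toPEM(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }

// IssueFromCA builds constructed test data mirroring the post's flow: a self-signed CA
// (like ca.crt) and a leaf for the Certificate's dnsNames signed by it. Assumed names.
func IssueFromCA(dnsNames []string) (leafPEM, caPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), // 10 years, as in the post
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert, _ := x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey))
	return toPEM(leafDER), toPEM(caCert.Raw)
}
```

A host that is not in dnsNames, or a ca.crt that did not sign the leaf, makes VerifyIssuedCert return an error, which is exactly the misconfiguration a browser would later report.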
Testing HTTPS through an Ingress
Create an nginx deployment, service and Ingress:
[root@kubeadm-master cert-manager]# cat nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    app: my-nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    name: http
  selector:
    run: my-nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/issuer: "ca-issuer"
spec:
  rules:
  - host: nginx.ning.com
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
  tls:
  - secretName: nginx-secret
    hosts:
    - nginx.ning.com
[root@kubeadm-master cert-manager]# kubectl apply -f nginx.yaml
Note that the Ingress references nginx-secret rather than the example-com-tls Secret created above: the certmanager.k8s.io/issuer annotation makes cert-manager issue a certificate for the Ingress hosts into nginx-secret itself. Finally, open a browser and access the service over https.