Installing cert-manager with Helm for automated HTTPS

      • 1. Install the CustomResourceDefinition resources
      • 2. Create the cert-manager namespace
      • 3. Add the Jetstack Helm repository
      • 4. Install the cert-manager Helm chart
      • 5. Verify the installation
      • 6. Create the issuer
      • 7. Create the Certificate resource (skipped here because automatic TLS certificate generation is used)
      • 8. Practical test

Notes:

  • The cluster must already have an Ingress Controller installed; see https://blog.csdn.net/qq_38983728/article/details/100902607
  • External clients need a hosts entry whose IP points to the address exposed by the Ingress Controller (not needed if the IP is a public address with DNS resolution configured)

1. Install the CustomResourceDefinition resources

[root@master ~]# mkdir -p ~/i/master/cert-manager/ && cd ~/i/master/cert-manager/
[root@master cert-manager]# wget https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml

[root@master cert-manager]# kubectl apply --validate=false -f 00-crds.yaml

2. Create the cert-manager namespace

[root@master cert-manager]# kubectl create namespace cert-manager

3. Add the Jetstack Helm repository

[root@master cert-manager]# helm repo add jetstack https://charts.jetstack.io

If the repository already exists, update your local Helm chart repository cache:

[root@master cert-manager]# helm repo update

4. Install the cert-manager Helm chart

[root@master cert-manager]# helm install \
  --name cert-manager \
  --namespace cert-manager \
  --set image.repository=registry.cn-shanghai.aliyuncs.com/wanfei/cert-manager-controller  \
  --set ingressShim.defaultIssuerName=letsencrypt-prod \
  --set ingressShim.defaultIssuerKind=ClusterIssuer \
  --version v0.12.0 \
  jetstack/cert-manager

If you are using Helm 3:

helm install \
  --name-template cert-manager \
  --namespace cert-manager \
  --set image.repository=registry.cn-shanghai.aliyuncs.com/wanfei/cert-manager-controller  \
  --set ingressShim.defaultIssuerName=letsencrypt-prod \
  --set ingressShim.defaultIssuerKind=ClusterIssuer \
  --version v0.12.0 \
  jetstack/cert-manager

  • --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer: enables fully automatic TLS; once kubernetes.io/tls-acme: "true" is set in ingress.yaml, the certificate is created automatically
  • The image quay.io/jetstack/cert-manager-webhook:v0.12.0 downloads very slowly; an Alibaba Cloud mirror can be used instead

5. Verify the installation

Once cert-manager is installed, you can verify that it deployed correctly by checking the pods in the namespace where cert-manager runs:

[root@master cert-manager]# kubectl get pods --namespace cert-manager -o wide
NAME                                      READY   STATUS    RESTARTS   AGE     IP                NODE     NOMINATED NODE   READINESS GATES
cert-manager-8d4ccddb9-fxmfd              1/1     Running   0          5m35s   192.168.219.115   master              
cert-manager-cainjector-df4dc78cd-bbctw   1/1     Running   0          5m35s   192.168.104.23    node2               
cert-manager-webhook-5f78ff89bc-m95qd     1/1     Running   0          5m35s   192.168.219.116   master              
[root@master cert-manager]# docker images

You should see cert-manager, cert-manager-cainjector and cert-manager-webhook all in the Running state. It may take a minute or so to set up the TLS assets the webhook needs, so the webhook can take longer to start for the first time than the other pods. If you run into problems, check the FAQ guide.

The following steps confirm that cert-manager is set up correctly and can issue a basic certificate type.

Create a test Issuer to check that the webhook works.

[root@master cert-manager]# cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  commonName: example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF

Create the test resources:

[root@master cert-manager]# kubectl apply -f test-resources.yaml

Check the status of the newly created certificate. You may need to wait a few seconds before cert-manager has processed the certificate request.

[root@master cert-manager]# kubectl describe certificate.cert-manager.io -n cert-manager-test
Name:         selfsigned-cert
Namespace:    cert-manager-test
Labels:       
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"selfsigned-cert","namespace":"cert-mana...
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-12-11T08:23:18Z
  Generation:          1
  Resource Version:    2363190
  Self Link:           /apis/cert-manager.io/v1alpha2/namespaces/cert-manager-test/certificates/selfsigned-cert
  UID:                 0c152ff9-184e-4b8f-9fe7-fc4fb4b2d86f
Spec:
  Common Name:  example.com
  Issuer Ref:
    Name:       test-selfsigned
  Secret Name:  selfsigned-cert-tls
Status:
  Conditions:
    Last Transition Time:  2019-12-11T08:23:18Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2020-03-10T08:23:18Z
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  GeneratedKey  10s   cert-manager  Generated a new private key
  Normal  Requested     10s   cert-manager  Created new CertificateRequest resource "selfsigned-cert-2334779822"
  Normal  Issued        10s   cert-manager  Certificate issued successfully

Clean up the test resources:

[root@master cert-manager]# kubectl delete -f test-resources.yaml

If all of the above steps completed correctly, everything is working.

6. Create the issuer

[root@master cert-manager]# cat <<EOF > production-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

# Apply it
[root@master cert-manager]# kubectl create -f production-issuer.yaml

  • metadata.name is the name of the issuer we created; we reference it later when creating certificates
  • spec.acme.email is your own email address; you receive a reminder email when a certificate is about to expire, although cert-manager uses the ACME protocol to renew certificates automatically
  • spec.acme.server is the ACME server; we use Let's Encrypt here, and this address is simply fixed as shown
  • spec.acme.privateKeySecretRef indicates which Secret object the issuer's ACME account private key is stored in; the name is not important
  • spec.acme.solvers[].http01 tells the issuer to use the HTTP-01 challenge for ACME (DNS-01 is also possible; the purpose of the ACME challenge is to prove that this machine and the domain belong to you before a certificate is issued)

[root@master cert-manager]# kubectl get clusterissuer.cert-manager.io
NAME                  READY   AGE
letsencrypt-prod      True    3m46s

7. Create the Certificate resource (skipped here because automatic TLS certificate generation is used)

[root@master cert-manager]# cat <<EOF > cert.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wanfei-wang
  namespace: cert-manager
spec:
  secretName: wanfei-wang-tls
  keyEncoding: pkcs1
  # At least one of a DNS Name, URI SAN, or IP address is required.
  dnsNames:
  - minio.wanfei.wang
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
EOF

The full list of parameters is described at https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1alpha2.CertificateSpec

Create it:

[root@master cert-manager]# kubectl apply -f cert.yaml

[root@master cert-manager]# kubectl get certificate.cert-manager.io -n cert-manager
NAME          READY   SECRET            AGE
wanfei-wang   True    wanfei-wang-tls   3m15

8. Practical test

We have now installed cert-manager and defined a ClusterIssuer; next we configure HTTPS access to our Kubernetes Dashboard service.
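As an added example (not from the original post or from the cert-manager project), the script below shows what the ingress-shim route set up in step 4 looks like end to end: an Ingress carrying the kubernetes.io/tls-acme: "true" annotation and a spec.tls entry, followed by a loop that waits for the Certificate cert-manager creates to become Ready. The host dashboard.example.com, the Service kubernetes-dashboard on port 443 in the kubernetes-dashboard namespace, the nginx ingress class and the secret name dashboard-tls are all assumed values; only the ClusterIssuer name letsencrypt-prod comes from step 6.

```shell
#!/bin/sh
# Added example, not part of the original post: an Ingress that relies on
# cert-manager's ingress-shim (enabled through the ingressShim.* Helm values)
# to obtain a Let's Encrypt certificate, plus a wait loop on the Certificate.
# Assumed (hypothetical) values: host dashboard.example.com, Service
# "kubernetes-dashboard" on port 443 in namespace "kubernetes-dashboard",
# the nginx ingress class, and the ClusterIssuer letsencrypt-prod from step 6.

# Print an Ingress manifest on stdout.
# $1 = ingress name, $2 = namespace, $3 = host, $4 = backend service, $5 = port
render_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: $1
  namespace: $2
  annotations:
    kubernetes.io/ingress.class: nginx
    # ingress-shim sees this annotation and creates a Certificate for the
    # hosts listed under spec.tls, using the default issuer configured at
    # install time (ingressShim.defaultIssuerName / defaultIssuerKind).
    kubernetes.io/tls-acme: "true"
    # The Dashboard serves HTTPS itself; drop this line for plain-HTTP backends.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - $3
    # cert-manager writes tls.crt / tls.key into this Secret; the Certificate
    # object it creates gets the same name.
    secretName: $1-tls
  rules:
  - host: $3
    http:
      paths:
      - path: /
        backend:
          serviceName: $4
          servicePort: $5
EOF
}

# Poll the Certificate's Ready condition (up to ~5 minutes). HTTP-01 only
# succeeds once the host resolves to the ingress controller from the Internet.
# $1 = namespace, $2 = certificate name
wait_for_certificate() {
  i=0
  while [ "$i" -lt 60 ]; do
    status=$(kubectl get certificate.cert-manager.io "$2" -n "$1" \
      -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null || true)
    if [ "$status" = "True" ]; then
      echo "certificate $2 is Ready"
      return 0
    fi
    i=$((i + 1))
    sleep 5
  done
  echo "certificate $2 still not Ready; check: kubectl describe order,challenge -n $1" >&2
  return 1
}

# Only touch the cluster when run explicitly with "apply".
if [ "${1:-}" = "apply" ]; then
  render_ingress dashboard kubernetes-dashboard dashboard.example.com kubernetes-dashboard 443 \
    | kubectl apply -f -
  wait_for_certificate kubernetes-dashboard dashboard-tls
fi
```

Run it as `sh ingress-tls.sh apply` from a machine with kubectl access; without the argument it only defines the functions. If the Certificate never becomes Ready, the Order and Challenge objects named in the error message show which HTTP-01 check failed. Before issuing against letsencrypt-prod it is worth trying the same Ingress with a ClusterIssuer whose server is https://acme-staging-v02.api.letsencrypt.org/directory, because Let's Encrypt's production environment enforces per-domain rate limits that a misconfigured solver retried repeatedly can exhaust, while staging is far more lenient.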

Section 1.2 of the following post shows automatic certificate creation with kubernetes.io/tls-acme: 'true': https://blog.csdn.net/qq_38983728/article/details/103503900

Reference: https://cert-manager.io/docs/installation/kubernetes/

Reference: https://xuchao918.github.io/2019/03/14/%E4%BD%BF%E7%94%A8cert-manager%E5%AE%9E%E7%8E%B0Ingress-https/
