参考:k8s1.18.20:cert-manager 1.8 安装部署
向letsencrypt申请三个月免费证书
[root@k8s-node ~]# cat clusterissuer-prod.yaml
# ClusterIssuer for Let's Encrypt production. It is cluster-scoped, so a Certificate in
# any namespace may reference it via issuerRef.kind: ClusterIssuer.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Staging endpoint: validate the whole flow against it first. The production endpoint
    # enforces strict rate limits, and a misconfigured solver that keeps failing there can
    # block issuance for the hostname for some time.
    #server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    # NOTE(review): no `email` is configured; Let's Encrypt uses the account email for
    # expiry and incident notices — consider setting one.
    # Secret that stores the ACME account private key. cert-manager creates it in its own
    # namespace (it shows up as `letsencrypt-prod` in `kubectl get secret -n cert-manager`).
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      # HTTP-01 challenge via the "nginx" ingress class: port 80 for every requested
      # dnsName must be reachable from the internet and routed to this ingress controller.
      - http01:
          ingress:
            class: nginx
[root@k8s-node ~]# cat ssl.yaml
# Certificate request. cert-manager writes the issued certificate and private key into the
# kubernetes.io/tls Secret `ssl` in the cert-manager namespace. Secrets are namespace-scoped,
# so only workloads/Ingress in that namespace can reference it directly.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl                  # name of the Certificate resource
  namespace: cert-manager    # namespace the resulting Secret is written to
spec:
  secretName: ssl            # Secret that will hold tls.crt / tls.key
  issuerRef:
    name: letsencrypt-prod   # the ClusterIssuer defined above
    kind: ClusterIssuer
  duration: 2160h            # 90 days, the lifetime Let's Encrypt issues
  renewBefore: 360h          # start renewal 15 days before expiry
  dnsNames:                  # each name is validated via HTTP-01 and becomes a SAN
    - www.demo.cn
    - app.demo.cn
检查证书是否申请成功
[root@ops-k8s-master01 ssl]# kubectl get secret -n cert-manager
NAME TYPE DATA AGE
cert-manager-cainjector-token-kdwd6 kubernetes.io/service-account-token 3 30d
cert-manager-token-x6tgq kubernetes.io/service-account-token 3 30d
cert-manager-webhook-ca Opaque 3 30d
cert-manager-webhook-token-4bpwg kubernetes.io/service-account-token 3 30d
default-token-p97fb kubernetes.io/service-account-token 3 30d
letsencrypt-prod Opaque 1 30d
sandbox-2qd8j Opaque 1 28d
ssl kubernetes.io/tls 2 28d
查看secret信息
[root@ops-k8s-master01 ssl]# kubectl describe secret ssl -n cert-manager
Name: ssl
Namespace: cert-manager
Labels: kubed.appscode.com/origin.cluster=opstest
kubed.appscode.com/origin.name=ssl
kubed.appscode.com/origin.namespace=cmc
Annotations: cert-manager.io/alt-names:
api.opstest.chinamcloud.cn,cloud.opstest.chinamcloud.cn,console.opstest.chinamcloud.cn,dashaboard.opstest.chinamcloud.cn,image.opstest.chi...
cert-manager.io/certificate-name: ssl
cert-manager.io/common-name: login.opstest.chinamcloud.cn
cert-manager.io/ip-sans:
cert-manager.io/issuer-group: cert-manager.io
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: letsencrypt-prod
cert-manager.io/uri-sans:
kubed.appscode.com/origin: {"namespace":"cmc","name":"ssl","uid":"4140a0e6-fd8f-4b17-b72e-9a2983c33b58","resourceVersion":"49211748"}
Type: kubernetes.io/tls
Data
====
tls.crt: 5932 bytes
tls.key: 1679 bytes
目前证书只能在 cert-manager 名称空间下使用(Secret 是名称空间级资源,其他名称空间的 Ingress 无法直接引用它),我们需要再部署一个 kubed/config-syncer 同步服务,将 cert-manager 名称空间下的 ssl 证书同步到其他名称空间。
参考:Syncing Secrets Across Namespaces
GitHub地址:https://github.com/kubeops/config-syncer
官网部署文档:appscode
$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm search repo appscode/kubed --version v0.12.0
NAME CHART VERSION APP VERSION DESCRIPTION
appscode/kubed v0.12.0 v0.12.0 Kubed by AppsCode - Kubernetes daemon
$ helm install kubed appscode/kubed \
--version v0.12.0 \
--namespace kube-system
检查容器是否正常部署
[root@ops-k8s-master01 ssl]# kubectl get pod -o wide -A |grep kubed
kubed config-sync-kubed-57d7b5548b-l6klq 1/1 Running 0 28d 10.42.2.80 ops-k8s-node02
# Certificate revised for kubed/config-syncer: `secretTemplate` stamps the sync annotation
# onto the Secret that cert-manager creates, which is what kubed watches for when copying
# the Secret into other namespaces.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl
  namespace: cert-manager
spec:
  secretName: ssl
  # NOTE(review): "ssl" is not a valid DNS name and, unlike the first manifest, no dnsNames
  # are listed here. The CN should be a FQDN that also appears under dnsNames (the
  # `kubectl describe secret` output above shows a real FQDN as common-name) — presumably
  # this value is a redacted placeholder; confirm before applying.
  commonName: ssl
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  secretTemplate:
    annotations:
      # Selector form: only namespaces whose labels match the selector receive the Secret.
      #kubed.appscode.com/sync: "cert-manager-tls=appfactory,crms"
      # Empty value = sync to every namespace. Note this copies tls.key (the private key)
      # into all namespaces, including system ones, so any principal with secret read
      # access in any namespace can obtain it. Prefer the selector form above, limited to
      # the namespaces that actually serve these hostnames.
      kubed.appscode.com/sync: ""
检查证书是否同步到所有名称空间
[root@ops-k8s-master01 ssl]# kubectl get secret -A |grep ssl
aims ssl kubernetes.io/tls 2 28d
appfactory ssl kubernetes.io/tls 2 28d
base ssl kubernetes.io/tls 2 28d
bigdata ssl kubernetes.io/tls 2 28d
cattle-fleet-system ssl kubernetes.io/tls 2 28d
cattle-impersonation-system ssl kubernetes.io/tls 2 28d
cattle-system ssl kubernetes.io/tls 2 28d
cert-manager ssl kubernetes.io/tls 2 28d
cim ssl kubernetes.io/tls 2 28d
cmc ssl kubernetes.io/tls 2 28d
cmini ssl kubernetes.io/tls 2 28d
cms ssl kubernetes.io/tls 2 28d
content ssl kubernetes.io/tls 2 28d
后续可以通过浏览器访问域名,验证证书是否正常。