k8s1.18.20通过cert-manager、kubed实现三个月免费证书自动续签

k8s1.18.20通过cert-manager、kubed实现三个月免费证书自动续签

一、cert-manager部署

参考:k8s1.18.20:cert-manager 1.8 安装部署

二、申请免费证书-letsencrypt

2.1、创建ClusterIssuer

向letsencrypt申请三个月免费证书

[root@k8s-node ~]# cat clusterissuer-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    #server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

2.2、以HTTP-01方式申请域名证书

[root@k8s-node ~]# cat  ssl.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl   #证书名称
  namespace: cert-manager  #名称空间
spec:
  secretName: ssl   #证书名称
  issuerRef:
    name: letsencrypt-prod   #指定ISSUER
    kind: ClusterIssuer
  duration: 2160h
  renewBefore: 360h
  dnsNames:
  - www.demo.cn
  - app.demo.cn

检查,证书是否申请成功

[root@ops-k8s-master01 ssl]# kubectl get secret -n cert-manager
NAME                                  TYPE                                  DATA   AGE
cert-manager-cainjector-token-kdwd6   kubernetes.io/service-account-token   3      30d
cert-manager-token-x6tgq              kubernetes.io/service-account-token   3      30d
cert-manager-webhook-ca               Opaque                                3      30d
cert-manager-webhook-token-4bpwg      kubernetes.io/service-account-token   3      30d
default-token-p97fb                   kubernetes.io/service-account-token   3      30d
letsencrypt-prod                      Opaque                                1      30d
sandbox-2qd8j                         Opaque                                1      28d
ssl                                   kubernetes.io/tls                     2      28d

查看secret信息

[root@ops-k8s-master01 ssl]# kubectl describe secret ssl -n cert-manager
Name:         ssl
Namespace:    cert-manager
Labels:       kubed.appscode.com/origin.cluster=opstest
              kubed.appscode.com/origin.name=ssl
              kubed.appscode.com/origin.namespace=cmc
Annotations:  cert-manager.io/alt-names:
                api.opstest.chinamcloud.cn,cloud.opstest.chinamcloud.cn,console.opstest.chinamcloud.cn,dashaboard.opstest.chinamcloud.cn,image.opstest.chi...
              cert-manager.io/certificate-name: ssl
              cert-manager.io/common-name: login.opstest.chinamcloud.cn
              cert-manager.io/ip-sans: 
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-prod
              cert-manager.io/uri-sans: 
              kubed.appscode.com/origin: {"namespace":"cmc","name":"ssl","uid":"4140a0e6-fd8f-4b17-b72e-9a2983c33b58","resourceVersion":"49211748"}

Type:  kubernetes.io/tls

Data
====
tls.crt:  5932 bytes
tls.key:  1679 bytes

目前证书只能在cert-manager名称空间下使用,我们需要再部署一个kubed/config-syncer同步服务,将cert-manager名称空间下的ssl证书同步到其他名称空间。

三、部署kubed服务

参考:Syncing Secrets Across Namespaces
gitlab地址:https://github.com/kubeops/config-syncer
官网部署文档:appscode

3.1、部署kubed服务

$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm search repo appscode/kubed --version v0.12.0
NAME            CHART VERSION APP VERSION DESCRIPTION
appscode/kubed  v0.12.0    v0.12.0  Kubed by AppsCode - Kubernetes daemon

$ helm install kubed appscode/kubed \
  --version v0.12.0 \
  --namespace kube-system

检查容器是否正常部署

[root@ops-k8s-master01 ssl]# kubectl get pod -o wide -A |grep kubed
kubed           config-sync-kubed-57d7b5548b-l6klq          1/1     Running            0          28d     10.42.2.80      ops-k8s-node02                

3.2、创建同步证书服务

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl
  namespace: cert-manager
spec:
  secretName: ssl
  commonName: ssl
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  secretTemplate:
    annotations:
      #kubed.appscode.com/sync: "cert-manager-tls=appfactory,crms"
      kubed.appscode.com/sync: ""   #同步到所有名称空间

检查证书是否同步到所有名称空间

[root@ops-k8s-master01 ssl]# kubectl get secret -A |grep ssl
aims                          ssl                                              kubernetes.io/tls                     2      28d
appfactory                    ssl                                              kubernetes.io/tls                     2      28d
base                          ssl                                              kubernetes.io/tls                     2      28d
bigdata                       ssl                                              kubernetes.io/tls                     2      28d
cattle-fleet-system           ssl                                              kubernetes.io/tls                     2      28d
cattle-impersonation-system   ssl                                              kubernetes.io/tls                     2      28d
cattle-system                 ssl                                              kubernetes.io/tls                     2      28d
cert-manager                  ssl                                              kubernetes.io/tls                     2      28d
cim                           ssl                                              kubernetes.io/tls                     2      28d
cmc                           ssl                                              kubernetes.io/tls                     2      28d
cmini                         ssl                                              kubernetes.io/tls                     2      28d
cms                           ssl                                              kubernetes.io/tls                     2      28d
content                       ssl                                              kubernetes.io/tls                     2      28d

后续可以通过浏览器验证,访问域名看证书是否正常。

你可能感兴趣的:(k8s,kubernetes,容器,云原生)