k8s-证书管理之cert-manager自动生成证书
k8s集群安全设置:
Kubernetes提供了基于CA签名的双向数字证书认证方式和简单的基于HTTP Base或Token的认证方式,其中CA证书方式的安全性最高。
原理:
cert-manager 是一种自动执行证书管理的工具
官网:https://cert-manager.io/
案例:https://article.itxueyuan.com/mxvrwG
ingress:https://cert-manager.io/docs/tutorials/acme/nginx-ingress/
cert-manager是基于ACME协议与Let's Encrypt来签发免费证书并自动续期,实现永久免费使用证书。
ACME:自动证书管理环境,Let's Encrypt:ssl证书免费签发机构。
cert-manager实现了ACME协议,通过http或dns方式来检证域名是否归执行人所有,如是则由Let's Encrypt签发证书并保存于secret中。
以下只针对自签证书进行测试:
1、安装cert-manager:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm pull jetstack/cert-manager --untar
helm install cert-manager ./cert-manager --namespace cert-manager --create-namespace --version v1.10.1 --set installCRDs=true2、创建自签CA,issuer-selfsign.yaml:
#创建自签的clusterissuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
#生成证书
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-selfsigned-ca
namespace: cert-manager
spec:
isCA: true
commonName: my-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
#生成以这个证书做为CA的clusterissuer,其他证书由这个CA签发
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: my-ca-issuer
spec:
ca:
secretName: root-secret说明:
issuer与clusterissuer两个签发资源,issuer只能在同一命名空间内签发证书,clusterissuer可以在所有命名空间内签发证书。如果是issuer,则证书secret所属的namspace应与issuer一致;如果是clusterissuer,则证书所属的namespace应与cert-manager安装的namespace一致。
上面用的是cert-manager的自签证书做为CA,也可以自已定义个CA放在secret里,然后做为clusterissuer来进行后续的签发。
应用后使用如下命令查看clusterissuer与certificate:
kubectl get clusterissuer
kubectl get certificate -A
状态READY为true说明签发正常,否则可以使用describe查看错误原因。
3、建立个deployment和svc,nginx-test.yaml:
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx
name: nginx-test
spec:
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
selector:
app: nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-test
labels:
app: nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 804、新建ingress,ingress-nginx.yaml:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: nginx-test
annotations:
cert-manager.io/cluster-issuer: my-ca-issuer
spec:
tls:
- hosts:
- xxx.tempdomain.com
secretName: xxx-tls
rules:
- host: xxx.tempdomain.com
http:
paths:
- path:
backend:
serviceName: nginx-test
servicePort: 80在注解中定义cert-manager.io/cluster-issuer,并指定clusterissuer的名称;
如为issuer则使用cert-manager.io/issuer注解。spec.tls.hosts.secretName定义secret的名称,自动签发的证书会写在这个secret里。
应用后,会发现新生成secret
kubectl get secret -n ns
浏览器访问https,查看证书:查看有效期
5、也可以手工签发certificate,ingress直接使用这个secret(关闭注解),certificate.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: xxx-tls
namespace: default
spec:
dnsNames:
- xxx.tempdomain.com
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: my-ca-issuer
secretName: xxx-tls
duration: 87600h #10年
usages:
- digital signature
- key encipherment具体参数:https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
6、删除
先将所有cert-manager生成的资源删除,查看资源情况如下:
kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
然后执行helm反安装:
helm delete cert-manager --namespace cert-manager
最后删除CDR:
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.crds.yaml