27 Dec 2021 cert-manager签发证书

创建自签名证书的ca

ca的创建参考:<使用cfssl创建自签名证书>

代码语言:javascript
复制
kubectl create secret tls ca-key --cert=ca.pem --key=ca-key.pem --namespace=cert-manager

创建clusterissuer

代码语言:javascript
复制
# cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ssli-cluster-issuer
spec:
  ca:
    secretName: ca-key
EOF
# k get clusterissuers.cert-manager.io
NAME                  READY   AGE
ssli-cluster-issuer   True    6s

创建certificate

这里需要指定clusterissuer和生成证书的secret名字,创建certificate:

代码语言:javascript
复制
# cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssli-com
spec:
  dnsNames:
  - www.ssli.com
  issuerRef:
    kind: ClusterIssuer
    name: ssli-cluster-issuer
  secretName: ssli-cert
EOF
# k get certificate
NAME       READY   SECRET      AGE
ssli-com   True    ssli-cert   9s

创建成功后,证书会保存到指定的secret,如下:

代码语言:javascript
复制
# k get secret ssli-cert
NAME        TYPE                DATA   AGE
ssli-cert   kubernetes.io/tls   3      26s

在ingress中使用该证书

创建一个nginx deployment并修改了默认页面 /usr/share/nginx/html/index.htmlhello nginx,在ingress中使用创建的证书:

代码语言:javascript
复制
# k create deployment nginx --image=nginx
# k exec nginx-6799fc88d8-nbs4h -- sh -c "echo hello nginx > /usr/share/nginx/html/index.html"
# kubectl expose deployment nginx --port=80 --name=nginx
service/nginx exposed
# k get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   41h
nginx        ClusterIP   10.102.140.200   <none>        80/TCP    16s
# curl 10.102.140.200
hello nginx
# cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
      - www.ssli.com
    secretName: ssli-cert
  rules:
  - host: www.ssli.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
EOF
# curl -k https://www.ssli.com
hello nginx

或者在ingress中指定相应的clusterissuer,ingress会自动签发证书并使用,如下:

代码语言:javascript
复制
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "ssli-cluster-issuer"
spec:
  tls:
  - hosts:
      - www.ssli.com
    secretName: auto-ssli-cert
  rules:
  - host: www.ssli.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
EOF
# k get secret auto-ssli-cert
NAME             TYPE                DATA   AGE
auto-ssli-cert   kubernetes.io/tls   3      38s
# curl -k https://www.ssli.com
hello nginx

可以看到自动生成了证书secret,并且服务也正常。

创建selfSigned类型的issuer

代码语言:javascript
复制
$ cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ssli-selfsigned
spec:
  selfSigned: {}
EOF
# cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "ssli-selfsigned"
spec:
  tls:
  - hosts:
      - www.ssli.com
    secretName: selfsigned-ssli-cert
  rules:
  - host: www.ssli.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
EOF
# k get secret selfsigned-ssli-cert-s7s78
NAME                         TYPE     DATA   AGE
selfsigned-ssli-cert-s7s78   Opaque   1      19s
# curl -k https://www.ssli.com
hello nginx
# curl -kv https://www.ssli.com

...

  • Server certificate:
  • subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
  • start date: Dec 26 09:16:01 2021 GMT
  • expire date: Dec 26 09:16:01 2022 GMT
  • issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
  • SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

...

可以看到ingress使用了ingress controller自签名的证书。


LEo at 00:12