「CERT-MANAGER」- Deployment

Kubernetes 1.30 / cert-manager 1.17

These notes record how to deploy the cert-manager component in a Kubernetes Cluster, along with solutions to related problems;

Additional notes

  • As one of the resources deployed in this series, cert-manager runs inside the Kubernetes Cluster and uses CRDs to configure CAs and request certificates;
  • Deployment method: we use the Helm Chart approach recommended in the official documentation, no longer the raw YAML manifest files;
  • After deploying the cert-manager component, an Issuer or ClusterIssuer resource representing the CA must be created;
  • Deploying multiple cert-manager instances in one cluster causes unexpected behaviour (the v1.3 documentation mentioned this; it is unclear whether the limitation still applies to this version);

Deploying the cert-manager component

Install the component:

helm repo add jetstack https://charts.jetstack.io
helm repo update jetstack

helm search repo jetstack/cert-manager | grep 1.17
helm pull jetstack/cert-manager --version v1.17.1

helm show values ./cert-manager-x.x.x.tgz > cert-manager-x.x.x.tgz.helm-values.yaml
vim cert-manager-x.x.x.tgz.helm-values.yaml
# ... set installCRDs: true
# ... set the image repository and image tag

helm upgrade --install --namespace cert-manager --create-namespace             \
     cert-manager ./cert-manager-x.x.x.tgz -f cert-manager-x.x.x.tgz.helm-values.yaml

Verify the installation:

# cmctl check api --wait=2m
The cert-manager API is ready

# kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS      RESTARTS   AGE
cert-manager-69c97bc646-zh7sf              1/1     Running     0          34m
cert-manager-cainjector-77cc778cc8-rfxgq   1/1     Running     0          34m
cert-manager-startupapicheck-x7tm5         0/1     Completed   0          34m
cert-manager-webhook-6b8f8c55f4-7d8gk      1/1     Running     0          34m

Issuance test: create a self-signed certificate and check that it is issued automatically (see the Verifying the Installation document for details). We verified using the manual method (we tried the community tool mentioned in the documentation, but it failed):

cat > test-resources.yaml  <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF

kubectl apply -f test-resources.yaml

kubectl describe -n cert-manager-test certificates | grep -E '^Status:' -A 11

kubectl delete -f test-resources.yaml

Kubernetes 1.28 / cert-manager 1.15

cert-manager/Installation/Verifying/Manual verification
How to check TLS Cert Expiration Date
Kubernetes | cert-manager

Environment

Kubernetes Cluster v1.21
kubectl 1.20.15
cert-manager v1.8.2

Solution

Refer to the cert-manager/Installation document; the project offers several installation methods:
1) The official docs recommend installing with the cmctl plugin, but we deploy using HELM + CRD;

Refer to the Supported Releases document to check which cluster versions each release supports:
1) cert-manager 1.8 supports Kubernetes Cluster v1.21

Service deployment | Installing the cert-manager component

helm repo add jetstack https://charts.jetstack.io
helm repo update

helm pull jetstack/cert-manager --version x.x.x   # x.x.x is the chart version, v1.15.2 here

helm show values ./cert-manager-x.x.x.tgz > cert-manager-x.x.x.helm-values.yaml
# crds.enabled: true

helm upgrade --install --namespace cert-manager --create-namespace \
    cert-manager ./cert-manager-x.x.x.tgz -f cert-manager-x.x.x.helm-values.yaml

Issuance test

Check that the service works (this part demonstrates the manual test):
1) create an Issuer resource;
2) create a Certificate resource;

Steps to create a self-signed certificate:

# cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF

# kubectl apply -f test-resources.yaml
...

# kubectl describe certificate -n cert-manager-test
...
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    20s   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  20s   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "selfsigned-cert-g866q"
  Normal  Requested  20s   cert-manager-certificates-request-manager  Created new CertificateRequest resource "selfsigned-cert-6d85c"
  Normal  Issuing    20s   cert-manager-certificates-issuing          The certificate has been successfully issued

# kubectl delete -f test-resources.yaml
...
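Both issuance tests in these notes (this one and the one under Kubernetes 1.30 / cert-manager 1.17 above) check the Certificate status by reading `kubectl describe` output. As an added example that is not part of the original notes, the following Python script polls that Certificate until its Ready condition is True and reports the days left before status.notAfter, which is the expiry check the "How to check TLS Cert Expiration Date" reference covers. It assumes kubectl is on PATH with access to the cluster, the namespace and Certificate name come from test-resources.yaml, and SAMPLE_READY is a constructed object rather than output captured from a real cluster.

```python
import json
import subprocess
import time
from datetime import datetime, timezone
from typing import Optional

def parse_rfc3339(stamp: str) -> datetime:
    # cert-manager writes status timestamps as RFC 3339 with a trailing "Z"
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def ready_condition(cert: dict) -> tuple:
    """(status, message) of the Ready condition from `kubectl get certificate -o json`."""
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status", "Unknown"), cond.get("message", "")
    return "Unknown", ""

def days_remaining(cert: dict, now: Optional[datetime] = None) -> Optional[float]:
    """Days until status.notAfter; None while the certificate is still unissued."""
    not_after = cert.get("status", {}).get("notAfter")
    if not_after is None:
        return None
    return (parse_rfc3339(not_after) - (now or datetime.now(timezone.utc))).total_seconds() / 86400

def fetch_certificate(namespace: str, name: str) -> dict:
    # read the live Certificate object from the cluster (requires kubectl and cluster access)
    cmd = ["kubectl", "get", "certificate", "-n", namespace, name, "-o", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def wait_ready(namespace: str, name: str, timeout: float = 120, interval: float = 5) -> dict:
    """Poll until Ready=True; on timeout raise with the controller's last status message."""
    deadline = time.monotonic() + timeout
    while True:
        cert = fetch_certificate(namespace, name)
        status, message = ready_condition(cert)
        if status == "True":
            return cert
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{namespace}/{name} not Ready after {timeout}s: {message}")
        time.sleep(interval)

# Constructed sample of an issued Certificate (not captured from a real cluster).
SAMPLE_READY = {"spec": {"secretName": "selfsigned-cert-tls", "dnsNames": ["example.com"]},
                "status": {"conditions": [{"type": "Ready", "status": "True",
                                           "message": "Certificate is up to date and has not expired"}],
                           "notAfter": "2025-06-01T00:00:00Z", "renewalTime": "2025-05-02T00:00:00Z"}}

if __name__ == "__main__":  # namespace and name match test-resources.yaml
    cert = wait_ready("cert-manager-test", "selfsigned-cert")
    print(f"Ready; secret {cert['spec']['secretName']}, {days_remaining(cert):.1f} days to notAfter")
```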