We use the Certbot tool to request free certificates from Let's Encrypt and to renew them automatically. Inside a Kubernetes cluster we use the cert-manager component for the same job.
These notes record how to deploy the cert-manager component in a Kubernetes cluster, how to use it to request certificates, and how to handle the related problems.
Environment
Kubernetes Cluster v1.21
kubectl 1.20.15
cert-manager v1.8.2
Solution
See the cert-manager/Installation documentation; the project offers several installation methods:
1) The official docs recommend installing with the cmctl plugin, but we deploy with Helm plus the CRDs;
See the Supported Releases document for which cluster versions each release supports:
1) cert-manager 1.8 supports Kubernetes Cluster v1.21;
Step 1: Install the cert-manager component
Deploy the service
The Helm chart version carries a `v` prefix (for example `v1.8.2`), so the pulled archive is named `cert-manager-vX.Y.Z.tgz`. Before installing, edit the values file and enable CRD installation; the key name depends on the chart version:

```shell
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm pull jetstack/cert-manager --version x.x.x
helm show values ./cert-manager-x.x.x.tgz > cert-manager-x.x.x.helm-values.yaml
# In the values file enable the CRDs:
#   crds.enabled: true   (chart v1.15 and later)
#   installCRDs: true    (older charts, including v1.8)
helm upgrade --install --namespace cert-manager --create-namespace \
  cert-manager ./cert-manager-x.x.x.tgz -f cert-manager-x.x.x.helm-values.yaml
```

The values file passed with `-f` must be the one written by `helm show values` above (the original command pointed `-f` at a differently named file).
Issuance test
Check that the service is working (this part shows the manual test):
1) create an Issuer resource;
2) create a Certificate resource;
The steps for issuing a self-signed certificate:

```shell
# cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF

# kubectl apply -f test-resources.yaml
...

# kubectl describe certificate -n cert-manager-test
...
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    20s   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  20s   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "selfsigned-cert-g866q"
  Normal  Requested  20s   cert-manager-certificates-request-manager  Created new CertificateRequest resource "selfsigned-cert-6d85c"
  Normal  Issuing    20s   cert-manager-certificates-issuing          The certificate has been successfully issued

# kubectl delete -f test-resources.yaml
...
```

The event sequence is the normal flow: a Certificate triggers a private key, a CertificateRequest, and finally the `selfsigned-cert-tls` Secret. If the last `Issuing` event never arrives, inspect the CertificateRequest (and, for ACME issuers, the Order and Challenge resources) for the failure reason.
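Beyond a one-off `kubectl describe`, what a practitioner wants is a repeatable check that every Certificate in the cluster is Ready, not expired, and not stuck past its renewal time. The script below is an added example, not code from these notes or from cert-manager. It reads the real `status` fields of a `cert-manager.io/v1` Certificate (`conditions`, `notAfter`, `renewalTime`) from the JSON that `kubectl get certificate -A -o json` returns; the sample document and the `RENEWAL_GRACE` threshold are constructed assumptions so that it runs without a cluster.

```python
"""Triage cert-manager Certificate objects from `kubectl get certificate -A -o json`.

Added example; not code from the original notes or from cert-manager. The
sample document below is constructed by hand in the shape kubectl returns.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: a Certificate still past renewalTime by more than this has a
# stuck renewal (cert-manager normally renews shortly after renewalTime).
RENEWAL_GRACE = timedelta(days=1)

# Constructed sample, not real cluster output.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {   # healthy: Ready, well before renewalTime
            "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
            "metadata": {"name": "selfsigned-cert", "namespace": "cert-manager-test"},
            "spec": {"dnsNames": ["example.com"], "secretName": "selfsigned-cert-tls",
                     "issuerRef": {"name": "test-selfsigned"}},
            "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
                       "notAfter": "2024-07-30T00:00:00Z", "renewalTime": "2024-06-30T00:00:00Z"},
        },
        {   # still issuing: no Secret yet, so no notAfter
            "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
            "metadata": {"name": "web-tls", "namespace": "default"},
            "spec": {"dnsNames": ["www.example.com"], "secretName": "web-tls",
                     "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"}},
            "status": {"conditions": [
                {"type": "Ready", "status": "False", "reason": "DoesNotExist",
                 "message": "Issuing certificate as Secret does not exist"},
                {"type": "Issuing", "status": "True", "reason": "DoesNotExist"}]},
        },
        {   # Ready but renewal is overdue: 4 days left, renewalTime long past
            "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
            "metadata": {"name": "api-tls", "namespace": "default"},
            "spec": {"dnsNames": ["api.example.com"], "secretName": "api-tls",
                     "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"}},
            "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
                       "notAfter": "2024-06-05T00:00:00Z", "renewalTime": "2024-05-06T00:00:00Z"},
        },
        {   # already expired
            "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
            "metadata": {"name": "old-tls", "namespace": "legacy"},
            "spec": {"dnsNames": ["old.example.com"], "secretName": "old-tls",
                     "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"}},
            "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Expired"}],
                       "notAfter": "2024-05-20T00:00:00Z", "renewalTime": "2024-04-20T00:00:00Z"},
        },
    ],
})

# Fixed "now" for the constructed sample so results are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_rfc3339(value: str) -> datetime:
    """Kubernetes timestamps look like 2024-07-30T00:00:00Z (always UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_certificate(cert: dict, now: datetime) -> dict:
    """Classify one Certificate as ok / not-ready / renewal-overdue / expired."""
    meta = cert["metadata"]
    status = cert.get("status") or {}
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    is_ready = bool(ready) and ready.get("status") == "True"
    not_after = parse_rfc3339(status["notAfter"]) if status.get("notAfter") else None
    renewal_time = parse_rfc3339(status["renewalTime"]) if status.get("renewalTime") else None
    days_left = round((not_after - now).total_seconds() / 86400, 1) if not_after else None

    if not_after is not None and now >= not_after:
        state = "expired"
    elif not is_ready:
        state = "not-ready"
    elif renewal_time is not None and now >= renewal_time + RENEWAL_GRACE:
        state = "renewal-overdue"
    else:
        state = "ok"
    return {"namespace": meta["namespace"], "name": meta["name"],
            "secret": cert["spec"]["secretName"], "ready": is_ready,
            "reason": (ready or {}).get("reason"), "days_left": days_left, "state": state}


def triage(kubectl_json: str, now: datetime) -> list:
    """Triage every item of a `kubectl get certificate -A -o json` document."""
    return [triage_certificate(item, now) for item in json.loads(kubectl_json)["items"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_KUBECTL_JSON, SAMPLE_NOW):
        print(f'{row["state"]:16} {row["namespace"]}/{row["name"]:20} '
              f'days_left={row["days_left"]} reason={row["reason"]}')
```

Run it against a live cluster with `kubectl get certificate -A -o json | python3 triage.py` after replacing the sample with `sys.stdin.read()` and `SAMPLE_NOW` with `datetime.now(timezone.utc)`. The `renewal-overdue` state is the one worth alerting on early: the certificate is still valid, so nothing is broken yet, but cert-manager has failed to renew it and the remaining lifetime is the only time left to fix the Issuer, solver, or ingress.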
Step 2: Request a Let's Encrypt certificate
The steps above deploy the cert-manager component and successfully issue a self-signed certificate, but that is not our real use case;
What we want is for cert-manager to request and manage Let's Encrypt certificates from inside the cluster, using one of the two ACME challenge types below;
DNS-01
See the note Solutions to Scenarios (04): Request Certificate (alidns) for the solution to this scenario;
HTTP-01
HTTP01 – cert-manager Documentation
A ClusterIssuer that registers an ACME account with Let's Encrypt and solves challenges through the nginx ingress class:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
```

The ACME account key is generated by cert-manager and stored in the `letsencrypt-account-key` Secret in the cert-manager namespace. `spec.acme.email` is optional, but setting it lets Let's Encrypt send expiry warnings. HTTP-01 only works if the domain in the Certificate resolves publicly to the ingress and port 80 is reachable from the Internet, because Let's Encrypt fetches `http://<domain>/.well-known/acme-challenge/<token>` itself.
In ACK (Alibaba Cloud Container Service for Kubernetes), because of how the cluster network is set up, the `internalTrafficPolicy` of the `nginx-ingress-lb` Service must be changed to `Cluster`; otherwise the Order's self-check fails. With `internalTrafficPolicy: Local`, in-cluster traffic to the Service is only delivered to ingress-controller pods on the same node, and is dropped on nodes that have none; cert-manager's self-check is an in-cluster request to the challenge URL, so from such a node it never reaches the solver pod and the Order stays pending even though Let's Encrypt itself could reach the ingress.
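The self-check that fails in the ACK case above is plain HTTP: before telling the ACME server to validate, cert-manager fetches the challenge URL itself and expects the key authorization back. The block below is an added example, not cert-manager or Let's Encrypt code. It computes the key authorization exactly as the ACME protocol defines it (RFC 7638 JWK thumbprint, RFC 8555 section 8.1), serves it the way the solver pod does, and runs the same reachability check against a reachable server, an unknown token, and a server that is no longer listening (the "cannot reach the solver" failure). The account JWK, the token, and the `127.0.0.1` listener are constructed assumptions standing in for the real account key and ingress.

```python
"""HTTP-01 challenge: key authorization plus cert-manager-style self-check.

Added example; not code from cert-manager or these notes. The JWK below is a
constructed stand-in for the ACME account key (not a real RSA key) and the
listener on 127.0.0.1 stands in for the ingress / solver pod.
"""
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed public JWK of a hypothetical ACME account (not a real modulus).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVzLW5vdC1hLXJlYWwta2V5"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key). This is the HTTP body."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves token -> key authorization, like the cert-manager acmesolver pod."""
    challenges: dict = {}

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.challenges.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_challenges(challenges: dict) -> ThreadingHTTPServer:
    """Start a solver on a random loopback port; returns the server (call shutdown())."""
    handler = type("Handler", (ChallengeHandler,), {"challenges": dict(challenges)})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def self_check(base_url: str, token: str, expected: str, timeout: float = 2.0) -> bool:
    """cert-manager-style pre-flight: fetch the challenge URL, compare the (trimmed) body.
    Any transport error (refused, timed out, dropped by a Local traffic policy) is a failure."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode("ascii", "replace").strip() == expected
    except (urllib.error.URLError, OSError, ValueError):
        return False


def demo() -> tuple:
    """Returns (reachable_ok, unknown_token_ok, unreachable_ok) for the three cases."""
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    keyauth = key_authorization(token, ACCOUNT_JWK)
    server = serve_challenges({token: keyauth})
    base = f"http://127.0.0.1:{server.server_port}"
    reachable = self_check(base, token, keyauth)            # solver answers correctly
    unknown = self_check(base, "not-a-known-token", keyauth)  # 404 from the solver
    server.shutdown()
    server.server_close()
    unreachable = self_check(base, token, keyauth)          # nothing listening any more
    return reachable, unknown, unreachable


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The third result is the ACK symptom: the key authorization is correct and the solver pod is running, but the request from inside the cluster never arrives, so the self-check reports failure and cert-manager will not ask Let's Encrypt to validate. Running `self_check` from a pod on a node without an ingress-controller pod, against the Service address, is a quick way to confirm the `internalTrafficPolicy` diagnosis before changing it.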
References
cert-manager / Installation / Verifying / Manual verification
How to check TLS Cert Expiration Date
Kubernetes | cert-manager