Once an issuer has been configured, you can issue certificates. There are several use cases and ways to request certificates through cert-manager:

- Certificate Resources: the simplest and most common way to request a signed certificate.
- Securing Ingress Resources: a way to secure the Ingress resources in your cluster.
- Securing OpenFaaS functions: secure your OpenFaaS services with cert-manager.
- Integration with Garden: Garden is a developer tool for building Kubernetes applications and has first-class support for integrating cert-manager.
- Securing Knative: secure your Knative services with trusted HTTPS certificates.
- Enable mTLS on Pods with CSI: use the cert-manager CSI driver to provide unique keys and certificates that share the Pod's lifecycle.
- Securing Istio Gateway: secure Istio gateways in Kubernetes with cert-manager.
- Securing Istio Service Mesh: use the cert-manager Istio integration to secure the per-pod mTLS PKI with cert-manager managed certificates.
- Policy for cert-manager certificates: manage which cert-manager certificates may be signed or rejected through policies defined by custom resources.

Only two of these methods are demonstrated here: `Certificate Resources` and `Ingress Resources`.

# Certificate Resources

1. Create the Certificate

   ```shell
   cat <<'EOF' | kubectl apply -f -
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: test-dns-cert
     namespace: default
   spec:
     # Name of the Secret that will hold the key and certificate
     secretName: test-dns-cert
     # X509v3 subject name
     commonName: ecloud.com
     subject:
       countries:
         - CN
       provinces:
         - GuangDong
       localities:
         - GuangZhou
       organizations:
         - k8s
     # Private key settings
     privateKey:
       rotationPolicy: Always
       algorithm: ECDSA
       encoding: PKCS8
       size: 256
     usages:
       - server auth
       - client auth
     # Certificate lifetime
     # Defaults to 90 days; renewal happens at 2/3 of the lifetime or renewBefore before expiry, whichever is later
     duration: 8760h    # 365d
     renewBefore: 4320h # 180d
     # X509v3 subject alternative names
     dnsNames:
       - "*.ecloud.com"
     ipAddresses:
       - "127.0.0.1"
     # Issuer to use
     issuerRef:
       name: ca-cluster-issuer
       kind: ClusterIssuer
   EOF
   ```

2. Inspect the certificate

   >[info] Check the `Issuer`, `Validity`, `Subject` and `X509v3 Subject Alternative Name` fields

   ```shell
   $ kubectl get secret test-dns-cert -ojsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number:
               41:b7:a7:ed:c6:8d:01:98:71:59:c9:6c:7d:10:eb:b8
           Signature Algorithm: sha256WithRSAEncryption
           Issuer: CN=ecloud-ca
           Validity
               Not Before: Sep  8 07:57:28 2023 GMT
               Not After : Sep  7 07:57:28 2024 GMT
           Subject: C=CN, ST=GuangDong, L=GuangZhou, O=k8s, CN=ecloud.com
           Subject Public Key Info:
               Public Key Algorithm: id-ecPublicKey
                   Public-Key: (256 bit)
                   pub:
                       04:6b:b8:e9:ae:c2:5b:91:ce:54:0a:c6:d6:b6:8e:
                       9c:d3:68:f8:be:a4:31:9a:61:44:38:dd:50:5d:33:
                       a5:4f:09:d7:74:d5:83:f6:1f:14:27:cc:59:6d:1b:
                       8d:b9:1c:48:18:0b:a6:ed:c8:5b:79:79:94:42:db:
                       67:aa:2c:9d:cf
                   ASN1 OID: prime256v1
                   NIST CURVE: P-256
           X509v3 extensions:
               X509v3 Extended Key Usage:
                   TLS Web Server Authentication, TLS Web Client Authentication
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Authority Key Identifier:
                   keyid:EB:6B:58:6F:39:FB:8E:12:83:35:3D:6C:27:16:C3:EF:D6:88:81:51
               X509v3 Subject Alternative Name:
                   DNS:*.ecloud.com, IP Address:127.0.0.1
       Signature Algorithm: sha256WithRSAEncryption
            08:a8:f2:36:4a:7b:6c:3b:58:f0:d3:e4:b7:4c:e1:cf:58:98:
            ee:74:af:a6:51:50:d5:02:ab:17:9a:8e:bf:bf:e8:76:95:17:
            83:07:72:45:19:6f:59:f4:35:c4:ca:b4:b7:a2:96:d6:58:21:
            25:32:45:5b:96:08:93:94:82:33:a9:c6:cb:8f:61:0d:db:d2:
            c4:17:a5:3c:cd:f1:6b:d3:15:28:92:9f:92:b6:0e:aa:3e:5d:
            78:80:74:97:f5:17:0c:3d:96:17:73:7f:7d:8d:f0:82:ff:0f:
            b8:49:48:b1:be:01:9b:21:84:58:cc:92:1c:74:33:5c:7f:1b:
            95:88:96:88:03:71:c9:fe:bf:d8:c7:37:37:83:83:45:8f:32:
            ba:fb:93:3f:7e:0d:ed:66:11:d2:9e:36:97:b1:f2:9d:91:51:
            73:1c:3a:5e:19:2e:da:4d:25:f1:4a:0a:ac:88:26:18:60:65:
            0d:21:3a:51:ba:81:8e:46:c9:90:04:96:44:04:76:20:f5:df:
            1f:9a:f7:ac:9b:bb:99:5a:7a:5d:65:f0:ce:89:47:01:74:45:
            47:23:8a:de:f0:70:ac:e5:2c:bf:23:56:27:f0:d7:41:6d:6e:
            19:fb:d9:a4:b6:dd:f0:bc:03:7a:1e:9f:17:11:6a:60:49:cf:
            da:e8:fe:9d
   ```

3. Clean up

   >[info] Deleting an Ingress automatically deletes the Certificate it created, but the Secret holding the certificate is not cleaned up

   ```shell
   $ kubectl delete certs test-dns-cert
   $ kubectl delete secret test-dns-cert
   ```

# Ingress Resources

1. Create the Ingress, which triggers creation of the Certificate

   >[info] For the annotations an Ingress supports, see the [official cert-manager documentation](https://cert-manager.io/docs/usage/ingress/#supported-annotations)

   ```shell
   cat <<'EOF' | kubectl apply -f -
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     annotations:
       cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
       cert-manager.io/common-name: "nginx"
       cert-manager.io/subject-organizations: "k8s"
       cert-manager.io/duration: "8760h"
       cert-manager.io/renew-before: "4320h"
     name: nginx-test
   spec:
     rules:
     - host: nginx.ecloud.com
       http:
         paths:
         - backend:
             service:
               name: nginx
               port:
                 number: 80
           path: /
           pathType: Prefix
     tls:
     - hosts:
       - nginx.ecloud.com
       secretName: test-nginx-cert
   EOF
   ```

2. Inspect the certificate

   >[info] Check the `Issuer`, `Validity`, `Subject` and `X509v3 Subject Alternative Name` fields

   ```shell
   $ kubectl get secret test-nginx-cert -ojsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number:
               9c:3a:74:c9:04:c8:dd:8e:ff:e8:fe:52:71:75:65:f8
           Signature Algorithm: sha256WithRSAEncryption
           Issuer: O=k8s, CN=nginx
           Validity
               Not Before: Sep  8 08:18:08 2023 GMT
               Not After : Sep  7 08:18:08 2024 GMT
           Subject: O=k8s, CN=nginx
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
                   Public-Key: (2048 bit)
                   Modulus:
                       00:bd:c0:fa:4c:d3:14:61:99:14:49:41:5d:2d:6b:
                       b9:15:bd:99:8a:fe:ab:05:50:00:a0:0f:a2:b7:f6:
                       4b:9a:91:70:05:c4:21:3b:eb:3f:ec:57:06:bd:7f:
                       52:df:c9:1a:6a:23:b3:d3:7d:c4:a0:36:ea:b3:11:
                       11:28:3f:29:fc:fb:5a:7e:32:40:a6:79:8b:bb:15:
                       ea:91:98:f2:6d:76:04:c1:48:bf:cb:f9:46:72:64:
                       a4:e1:cb:ea:49:f9:df:af:8d:12:ff:02:d7:af:29:
                       c9:76:c9:6c:78:3a:1b:34:d3:15:f1:51:d7:99:86:
                       39:4e:b3:b4:06:9b:d0:2f:98:00:e1:76:3a:2f:e4:
                       02:45:1e:c3:9a:d8:a9:34:a6:d3:88:1d:05:21:a1:
                       68:24:13:f6:42:1f:66:a6:a1:d8:96:f6:ed:8b:e4:
                       de:04:16:e5:19:ac:98:6f:5e:7a:64:3d:6a:70:d5:
                       f7:9e:d3:df:4e:32:06:c9:a2:23:e1:a3:5f:4f:77:
                       10:20:f3:f2:db:54:46:54:89:42:7f:79:7d:69:46:
                       76:b8:07:a6:5b:9b:76:d8:d7:7f:0b:35:1a:d5:08:
                       c3:7b:3b:db:2a:23:4f:ea:75:4a:43:3c:83:59:6f:
                       0c:1c:ff:fa:cc:b7:d6:25:c6:5b:bb:4b:cd:d0:23:
                       1d:9b
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Subject Alternative Name:
                   DNS:nginx.ecloud.com
       Signature Algorithm: sha256WithRSAEncryption
            76:64:39:98:c2:44:44:8d:32:7a:e5:84:27:14:cc:58:32:39:
            30:39:d1:8e:29:05:65:15:99:6e:79:56:18:f5:57:1a:6a:32:
            f4:09:87:b0:39:e2:8a:87:10:84:c3:ee:89:b8:75:a8:c9:33:
            8b:8d:55:a4:c8:8a:8b:65:82:a9:33:b2:ba:a0:50:d6:17:05:
            6f:28:67:bc:61:3e:47:7f:29:fd:98:74:13:20:9c:44:b1:30:
            9e:f2:36:e7:17:9f:3e:a9:29:d5:d1:c4:f4:46:2a:d6:1c:d9:
            6a:5e:cf:c0:5f:04:49:fa:95:a0:40:52:06:af:8b:55:41:0a:
            fc:0e:57:b6:2d:77:27:8e:79:af:25:66:a3:0f:e6:df:da:96:
            6f:77:41:3d:cc:47:49:73:7a:65:5b:4c:2a:19:09:23:b0:53:
            99:00:1c:3b:08:ab:55:5e:37:5f:8b:a6:dc:ca:8b:53:3f:b8:
            fe:2d:7e:87:e4:41:e4:d8:28:e3:fa:34:78:41:56:04:15:c6:
            f7:2d:00:14:2c:ef:f2:a8:7c:25:04:66:ca:b7:4f:f4:2b:fc:
            d2:1e:be:dd:67:bd:7e:5e:c2:b6:ae:74:1a:78:fd:30:8b:2c:
            a6:55:1e:8c:da:c5:71:34:fa:a9:8d:f1:b8:75:b1:54:c5:18:
            6e:b3:94:4a
   ```

3. Clean up

   >[info] Deleting an Ingress automatically deletes the Certificate it created, but the Secret holding the certificate is not cleaned up

   ```shell
   $ kubectl delete ingress nginx-test
   $ kubectl delete secret test-nginx-cert
   ```
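Both "Inspect the certificate" steps above ask you to eyeball `Issuer`, `Validity`, `Subject` and the SAN. The following added example (not part of the original tutorial) parses that same `openssl x509 -text` output with only the Python standard library and checks it against what the Certificate spec requested; fed the Ingress example's output it would flag Issuer equal to Subject, which is what `selfsigned-cluster-issuer` produces. The `SPEC` dict and the abridged `SAMPLE` output are constructed here for the Certificate Resources example and are not a cert-manager API.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, abridged copy of the tutorial's `openssl x509 -text` output (hex blobs dropped).
SAMPLE = """\
        Issuer: CN=ecloud-ca
            Not Before: Sep  8 07:57:28 2023 GMT
            Not After : Sep  7 07:57:28 2024 GMT
        Subject: C=CN, ST=GuangDong, L=GuangZhou, O=k8s, CN=ecloud.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.ecloud.com, IP Address:127.0.0.1
"""
# What the Certificate resource above requested (hypothetical dict, not a cert-manager API).
SPEC = {"issuerCN": "ecloud-ca", "commonName": "ecloud.com", "dnsNames": ["*.ecloud.com"],
        "ipAddresses": ["127.0.0.1"], "usages": ["server auth", "client auth"],
        "duration": timedelta(hours=8760)}
EKU_NAMES = {"server auth": "TLS Web Server Authentication",   # openssl's wording for the
             "client auth": "TLS Web Client Authentication"}   # cert-manager usage names
def field(text, label):
    # Text after "label:"; \s* also swallows the newline of a multi-line extension.
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else ""
def parse_x509_text(text):
    """Pull Issuer, Validity, Subject, EKU and SAN out of `openssl x509 -text` output."""
    def when(label):  # "Sep  8 07:57:28 2023 GMT" -> aware UTC datetime
        raw = " ".join(field(text, label).split())
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    csv = lambda s: [v.strip() for v in s.split(",") if v.strip()]
    return {"issuer": field(text, "Issuer"), "subject": field(text, "Subject"),
            "not_before": when("Not Before"), "not_after": when("Not After"),
            "eku": csv(field(text, "X509v3 Extended Key Usage")),
            "san": csv(field(text, "X509v3 Subject Alternative Name"))}
def check_against_spec(info, spec):
    """List every way the issued cert deviates from the spec (empty list = matches)."""
    out = ["self-signed: Issuer equals Subject"] if info["issuer"] == info["subject"] else []
    if not info["issuer"].endswith("CN=" + spec["issuerCN"]):
        out.append("unexpected issuer: " + info["issuer"])
    cn = re.search(r"CN=([^,]+)", info["subject"])
    if not cn or cn.group(1) != spec["commonName"]:
        out.append("subject CN mismatch: " + info["subject"])
    want = {"DNS:" + d for d in spec["dnsNames"]} | {"IP Address:" + i for i in spec["ipAddresses"]}
    out += ["SAN not in spec: " + s for s in sorted(set(info["san"]) - want)]  # names never asked for
    out += ["SAN missing: " + s for s in sorted(want - set(info["san"]))]
    out += ["EKU missing: " + EKU_NAMES[u] for u in spec["usages"] if EKU_NAMES[u] not in info["eku"]]
    if info["not_after"] - info["not_before"] != spec["duration"]:
        out.append("validity is not the requested duration")
    return out
```

Replace `SAMPLE` with the real output of the `kubectl get secret ... | openssl x509 -text -noout` command above to check a live certificate.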