Installing cert-manager with Helm for automated HTTPS
Check the supported versions
URL: https://cert-manager.io/docs/installation/supported-releases/
I am currently installing the latest version, 1.8, on a Kubernetes 1.23.6 cluster; for the deployment, start reading directly from section II.
I. Old version v0.12.0 (not recommended; I have not used this version in a long time)
Notes:
- My cluster at the time was 1.15.3; for anything above v1.15.4, follow the reference URL below to find the latest deployment method.
- The cluster must already have an Ingress Controller installed; see https://blog.csdn.net/qq_38983728/article/details/100902607
- External clients configure hosts entries with the IP pointing at the address the Ingress Controller exposes externally (if the IP is a public address with DNS resolution, no configuration is needed).
1.1 Install the CustomResourceDefinition resources
[root@master ~]# mkdir -p ~/i/master/cert-manager/ && cd ~/i/master/cert-manager/
[root@master cert-manager]# wget https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
[root@master cert-manager]# kubectl apply --validate=false -f 00-crds.yaml
1.2 Create the cert-manager namespace
[root@master cert-manager]# kubectl create namespace cert-manager
1.3 Add the Jetstack Helm repository
[root@master cert-manager]# helm repo add jetstack https://charts.jetstack.io
If it already exists, update your local Helm chart repository cache:
[root@master cert-manager]# helm repo update
1.4 Install the cert-manager Helm chart
[root@master cert-manager]# helm install \
--name cert-manager \
--namespace cert-manager \
--set image.repository=registry.cn-shanghai.aliyuncs.com/wanfei/cert-manager-controller \
--set ingressShim.defaultIssuerName=letsencrypt-prod \
--set ingressShim.defaultIssuerKind=ClusterIssuer \
--version v0.12.0 \
jetstack/cert-manager
If using Helm 3:
helm install \
--name-template cert-manager \
--namespace cert-manager \
--set image.repository=registry.cn-shanghai.aliyuncs.com/wanfei/cert-manager-controller \
--set ingressShim.defaultIssuerName=letsencrypt-prod \
--set ingressShim.defaultIssuerKind=ClusterIssuer \
--version v0.12.0 \
jetstack/cert-manager
Notes:
- --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer: used for fully automatic TLS; once kubernetes.io/tls-acme: "true" is set in ingress.yaml, the certificate is created automatically.
- The image quay.io/jetstack/cert-manager-webhook:v0.12.0 is very slow to download; the Alibaba Cloud mirror can be used instead.
1.5 Verify the installation
Once cert-manager is installed, you can verify that it was deployed correctly by checking the namespace its Pods run in:
[root@master cert-manager]# kubectl get pods --namespace cert-manager -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cert-manager-8d4ccddb9-fxmfd 1/1 Running 0 5m35s 192.168.219.115 master <none> <none>
cert-manager-cainjector-df4dc78cd-bbctw 1/1 Running 0 5m35s 192.168.104.23 node2 <none> <none>
cert-manager-webhook-5f78ff89bc-m95qd 1/1 Running 0 5m35s 192.168.219.116 master <none> <none>
[root@master cert-manager]# docker images
You should see cert-manager, cert-manager-cainjector and cert-manager-webhook all in the Running state. Setting up the TLS assets the webhook needs may take a minute or so, which can cause the webhook to take longer to start the first time than the other Pods. If you run into problems, check the FAQ guide.
The following steps confirm that cert-manager is set up correctly and able to issue basic certificate types.
Create an Issuer to test that the webhook works properly.
[root@master cert-manager]# cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  commonName: example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF
Create the test resources
[root@master cert-manager]# kubectl apply -f test-resources.yaml
Check the status of the newly created certificate. You may need to wait a few seconds before cert-manager has processed the certificate request.
[root@master cert-manager]# kubectl describe certificate.cert-manager.io -n cert-manager-test
Name: selfsigned-cert
Namespace: cert-manager-test
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"cert-manager.io/v1alpha2","kind":"Certificate","metadata":{"annotations":{},"name":"selfsigned-cert","namespace":"cert-mana...
API Version: cert-manager.io/v1alpha2
Kind: Certificate
Metadata:
Creation Timestamp: 2019-12-11T08:23:18Z
Generation: 1
Resource Version: 2363190
Self Link: /apis/cert-manager.io/v1alpha2/namespaces/cert-manager-test/certificates/selfsigned-cert
UID: 0c152ff9-184e-4b8f-9fe7-fc4fb4b2d86f
Spec:
Common Name: example.com
Issuer Ref:
Name: test-selfsigned
Secret Name: selfsigned-cert-tls
Status:
Conditions:
Last Transition Time: 2019-12-11T08:23:18Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2020-03-10T08:23:18Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal GeneratedKey 10s cert-manager Generated a new private key
Normal Requested 10s cert-manager Created new CertificateRequest resource "selfsigned-cert-2334779822"
Normal Issued 10s cert-manager Certificate issued successfully
Clean up the test resources.
[root@master cert-manager]# kubectl delete -f test-resources.yaml
If all of the above steps completed correctly, everything is in order!
1.6 Create the issuing authority
[root@master cert-manager]# cat <<EOF> production-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
# Run it
[root@master cert-manager]# kubectl create -f production-issuer.yaml
- metadata.name is the name of the issuing authority we created; we reference it later when creating certificates.
- spec.acme.email is your own email address; you will get a reminder email when a certificate is about to expire, although cert-manager uses the ACME protocol to reissue the certificate automatically and renew it.
- spec.acme.server is the ACME protocol server; we use Let's Encrypt here, so this address can simply be hardcoded as shown.
- spec.acme.privateKeySecretRef indicates which Secret object this issuer's private key is stored in; the name does not matter.
- spec.acme.solvers[].http01 tells the issuer to use the HTTP-01 method for the ACME protocol (the DNS method is also available; the purpose of the ACME protocol is to prove that this machine and the domain belong to you, and only then is a certificate issued).
[root@master cert-manager]# kubectl get clusterissuer.cert-manager.io
NAME READY AGE
letsencrypt-prod True 3m46s
1.7 Create a certificate resource (skipped here, since automatic TLS generates the certificate)
[root@master cert-manager]# cat <<EOF> cert.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wanfei-wang
  namespace: cert-manager
spec:
  secretName: wanfei-wang-tls
  keyEncoding: pkcs1
  # At least one of a DNS Name, URI SAN, or IP address is required.
  dnsNames:
  - minio.wanfei.wang
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
EOF
For the full parameter list see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1alpha2.CertificateSpec
Create it
[root@master cert-manager]# kubectl apply -f cert.yaml
[root@master cert-manager]# kubectl get certificate.cert-manager.io -n cert-manager
NAME READY SECRET AGE
wanfei-wang True wanfei-wang-tls 3m15
1.8 Actual test
Above we installed cert-manager and defined a ClusterIssuer; next we configure HTTPS for accessing our Kubernetes Dashboard service.
Section 1.2 of https://blog.csdn.net/qq_38983728/article/details/103503900 shows kubernetes.io/tls-acme: 'true' creating the certificate automatically.
Reference: https://cert-manager.io/docs/installation/kubernetes/
II. Install the new version v1.8.0 (recommended)
2.1 Add the repo
helm repo add jetstack https://charts.jetstack.io
helm repo update
2.2 Install
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager --create-namespace \
--set ingressShim.defaultIssuerName=letsencrypt-prod \
--set ingressShim.defaultIssuerKind=ClusterIssuer \
--set ingressShim.defaultIssuerGroup=cert-manager.io \
--set installCRDs=true \
--version v1.8.0
2.3 Check
[root@master cert-manager]# kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-766cc8b894-bx7lk 1/1 Running 0 3m1s
cert-manager-cainjector-5c55bb7cb4-d74b7 1/1 Running 0 3m1s
cert-manager-webhook-556f979d7f-skp7c 1/1 Running 0 3m1s
2.4 Create the issuing authority
cat <<EOF> production-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
kubectl apply -f production-issuer.yaml
Check
[root@master cert-manager]# kubectl get clusterissuer.cert-manager.io
NAME READY AGE
letsencrypt-prod True 18s
2.5 Deploy an example Ingress
Install ingress-nginx first; see https://blog.csdn.net/qq_38983728/article/details/123399245
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - example.example.com
    secretName: quickstart-example-tls
  rules:
  - host: example.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kuard
            port:
              number: 80
References
- https://cert-manager.io/docs/usage/ingress/#optional-configuration
- https://cert-manager.io/docs/tutorials/acme/nginx-ingress/#step-7---deploy-a-tls-ingress-resource
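Once the Ingress above is applied, the ingress-shim creates a Certificate named after secretName and the Ready condition, Not After and renewal data end up in its status, as the kubectl describe output earlier showed. The script below is an added example (not from the original post or from the cert-manager project) that audits the JSON from `kubectl get certificates -A -o json`: it flags Certificates that are not Ready, that reference an issuer other than the letsencrypt-prod ClusterIssuer, that are close to expiry, or whose renewalTime has already passed. The embedded JSON is a constructed sample, and the field names assume the cert-manager.io/v1 status schema (conditions, notAfter, renewalTime).

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `kubectl get certificates -A -o json`
# (cert-manager.io/v1); names, timestamps and messages are made up for this example.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "quickstart-example-tls", "namespace": "default"},
     "spec": {"secretName": "quickstart-example-tls", "dnsNames": ["example.example.com"],
              "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                                "message": "Certificate is up to date and has not expired"}],
                "notAfter": "2022-07-20T10:00:00Z", "renewalTime": "2022-06-20T10:00:00Z"}},
    {"metadata": {"name": "stuck", "namespace": "default"},
     "spec": {"secretName": "stuck-tls", "dnsNames": ["stuck.example.com"],
              "issuerRef": {"name": "letsencrypt-staging", "kind": "ClusterIssuer"}},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                "message": "Issuing certificate as Secret does not exist"}]}},
]})


def parse_ts(value):
    # cert-manager writes RFC 3339 UTC timestamps such as 2022-07-20T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(raw_json, now, warn_days=14, expected_issuer=("letsencrypt-prod", "ClusterIssuer")):
    """Map "namespace/name" -> list of findings; an empty list means the Certificate is healthy."""
    report = {}
    for item in json.loads(raw_json)["items"]:
        key = item["metadata"]["namespace"] + "/" + item["metadata"]["name"]
        spec, status, findings = item.get("spec", {}), item.get("status", {}), []
        # The Ready condition is the same Type/Status/Reason triple that `kubectl describe` prints
        ready = next((c for c in status.get("conditions", []) if c["type"] == "Ready"), None)
        if ready is None:
            findings.append("not ready: no Ready condition yet")
        elif ready["status"] != "True":
            findings.append(f'not ready: {ready.get("reason")} - {ready.get("message")}')
        # A Certificate bound to another issuer (e.g. a staging one) serves an untrusted chain
        ref = spec.get("issuerRef", {})
        if (ref.get("name"), ref.get("kind", "Issuer")) != expected_issuer:
            findings.append(f'unexpected issuer {ref.get("kind", "Issuer")}/{ref.get("name")}')
        if "notAfter" in status:
            days_left = (parse_ts(status["notAfter"]) - now).days
            if days_left < warn_days:
                findings.append(f"expires in {days_left} days")
        # renewalTime is when cert-manager should have begun renewing; if it has passed, investigate
        if "renewalTime" in status and parse_ts(status["renewalTime"]) < now:
            findings.append("renewal overdue since " + status["renewalTime"])
        report[key] = findings
    return report
```

To run it against a live cluster, replace SAMPLE with the text read from `kubectl get certificates -A -o json` and pass `datetime.now(timezone.utc)` as `now`.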
2.6 Uninstall
# List the remaining resources first and delete them
kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
helm --namespace cert-manager delete cert-manager
kubectl delete namespace cert-manager
If the namespace gets stuck in the Terminating state:
kubectl delete apiservice v1beta1.webhook.cert-manager.io