Date: 2023-02-13 12:57:01 | Source: 建站知識
This article shows how to have cert-manager create HTTPS certificates automatically in K8s, in two ways: a single-domain certificate, and a wildcard certificate obtained through Alibaba Cloud DNS validation.

We install cert-manager with Helm here; check your k8s version and install the matching version of the application.

Official Helm install guide: https://helm.sh/docs/intro/install/
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
$ chmod 700 get_helm.sh
$ ./get_helm.sh
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
Be sure to install the version that matches your cluster:

# Kubernetes 1.15+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager.crds.yaml

# Kubernetes <1.15
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager-legacy.crds.yaml

$ helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.15.1
The following output means the install succeeded; you can also check the container logs to confirm the pods started normally.

$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5c6344597-zw8kh               1/1     Running   0          2m
cert-manager-cainjector-348f6d9fd7-tr77l   1/1     Running   0          2m
cert-manager-webhook-893u48fcdb-nlzsq      1/1     Running   0          2m
The official documentation describes Issuer and ClusterIssuer as follows:
Issuers, and ClusterIssuers, are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request.
The difference between an Issuer and a ClusterIssuer is that a ClusterIssuer can be used across namespaces, while an Issuer must be configured in each namespace before it can be used there. Here we use a ClusterIssuer, with Let's Encrypt as its type.

Test certificate (Let's Encrypt staging)

# cluster-issuer-letsencrypt-staging.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Be sure to replace this with your own e-mail address, otherwise the configuration fails.
    # Let's Encrypt will contact you when the certificate is about to expire.
    email: gavin.tech@qq.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # The Secret that will store the ACME account private key
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
Production certificate

# cluster-issuer-letsencrypt-prod.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: gavin.tech@qq.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Two ClusterIssuers are configured here, one for staging and one for production, because Let's Encrypt's production environment enforces very strict rate limits on its API: it is best to get everything working against staging first and then switch to production. The difference between the production and staging environments: https://letsencrypt.org/zh-cn/docs/staging-environment/

Once the Ingress below is applied, the certificate is generated automatically.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kuard
  annotations:
    # Be sure to add the following two annotations: they select the ingress class and which cluster-issuer to use
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"  # Validate with the staging certificate first, then switch to the production one
    # If you use an Issuer instead, use the following annotation
    # cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - example.example.com  # TLS domain; only a single domain is supported here, the wildcard configuration is covered below
    secretName: quickstart-example-tls  # Name of the Secret that stores the certificate; any name works, cert-manager creates a Certificate with the matching name
  rules:
  - host: example.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kuard
          servicePort: 80
The procedure shown here is for Alibaba Cloud DNS. For another DNS provider you can write your own webhook or use an open-source one; the official example is: https://github.com/jetstack/cert-manager-webhook-example

The webhook used here is: https://github.com/pragkent/alidns-webhook

The installation steps differ between cert-manager versions: the first set below is for the cert-manager.io/v1alpha2 API (bundle.yaml), the second for the legacy certmanager.k8s.io/v1alpha1 API (legacy.yaml).

# Install alidns-webhook into the cert-manager namespace.
kubectl apply -f https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
The sub-account must be granted the management permission (AliyunDNSFullAccess, the permission to manage Alibaba Cloud DNS).

apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
data:
  access-key: YOUR_ACCESS_KEY  # must be base64-encoded first
  secret-key: YOUR_SECRET_KEY  # must be base64-encoded first
Test certificate request (staging)

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns
spec:
  acme:
    email: gavin.tech@qq.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-dns
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com  # Change this, and change the matching groupName in https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml as well
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
Production certificate request

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns
spec:
  acme:
    email: gavin.tech@qq.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-dns
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""  # May be left empty, or set to the matching region, e.g. cn-shenzhen
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
Test certificate (staging)

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: diti-com-staging-tls
spec:
  secretName: diti-com-staging-tls
  commonName: diti.com
  dnsNames:
  - diti.com
  - "*.diti.com"
  issuerRef:
    name: letsencrypt-staging-dns
    kind: ClusterIssuer
Production certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: diti-com-prod-tls
spec:
  secretName: diti-com-prod-tls
  commonName: diti.com
  dnsNames:
  - diti.com
  - "*.diti.com"
  issuerRef:
    name: letsencrypt-prod-dns
    kind: ClusterIssuer

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kuard
  annotations:
    # Be sure to add the following two annotations: they select the ingress class and which cluster-issuer to use
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging-dns"  # Validate with the staging certificate first, then switch to the production one
spec:
  tls:
  - hosts:
    - "*.diti.com"  # A single domain here yields a single-domain certificate; for a wildcard enter "*.example.com". Note: entering example.com alone only produces the one domain www.example.com.
    secretName: diti-com-staging-tls  # Test certificate: the secretName of the Certificate just created. When switching environments, switch the certificate too; unlike the single-domain case it is not generated automatically here
  rules:
  - host: example.diti.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kuard
          servicePort: 80
# Legacy cert-manager (certmanager.k8s.io/v1alpha1 API): install alidns-webhook into the cert-manager namespace with the legacy bundle.
kubectl apply -f https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/legacy.yaml

The sub-account must be granted the management permission (AliyunDNSFullAccess, the permission to manage Alibaba Cloud DNS).

apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
data:
  access-key: YOUR_ACCESS_KEY  # must be base64-encoded first
  secret-key: YOUR_SECRET_KEY  # must be base64-encoded first
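Both Secret manifests in this article (the one in the bundle.yaml section and the one above) require the two values to be base64-encoded by hand, and a trailing newline left behind by `echo` is a classic way to end up with a key the webhook cannot authenticate with. The following shell script is an added example, not part of the original post or of alidns-webhook: it encodes the credentials with printf, round-trips them to verify the encoding, and emits the manifest using the post's Secret name, namespace and key names. The function names and the environment variable names ALIDNS_AK / ALIDNS_SK are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): build the alidns-secret manifest
# from plain-text credentials without hand-encoding base64.
# Assumes the Secret name, namespace and key names used in the post
# (alidns-secret, cert-manager, access-key, secret-key).

# base64 without a trailing newline in the input: `echo` appends "\n", and a
# Secret value encoded from "KEY\n" makes the webhook present a key with a
# newline at the end. printf avoids that; tr strips the wrapping base64 adds.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Round-trip check: decode the encoded value and compare to the original.
b64_roundtrip_ok() {
  [ "$(printf '%s' "$(b64 "$1")" | base64 -d)" = "$1" ]
}

# Emit the Secret manifest. Credentials are passed as arguments (read from
# environment variables below) so they never need to be pasted into a YAML
# file that might get committed.
alidns_secret_manifest() {
  ak="$1"
  sk="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
type: Opaque
data:
  access-key: $(b64 "$ak")
  secret-key: $(b64 "$sk")
EOF
}

# Usage (ALIDNS_AK / ALIDNS_SK are assumed variable names; the values are
# constructed placeholders, not real credentials):
#   ALIDNS_AK=LTAI_example ALIDNS_SK=secret_example sh make-secret.sh | kubectl apply -f -
if [ -n "${ALIDNS_AK:-}" ] && [ -n "${ALIDNS_SK:-}" ]; then
  alidns_secret_manifest "$ALIDNS_AK" "$ALIDNS_SK"
fi
```

Piping the output straight into kubectl apply keeps the encoded credentials out of the working tree; if you do keep the file, treat it like the plain-text keys, since base64 is an encoding and not encryption.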
Test certificate request (staging)

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns
spec:
  acme:
    email: gavin.tech@qq.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-dns
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com  # Change this, and change the matching groupName in https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml as well
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
Production certificate request

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns
spec:
  acme:
    email: gavin.tech@qq.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-dns
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""  # May be left empty, or set to the matching region, e.g. cn-shenzhen
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
Test certificate (staging)

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: diti-com-staging-tls
spec:
  secretName: diti-com-staging-tls
  commonName: diti.com
  dnsNames:
  - diti.com
  - "*.diti.com"
  issuerRef:
    name: letsencrypt-staging-dns
    kind: ClusterIssuer
Production certificate

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: diti-com-prod-tls
spec:
  secretName: diti-com-prod-tls
  commonName: diti.com
  dnsNames:
  - diti.com
  - "*.diti.com"
  issuerRef:
    name: letsencrypt-prod-dns
    kind: ClusterIssuer

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kuard
  annotations:
    # Be sure to add the following two annotations: they select the ingress class and which cluster-issuer to use
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging-dns"  # Validate with the staging certificate first, then switch to the production one
spec:
  tls:
  - hosts:
    - "*.diti.com"  # A single domain here yields a single-domain certificate; for a wildcard enter "*.example.com". Note: entering example.com alone only produces the one domain www.example.com.
    secretName: diti-com-staging-tls  # Test certificate: the secretName of the Certificate just created. When switching environments, switch the certificate too; unlike the single-domain case it is not generated automatically here
  rules:
  - host: example.diti.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kuard
          servicePort: 80
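The comments in the two wildcard Ingress manifests warn that the hosts and the secretName must agree with the Certificate, and a wildcard name only covers one extra label, so a host such as a.b.diti.com or the bare diti.com is not covered by "*.diti.com" alone. The following shell functions are an added example, not from the original post: given a Certificate's dnsNames and the hosts an Ingress serves, they list every host the certificate would not cover, implementing the single-label wildcard rule. The domain diti.com is the post's; the extra hosts and the function names are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the hosts an
# Ingress serves are covered by the dnsNames of the Certificate whose
# secretName the Ingress references. Function names are constructed here.

# Does one dnsName entry cover one host?
# A wildcard such as "*.diti.com" matches exactly one extra label:
# "example.diti.com" yes, "diti.com" no, "a.b.diti.com" no.
# DNS names are case-insensitive, so both sides are lower-cased first.
dns_name_covers() {
  pattern="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  case "$pattern" in
    \*.*)
      suffix="${pattern#\*.}"
      # the host must end in the suffix with exactly one label in front of it
      [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# Given the Certificate's dnsNames and the Ingress hosts (both as
# space-separated lists), print every host no dnsName covers.
# Returns 0 when all hosts are covered, 1 otherwise.
uncovered_hosts() {
  names="$1"
  hosts="$2"
  rc=0
  for h in $hosts; do
    ok=1
    for n in $names; do
      if dns_name_covers "$n" "$h"; then ok=0; break; fi
    done
    if [ "$ok" -ne 0 ]; then
      echo "$h"
      rc=1
    fi
  done
  return $rc
}

# The post's wildcard Certificate covers these names:
CERT_DNS_NAMES='diti.com *.diti.com'
# Constructed host list: the post's example.diti.com and diti.com, plus two
# hosts the certificate does not cover (a second-level subdomain and another domain).
INGRESS_HOSTS='example.diti.com diti.com api.internal.diti.com www.other.com'

# Usage: report the uncovered hosts, exit non-zero if there are any.
if [ "${1:-}" = "--check" ]; then
  uncovered_hosts "$CERT_DNS_NAMES" "$INGRESS_HOSTS"
fi
```

Run the check before applying an Ingress that references a wildcard secret: a host that the check reports will be served with a certificate the browser rejects, even though cert-manager reports the Certificate as ready.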
Copyright © 億企邦 1997-2025. All rights reserved.