Time: 2023-02-19 22:24:01 | Source: 建站知識
Enabling a free wildcard SSL certificate for a KubeSphere cluster, with automatic certificate renewal and distribution. Author: scwang18, mainly responsible for technical architecture, with considerable research in the container cloud field.
Let's Encrypt wildcard certificates give services exposed outside the Kubernetes cluster automatic certificate configuration and automatic renewal on expiry, so they can be reached over HTTPS. We also deployed a certificate auto-distribution component that copies the certificate file to other namespaces automatically. Let's Encrypt, HashiCorp Vault ... the issuance of these free certificates. In a KubeSphere cluster, we can combine Kubernetes Ingress with Let's Encrypt to get automated HTTPS for external services.

Install cert-manager:

```shell
$ kubectl create ns cert-manager
# remove any previous release first (the jetstack repo must already be added:
# helm repo add jetstack https://charts.jetstack.io)
$ helm uninstall cert-manager -n cert-manager
$ helm install cert-manager jetstack/cert-manager \
    -n cert-manager \
    --version v1.8.0 \
    --set installCRDs=true \
    --set prometheus.enabled=false \
    --set 'extraArgs={--dns01-recursive-nameservers-only,--dns01-recursive-nameservers=119.29.29.29:53\,8.8.8.8:53}'
```
```yaml
# ClusterIssuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: scwang18@xxx.xxx
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
```
Apply the ClusterIssuer:

```shell
$ kubectl apply -f ClusterIssuer.yaml -n cert-manager
```

Once this succeeds, the key material for the issuer account (the `privateKeySecretRef` above) is kept in the Secret named `issuer-account-key`.

```shell
$ kubectl -n infra get certificate
```
```yaml
# ingress-wikijs.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  name: ingress-wikijs
spec:
  ingressClassName: nginx
  rules:
  - host: wiki.xxx.xxx
    http:
      paths:
      - backend:
          service:
            name: wikijs
            port:
              number: 3000
        path: /
        pathType: Prefix
  tls:
  - hosts:
    # must match the rule host above, otherwise the issued certificate
    # will not be served for wiki.xxx.xxx
    - wiki.xxx.xxx
    secretName: ingress-wikijs-tls
```
Note: in `annotations`, `cert-manager.io/cluster-issuer` is set to `letsencrypt`, the ClusterIssuer created above for signing. Once the Ingress is created from the yaml file, it can serve HTTPS externally.

```shell
# create the ingress
kubectl apply -f ingress-wikijs.yaml -n infra
```
```shell
$ helm repo add roc https://charts.imroc.cc
$ helm uninstall cert-manager-webhook-dnspod -n cert-manager
# secretId / secretKey are the DNSPod API credentials; the values below are
# the ones printed in the original post, treat them as placeholders
$ helm install cert-manager-webhook-dnspod roc/cert-manager-webhook-dnspod \
    -n cert-manager \
    --set clusterIssuer.secretId=AKIDVt3z4uVss11xjIdmddgMmHXXssssHp9D2buxrWR8 \
    --set clusterIssuer.secretKey=SekbG2gqdflQs5xxxviGagX8TYO \
    --set clusterIssuer.email=xxx@xxx.xxx
```
```yaml
# ipincloud-crt.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ipincloud-crt
spec:
  secretName: ipincloud-crt
  issuerRef:
    name: dnspod
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
  - "*.xxx.xxx"
```
創(chuàng)建集群證書頒發(fā)者:$ kubectl apply -f ipincloud-crt.yaml -n infra
```
$ kubectl get Certificate -n cert-manager
NAME                                      READY   SECRET                                    AGE
cert-manager-webhook-dnspod-ca            True    cert-manager-webhook-dnspod-ca            18m
cert-manager-webhook-dnspod-webhook-tls   True    cert-manager-webhook-dnspod-webhook-tls   18m
ipincloud-crt                             True    ipincloud-crt                             3m12s
```
The listing shows that ipincloud-crt was created successfully and its READY state is True.

```
$ kubectl describe Certificate ipincloud-crt -n cert-manager
Name:         ipincloud-crt
Namespace:    cert-manager
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-05-07T14:19:07Z
  ...
Spec:
  Dns Names:
    *.xxx.xxx
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       dnspod
  Secret Name:  ipincloud-crt
Status:
  Conditions:
    Last Transition Time:  2022-05-07T14:19:14Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-08-05T13:19:11Z
  Not Before:              2022-05-07T13:19:12Z
  Renewal Time:            2022-07-06T13:19:11Z
  Revision:                1
Events:
  Type    Reason     Age    From                                       Message
  ----    ------     ----   ----                                       -------
  Normal  Issuing    4m35s  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  4m35s  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "ipincloud-crt-4ml59"
  Normal  Requested  4m35s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "ipincloud-crt-r76wp"
  Normal  Issuing    4m28s  cert-manager-certificates-issuing          The certificate has been successfully issued
```
The Certificate description shows that this certificate covers the whole wildcard *.xxx.xxx.

```
$ kubectl describe secret ipincloud-crt -n cert-manager
Name:         ipincloud-crt
Namespace:    cert-manager
Labels:       <none>
Annotations:  cert-manager.io/alt-names: *.xxx.xxx
              cert-manager.io/certificate-name: ipincloud-crt
              cert-manager.io/common-name: *.xxx.xxx
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: dnspod
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
tls.crt:  5587 bytes
tls.key:  1675 bytes
```
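Two things in the output above are worth checking for yourself before reusing the Secret in other namespaces: which hosts a `*.xxx.xxx` certificate actually covers (a wildcard matches exactly one label, so `wiki.xxx.xxx` is fine but the apex `xxx.xxx` and `a.wiki.xxx.xxx` are not), and where the `Renewal Time` comes from (cert-manager's default is to renew when one third of the lifetime remains, which is why 2022-07-06T13:19:11Z sits two thirds of the way between Not Before and Not After). The following Go program is an added example written for this article; it is not code from the post, cert-manager or kubed. It builds a constructed, self-signed wildcard certificate in memory standing in for the `tls.crt`/`tls.key` data of the Secret, verifies that the key pair matches the way an ingress controller would, checks host coverage with the standard library's wildcard rules, and reproduces the renewal calculation using the dates from the output above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeWildcardSecret builds a constructed kubernetes.io/tls payload (tls.crt and
// tls.key PEM bytes) for *.xxx.xxx. It is self-signed so the example runs
// offline; the Secret on the page was issued by Let's Encrypt.
func makeWildcardSecret(notBefore, notAfter time.Time) (crtPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "*.xxx.xxx"},
		DNSNames:     []string{"*.xxx.xxx"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	crtPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return crtPEM, keyPEM, nil
}

// ParseTLSSecret checks that tls.crt and tls.key belong together (the same
// check an ingress controller performs when it loads the Secret) and returns
// the leaf certificate.
func ParseTLSSecret(crtPEM, keyPEM []byte) (*x509.Certificate, error) {
	pair, err := tls.X509KeyPair(crtPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("tls.crt and tls.key do not match: %w", err)
	}
	return x509.ParseCertificate(pair.Certificate[0])
}

// Covers reports whether the certificate is valid for host, using the same
// wildcard rules TLS clients apply: "*.xxx.xxx" matches exactly one label.
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// RenewalTime reproduces cert-manager's default schedule: renewBefore is one
// third of the certificate lifetime, so renewal is scheduled at
// notAfter - lifetime/3, truncated to whole seconds.
func RenewalTime(notBefore, notAfter time.Time) time.Time {
	lifetime := notAfter.Sub(notBefore)
	return notAfter.Add(-lifetime / 3).Truncate(time.Second)
}

func main() {
	// validity window copied from the Certificate description on the page
	notBefore := time.Date(2022, 5, 7, 13, 19, 12, 0, time.UTC)
	notAfter := time.Date(2022, 8, 5, 13, 19, 11, 0, time.UTC)
	crt, key, err := makeWildcardSecret(notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	cert, err := ParseTLSSecret(crt, key)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"wiki.xxx.xxx", "xxx.xxx", "a.wiki.xxx.xxx"} {
		fmt.Printf("%-16s covered=%v\n", h, Covers(cert, h))
	}
	fmt.Println("renewal time:", RenewalTime(cert.NotBefore, cert.NotAfter).Format(time.RFC3339))
}
```

Running it prints `covered=true` only for `wiki.xxx.xxx` and a renewal time of `2022-07-06T13:19:11Z`, the value cert-manager reported. To run the same checks against the real Secret, feed it the decoded `tls.crt` and `tls.key` fields from `kubectl get secret ipincloud-crt -n cert-manager -o json` instead of the constructed pair.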
The TLS certificate is stored in the `ipincloud-crt` Secret in the cert-manager namespace and can be used by any service under `*.xxx.xxx`.

```
$ kubectl get challenge -A
NAMESPACE      NAME                                      STATE     DOMAIN    AGE
cert-manager   ipincloud-crt-f9kp6-381578565-136350475   pending   xxx.xxx   24s
```
Looking at the reason, it reads: Waiting for DNS-01 challenge propagation: DNS record for "xxx.xxx" not yet propagated.

```
$ kubectl -n cert-manager describe challenge ipincloud-crt-f9kp6-381578565-136350475
Name:         ipincloud-crt-f9kp6-381578565-136350475
Namespace:    cert-manager
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge
--- middle omitted ---
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for DNS-01 challenge propagation: DNS record for "xxx.xxx" not yet propagated
  State:       pending
Events:
  Type    Reason     Age   From                     Message
  ----    ------     ----  ----                     -------
  Normal  Started    41s   cert-manager-challenges  Challenge scheduled for processing
  Normal  Presented  39s   cert-manager-challenges  Presented challenge using DNS-01 challenge mechanism
```
After going through a lot of material, I found the solution on the official site: force cert-manager to use specified DNS servers for the DNS-01 self-check, which is what this install option does.

```shell
--set 'extraArgs={--dns01-recursive-nameservers-only,--dns01-recursive-nameservers=119.29.29.29:53\,8.8.8.8:53}'
```
Reference: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check

Install kubed, the component that syncs the certificate Secret to other namespaces:

```shell
$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm install kubed appscode/kubed \
    --version v0.13.2 \
    --namespace cert-manager
```
```yaml
# ipincloud-crt.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ipincloud-crt
spec:
  secretName: ipincloud-crt
  issuerRef:
    name: dnspod
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
  - "*.xxx.xxx"
  secretTemplate:
    annotations:
      kubed.appscode.com/sync: "cert-manager-tls=ipincloud-crt"
```
The `kubed.appscode.com/sync` annotation makes kubed copy the Secret into every namespace that carries the label `cert-manager-tls=ipincloud-crt`, so each namespace that should receive the synced Secret has to be given that label.

```shell
$ kubectl label ns default cert-manager-tls=ipincloud-crt
$ kubectl label ns app cert-manager-tls=ipincloud-crt
$ kubectl label ns dev-app cert-manager-tls=ipincloud-crt
$ kubectl label ns dev-infra cert-manager-tls=ipincloud-crt
$ kubectl label ns dev-wly cert-manager-tls=ipincloud-crt
$ kubectl label ns infra cert-manager-tls=ipincloud-crt
$ kubectl label ns istio-system cert-manager-tls=ipincloud-crt
$ kubectl label ns uat-app cert-manager-tls=ipincloud-crt
$ kubectl label ns uat-wly cert-manager-tls=ipincloud-crt
$ kubectl label ns wly cert-manager-tls=ipincloud-crt
$ kubectl label ns kubesphere-controls-system cert-manager-tls=ipincloud-crt
```
```
$ kubectl get secret ipincloud-crt
NAME            TYPE                DATA   AGE
ipincloud-crt   kubernetes.io/tls   2      18m
```
查看復(fù)制的 secret ,可以看到 label 信息中記錄了證書來源信息。$ kubectl describe secret ipincloud-crtName: ipincloud-crtNamespace: defaultLabels: kubed.appscode.com/origin.cluster=unicorn kubed.appscode.com/origin.name=ipincloud-crt kubed.appscode.com/origin.namespace=cert-managerAnnotations: cert-manager.io/alt-names: *.xxx.xxx cert-manager.io/certificate-name: ipincloud-crt cert-manager.io/common-name: *.xxx.xxx cert-manager.io/ip-sans: cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: ClusterIssuer cert-manager.io/issuer-name: dnspod cert-manager.io/uri-sans: kubed.appscode.com/origin: {"namespace":"cert-manager","name":"ipincloud-crt","uid":"b4713633-731e-4151-844f-0f6d9cf6352c","resourceVersion":"12531075"}Type: kubernetes.io/tlsData====tls.crt: 5587 bytestls.key: 1675 bytes
The Ingress in the infra namespace now references the synced Secret directly, with no `cert-manager.io/cluster-issuer` annotation:

```yaml
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: wikijs
  namespace: infra
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: '0'
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - wiki.xxx.xxx
    secretName: ipincloud-crt
  rules:
  - host: wiki.xxx.xxx
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: wikijs
            port:
              number: 3000
```
```
$ curl -I https://wiki.xxx.xxx
HTTP/1.1 302 Found
Date: Sat, 07 May 2022 14:52:39 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 28
Connection: keep-alive
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge
Referrer-Policy: same-origin
Content-Language: zh
Set-Cookie: loginRedirect=%2F; Max-Age=900; Path=/; Expires=Sat, 07 May 2022 15:07:39 GMT
Location: /login
Vary: Accept, Accept-Encoding
Strict-Transport-Security: max-age=15724800; includeSubDomains
```
As shown above, HTTPS is now working. This article was published through the OpenWrite multi-platform blog publishing service.