k8s cert manager

cert-manager

It supports issuing certificates from Let's Encrypt, HashiCorp Vault, Venafi and other issuers.

Issuer/ClusterIssuer

Certificate

ACME Orders and Challenges

Webhook

CA Injector


+-------------+
| Ingress/ |
| annotations |
+------+------+
|
| watch ingress change
|
v
+-------------+
| Issuer/ |
| ClusterIssuer |
+------+------+
|
| Create CertificateRequest
|
v
+------+------+
|CertificateRequest|
+------+------+
|
| Create Order
|
v
+------+------+
| Order |
+------+------+
|
| Create Challenges
|
v
+------+------+
| Challenge |
+------+------+
|
| Respond to Challenge
|
v
+------+------+
|ChallengeResponse|
+------+------+
|
| Issue Certificate
|
v
+------+------+
| Secret |
+------+------+

doc cert-manager

https://cert-manager.io/docs/installation/helm/

❯ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
❯ helm pull jetstack/cert-manager --untar
❯ kubectl apply -f ./cert-manager.crds.yaml #--set installCRDs=true
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
# Notes sit above the command because a comment cannot follow a trailing backslash:
# --set installCRDs=true        : only needed if the CRDs were not applied with kubectl above
# --set prometheus.enabled=false: example of disabling prometheus using a Helm parameter
# --set webhook.timeoutSeconds=4: example of changing the webhook timeout using a Helm parameter
helm install cert-manager ./cert-manager \
  -f ./cert-manager/values.yaml \
  --namespace cert-manager \
  --create-namespace \
  --version v1.12.4 \
  --set prometheus.enabled=false \
  --set webhook.timeoutSeconds=4
helm install cert-manager ./cert-manager -f ./cert-manager/values.yaml --namespace cert-manager --create-namespace --set webhook.timeoutSeconds=4 --set installCRDs=true

❯ helm uninstall cert-manager --namespace cert-manager
release "cert-manager" uninstalled

issuers

selfSigned

# issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer
  namespace: config
spec:
  selfSigned: {}
---
# httpbin-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local
  namespace: config
spec:
  secretName: local.org-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - cs
  commonName: local.org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - "local.org"
    - "*.local.org"
  issuerRef:
    name: issuer
    kind: Issuer
    group: cert-manager.io
  
❯ kubectl get Certificate  -n config -o wide
NAME READY SECRET ISSUER STATUS AGE
local True local.org-tls issuer Certificate is up to date and has not expired 11m

kpi

Vault Binary download for Linux

❯  helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
❯ helm pull hashicorp/vault --untar

helm install -f ./vault/values.yaml vault --namespace vault ./vault --create-namespace

helm uninstall vault --namespace vault
  • failed to initialize barrier: failed to persist keyring: mkdir /vault/data/core: permission denied

    Check the NFS export permissions in /etc/exports (the export must be rw).

    The no_root_squash option ensures the root user (UID 0) on the NFS client is kept as root rather than squashed.

    The vault user inside the container falls under the "other" permission class, so the NFS host directory needs chmod go+rw -R ./vault/* (note that this makes the storage directory group- and world-writable; tighten it to the container's UID once that is known).

❯ kubectl exec vault-0 -n vault -- vault operator init \
-key-shares=1 \
-key-threshold=1 \
-format=json >> ./vault/cluster-keys.json
❯ jq -r ".unseal_keys_b64[]" ./vault/cluster-keys.json
0pnsR3Z5j+lDXes6y6LaS0wh0IwuNn9FI/AMjsrR6w8=
❯ kubectl exec vault-0 -n vault -- vault operator unseal 0pnsR3Z5j+lDXes6y6LaS0wh0IwuNn9FI/AMjsrR6w8=

Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.14.0
Build Date 2023-06-19T11:40:23Z
Storage Type raft
Cluster Name vault-cluster-e7311051
Cluster ID b481f479-636b-44de-0133-0358e278547d
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address
Raft Committed Index 31
Raft Applied Index 31

vault operator init -key-shares=5 -key-threshold=3
# -key-shares: total number of key shares to generate
# -key-threshold: number of shares required to unseal
# these values are the defaults and may be omitted
kubectl exec vault-0 -n vault -- vault status

https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-minikube-tls

kubectl exec -ti vault-1 -n vault -- vault operator raft join -address=http://vault-1.vault-internal:8200


https://help.aliyun.com/zh/ack/ack-managed-and-ack-dedicated/security-and-compliance/use-vault-as-a-key-management-service#3a460810ef6sd

Every vault instance must be unsealed.

❯ kubectl debug -it vault-2  -n vault  --image=k8s.org/cs/netshoot   -- sh
Defaulting debug container name to debugger-p6d5h.
If you don't see a command prompt, try pressing enter.
/root $ telnet vault-0.vault-internal:8201
telnet: can't connect to remote host (121.21.80.178): Connection refused
/root $ telnet vault-1.vault-internal:8201
Connected to vault-1.vault-internal:8201
/root $ telnet vault-2.vault-internal:8201
Connected to vault-2.vault-internal:8201

[ERROR] storage.raft: failed to heartbeat to: peer=vault-0.vault-internal:8201 backoff time=2.5s error="dial tcp 121.21.80.178:8201: connect: connection refused"

2023-09-20T06:41:19.836Z [INFO] storage.raft: pipelining replication: peer="{Voter vault-0 vault-0.vault-internal:8201}"

Every restart requires manually unsealing all vault instances; use auto-unseal (autounseal-transit) instead.

Automating the management of vault configuration

https://github.com/pulumi/pulumi-vault

path "local/*" {
  capabilities = ["read", "list"]
}

// allow creating child tokens
path "auth/token/create" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

traefik

https://www.boysec.cn/boy/393ed77e.html#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%88%E6%8E%A8%E8%8D%90%EF%BC%89

ingress

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL (production: https://acme-v02.api.letsencrypt.org/directory)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: xxx@xx.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx