cert-manager installation and deployment
1. Official installation documentation
https://cert-manager.io/docs/installation/
1.1 Introduction
cert-manager adds certificates and certificate issuers as resource types in a Kubernetes cluster, and simplifies the process of obtaining, renewing and using those certificates.
It can issue certificates from a variety of supported sources, including Let's Encrypt, HashiCorp Vault and Venafi, as well as a private PKI.
1.2 Issuers
After installing cert-manager, the first thing to configure is an issuer, which you can then use to issue certificates.
cert-manager ships with several built-in issuer types, represented as resources in the cert-manager.io API group. Besides the built-in types you can also install external issuers; both kinds are treated the same way and are configured similarly.
The issuer types are:
SelfSigned
CA (certificate authority)
HashiCorp Vault
Venafi (SaaS service)
External
ACME (Automatic Certificate Management Environment), with two challenge solvers:
HTTP01
DNS01
1.3 SelfSigned
For example (this is the object read back from the cluster, which is why it carries a status block):
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  annotations:
    meta.helm.sh/release-name: cert-manager-webhook-dnspod
    meta.helm.sh/release-namespace: cert-manager
  labels:
    app: cert-manager-webhook-dnspod
    app.kubernetes.io/managed-by: Helm
    chart: cert-manager-webhook-dnspod-1.2.0
    heritage: Helm
    release: cert-manager-webhook-dnspod
  name: cert-manager-webhook-dnspod-selfsign
  namespace: cert-manager
spec:
  selfSigned: {}
status:
  conditions:
  - lastTransitionTime: "2022-03-01T13:38:53Z"
    observedGeneration: 1
    reason: IsReady
    status: "True"
    type: Ready
1.4 ACME – HTTP01
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  annotations:
    meta.helm.sh/release-name: rancher
    meta.helm.sh/release-namespace: cattle-system
  generation: 2
  labels:
    app: rancher
    app.kubernetes.io/managed-by: Helm
    chart: rancher-2.6.4
    heritage: Helm
    release: rancher
  name: rancher
  namespace: cattle-system
spec:
  acme:
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress: {}
status:
  acme: {}
  conditions:
  - lastTransitionTime: "2022-03-08T14:34:08Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 2
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
1.5 ACME – DNS01
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: cert-manager-webhook-dnspod
    meta.helm.sh/release-namespace: cert-manager
  labels:
    app: cert-manager-webhook-dnspod
    app.kubernetes.io/managed-by: Helm
    chart: cert-manager-webhook-dnspod-1.2.0
    heritage: Helm
    release: cert-manager-webhook-dnspod
spec:
  acme:
    email: cuikaidong@foxmail.com
    preferredChain: ""
    privateKeySecretRef:
      name: cert-manager-webhook-dnspod-letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            secretId: my-secret-id
            secretKeyRef:
              key: secret-key
              name: cert-manager-webhook-dnspod-secret
            ttl: 600
          groupName: acme.imroc.cc
          solverName: dnspod
status:
  acme:
    lastRegisteredEmail: cuikaidong@foxmail.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/431637010
  conditions:
  - lastTransitionTime: "2022-03-01T13:38:55Z"
    message: The ACME account was registered with the ACME server
    observedGeneration: 1
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
Note that the DNS provider's API secret is not embedded in the issuer: the webhook reads it from the Secret named by secretKeyRef, so only the non-sensitive secretId appears in the ClusterIssuer object.
2. cert-manager version and Kubernetes version support matrix
Official documentation: https://cert-manager.io/docs/installation/supported-releases/
3. Deploying with the YAML manifest
Kubernetes version 1.18.20, cert-manager 1.8:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
Verify that the pods are running. All three components (controller, cainjector and webhook) must reach Running, otherwise Issuer and Certificate objects will not be admitted or reconciled:
[root@k8s-node rancher]# kubectl get pod -o wide -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE    IP              NODE       NOMINATED NODE   READINESS GATES
cert-manager-744c65bc9b-2vgl5              1/1     Running   0          6h2m   10.42.113.139   k8s-node   <none>           <none>
cert-manager-cainjector-85dd4cc89f-grs6s   1/1     Running   0          6h2m   10.42.113.138   k8s-node   <none>           <none>
cert-manager-webhook-5cf5c59b-vsg55        1/1     Running   0          6h2m   10.42.113.140   k8s-node   <none>           <none>
4. Deploying with Helm
4.1 Add the Helm repository
helm repo add jetstack https://charts.jetstack.io
4.2 Update the repository index
helm repo update
4.3 Install cert-manager
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.8.0 \
  --set installCRDs=true
The installCRDs=true value (commented out in the original command) makes the chart install the cert-manager CRDs. If you leave it out, apply the CRDs from the matching release yourself (https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.crds.yaml) before installing the chart, otherwise the Issuer and Certificate resources below will be rejected by the API server.
5. Requesting free 90-day (three-month) certificates with cert-manager
5.1 Create an HTTP-01 issuer
[root@k8s-node ~]# cat clusterissuer-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    #server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
The commented-out staging endpoint is the one to use while testing: the production endpoint enforces rate limits, and a misconfigured solver can burn through them quickly. The ACME account private key is stored in the Secret named by privateKeySecretRef; because this is a ClusterIssuer, that Secret lives in cert-manager's own namespace rather than the Certificate's.
5.2 Request a certificate for the domains with HTTP-01
[root@k8s-node ~]# cat ssl.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl                  # name of the Certificate resource
  namespace: cert-manager    # namespace the Certificate (and its Secret) live in
spec:
  secretName: ssl            # Secret that will receive tls.crt and tls.key
  issuerRef:
    name: letsencrypt-prod   # the ClusterIssuer created in 5.1
    kind: ClusterIssuer
  duration: 2160h
  renewBefore: 360h
  dnsNames:
  - www.demo.cn
  - app.demo.cn
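Once ssl.yaml has been applied, the Certificate's status is where to look to see whether issuance worked and when renewal is due. The script below is an added example, not code from the original page or from cert-manager: it evaluates the JSON that `kubectl get certificate ssl -n cert-manager -o json` returns. The two JSON documents embedded in it are constructed to resemble cert-manager 1.8 output for the Certificate above, one after Let's Encrypt issued it and one while the first ACME order is still pending; the timestamps are invented.

```python
"""Evaluate a cert-manager Certificate from `kubectl get certificate -o json`.

Added example for this page; the JSON samples are constructed, not real cluster
output, and the timestamps are invented.
"""
import json
from datetime import datetime, timezone

# Constructed: the Certificate "ssl" from section 5.2 after Let's Encrypt issued it.
ISSUED = json.dumps({
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {"name": "ssl", "namespace": "cert-manager"},
    "spec": {
        "secretName": "ssl",
        "duration": "2160h",
        "renewBefore": "360h",
        "dnsNames": ["www.demo.cn", "app.demo.cn"],
        "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
    },
    "status": {
        "conditions": [
            {"type": "Ready", "status": "True", "reason": "Ready",
             "message": "Certificate is up to date and has not expired"},
        ],
        "notBefore": "2022-03-08T14:34:08Z",
        "notAfter": "2022-06-06T14:34:08Z",     # 90 days after notBefore
        "renewalTime": "2022-05-22T14:34:08Z",  # notAfter minus renewBefore (360h)
        "revision": 1,
    },
})

# Constructed: the same Certificate while the first ACME order is still pending.
PENDING = json.dumps({
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {"name": "ssl", "namespace": "cert-manager"},
    "spec": {"secretName": "ssl", "dnsNames": ["www.demo.cn", "app.demo.cn"],
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
    "status": {
        "conditions": [
            {"type": "Ready", "status": "False", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
            {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
        ],
    },
})


def parse_k8s_time(text):
    """Kubernetes serialises times as RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(cert_json, now=None):
    """Summarise readiness and expiry of one Certificate object.

    `now` may be a datetime, an RFC 3339 string, or None (current UTC time).
    Returns a dict with 'ready', 'issuing', 'days_left' (None until issued),
    'renewal_due' and a list of human-readable 'warnings'.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_k8s_time(now)
    cert = json.loads(cert_json)
    status = cert.get("status", {})
    conditions = {c["type"]: c for c in status.get("conditions", [])}
    ready = conditions.get("Ready", {})
    issuing = conditions.get("Issuing", {})

    result = {
        "name": f'{cert["metadata"]["namespace"]}/{cert["metadata"]["name"]}',
        "ready": ready.get("status") == "True",
        "issuing": issuing.get("status") == "True",
        "days_left": None,
        "renewal_due": False,
        "warnings": [],
    }
    if not result["ready"]:
        # The Ready condition's reason/message is what `kubectl describe` shows
        # and is usually enough to tell a missing Secret from a failed challenge.
        result["warnings"].append(
            f'not ready ({ready.get("reason", "unknown")}): {ready.get("message", "")}')
    if "notAfter" in status:
        not_after = parse_k8s_time(status["notAfter"])
        result["days_left"] = (not_after - now).days
        if not_after <= now:
            result["warnings"].append("certificate has expired")
    if "renewalTime" in status:
        result["renewal_due"] = parse_k8s_time(status["renewalTime"]) <= now
        # Renewal time passed but no Issuing condition: the controller has not
        # started a new order, which is worth alerting on.
        if result["renewal_due"] and not result["issuing"]:
            result["warnings"].append("renewal time passed but no Issuing condition")
    return result


if __name__ == "__main__":
    for label, doc in (("issued", ISSUED), ("pending", PENDING)):
        print(label, evaluate(doc, now="2022-05-01T00:00:00Z"))
```

Pipe real output in with `kubectl get certificate -A -o json` and loop over `.items`; the same evaluation applies to each element. For a Certificate that stays not ready with an ACME reason, `kubectl describe order` and `kubectl describe challenge` in the same namespace show the solver's error.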
Issuer/ClusterIssuer: tells cert-manager how to issue certificates; this article covers the ACME method for free certificates. The only difference between the two is scope: an Issuer can only sign certificates in its own namespace, while a ClusterIssuer can sign certificates in any namespace. Certificate: tells cert-manager which domain names we want a certificate for, along with the configuration needed to issue it, including the reference to the Issuer/ClusterIssuer. The issued key pair is written to the Secret named by secretName in the Certificate's own namespace, so create the Certificate in the namespace of the Ingress (or other workload) that will reference that Secret. With the HTTP-01 solver, every name in dnsNames must also resolve to the cluster's ingress so that Let's Encrypt can reach the challenge path.
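The scoping rule above, together with the duration and renewBefore settings in ssl.yaml, is easy to get wrong and the resulting error only shows up after the Certificate is applied. The following is an added example, not cert-manager's own validation and not code from the page: it lints a Certificate against the issuers that could serve it. The clusterissuer-prod.yaml and ssl.yaml manifests are written here as Python dicts (what yaml.safe_load would return); the Issuer "letsencrypt-dev" in namespace "apps" and the Certificates "bad" and "dev" are constructed to exercise the failure cases. Treating a Certificate without a namespace as living in "default" is an assumption of this example.

```python
"""Lint a cert-manager Certificate against the issuers available to it.

Added example for this page, not cert-manager's own validation. The two
manifests from the page are embedded as dicts; the "letsencrypt-dev" Issuer
and the "bad"/"dev" Certificates are constructed for the negative cases.
"""
import re

UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
LETSENCRYPT_LIFETIME = 90 * 24 * 3600   # Let's Encrypt always issues 90-day certs


def parse_duration(text):
    """Parse a Go-style duration ('2160h', '1h30m') into seconds (no sub-second units)."""
    if not re.fullmatch(r"(\d+(?:\.\d+)?[hms])+", text):
        raise ValueError(f"bad duration: {text!r}")
    return int(sum(float(n) * UNIT_SECONDS[u]
                   for n, u in re.findall(r"(\d+(?:\.\d+)?)([hms])", text)))


def find_issuer(ref, cert_namespace, issuers):
    """Resolve issuerRef the way cert-manager does: a ClusterIssuer is cluster-wide,
    an Issuer must sit in the Certificate's own namespace."""
    kind = ref.get("kind", "Issuer")
    for iss in issuers:
        if iss["kind"] != kind or iss["metadata"]["name"] != ref["name"]:
            continue
        if kind == "Issuer" and iss["metadata"].get("namespace", "default") != cert_namespace:
            continue
        return iss
    return None


def lint_certificate(cert, issuers):
    """Return a list of findings; an empty list means the Certificate looks usable."""
    findings = []
    meta, spec = cert["metadata"], cert["spec"]
    ns = meta.get("namespace", "default")   # assumption: no namespace means 'default'
    ref = spec["issuerRef"]
    kind = ref.get("kind", "Issuer")

    issuer = find_issuer(ref, ns, issuers)
    if issuer is None:
        elsewhere = [i["metadata"].get("namespace", "default") for i in issuers
                     if i["kind"] == "Issuer" and i["metadata"]["name"] == ref["name"]]
        if kind == "Issuer" and elsewhere:
            findings.append(f"Issuer {ref['name']} exists in {elsewhere} but not in {ns}; "
                            "an Issuer only signs certificates in its own namespace")
        else:
            findings.append(f"{kind} {ref['name']} not found")

    if not spec.get("dnsNames") and not spec.get("commonName"):
        findings.append("no dnsNames or commonName requested")

    duration = parse_duration(spec.get("duration", "2160h"))       # cert-manager default: 90d
    renew_before = (parse_duration(spec["renewBefore"]) if "renewBefore" in spec
                    else duration // 3)                              # default: renew at 2/3 of life
    if renew_before >= duration:
        findings.append("renewBefore must be shorter than duration")

    acme = (issuer or {}).get("spec", {}).get("acme")
    if acme:
        server = acme.get("server", "")
        if "letsencrypt.org" in server and duration > LETSENCRYPT_LIFETIME:
            findings.append("Let's Encrypt issues 90-day certificates regardless of duration")
        if "acme-staging" in server:
            findings.append("issuer uses the Let's Encrypt staging endpoint; "
                            "the certificate will not be trusted by browsers")
    return findings


# From the page: clusterissuer-prod.yaml
CLUSTER_ISSUER_PROD = {
    "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod"},
    "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
                      "privateKeySecretRef": {"name": "letsencrypt-prod"},
                      "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
}
# Constructed: a namespaced Issuer in "apps" pointed at the staging endpoint
ISSUER_DEV = {
    "apiVersion": "cert-manager.io/v1", "kind": "Issuer",
    "metadata": {"name": "letsencrypt-dev", "namespace": "apps"},
    "spec": {"acme": {"server": "https://acme-staging-v02.api.letsencrypt.org/directory",
                      "privateKeySecretRef": {"name": "letsencrypt-dev"},
                      "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
}
# From the page: ssl.yaml
CERT_SSL = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "ssl", "namespace": "cert-manager"},
    "spec": {"secretName": "ssl",
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
             "duration": "2160h", "renewBefore": "360h",
             "dnsNames": ["www.demo.cn", "app.demo.cn"]},
}
# Constructed: references the namespaced Issuer from the wrong namespace and
# sets renewBefore equal to duration
CERT_BAD = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "bad", "namespace": "cert-manager"},
    "spec": {"secretName": "bad",
             "issuerRef": {"name": "letsencrypt-dev", "kind": "Issuer"},
             "duration": "2160h", "renewBefore": "2160h",
             "dnsNames": ["www.demo.cn"]},
}
# Constructed: correctly scoped to "apps", but the issuer is the staging one
CERT_DEV = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "dev", "namespace": "apps"},
    "spec": {"secretName": "dev",
             "issuerRef": {"name": "letsencrypt-dev", "kind": "Issuer"},
             "dnsNames": ["www.demo.cn"]},
}
```

Run it over the output of `kubectl get issuer,clusterissuer -A -o json` and `kubectl get certificate -A -o json` by feeding the `.items` lists in; the only page-specific part is the set of embedded manifests.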
Reference: https://blog.csdn.net/weixin_44692256/article/details/108274385