侧边栏壁纸
博主头像
运维日记-记录IT运维经验博主等级

行动起来,活在当下

  • 累计撰写 66 篇文章
  • 累计创建 7 个标签
  • 累计收到 0 条评论

目 录CONTENT

文章目录

cert-manager部署签发证书

xlong
2024-03-29 / 0 评论 / 0 点赞 / 3 阅读 / 9021 字 / 正在检测是否收录...

cert-manager安装

helm repo add jetstack https://charts.jetstack.io
helm repo update
wget https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.crds.yaml
kubectl apply -f cert-manager.crds.yaml 
​
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.12.9 \
  --set installCRDs=false \
  --set prometheus.enabled=false 
​

签发单域名证书

安装ClusterIssuer

# cat letsencrypt-prod-istio-ClusterIssuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-istio
spec:
  acme:
    email: ccreate-tech@outlook.com
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod-istio-issuer-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio  #配置外部网关为istio
          #          ingressTemplate:
          #            metadata:
          #                kubernetes.io/ingress.class: istio
          #          podTemplate:
          #            metadata:
          #                sidecar.istio.io/inject: "true"

创建 ClusterIssuer

# cat acme-all-abc-com-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-all-yunchuangbangong-com
  namespace: istio-system
spec:
  dnsNames:
  - api.abc.com
  - app.abc.com
  - adm.abc.com
  - h5.abc.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod-istio
  secretName: acme-all-abc-com

签发阿里云泛域名证书

安装alidns-webhook

alidns webhook github地址: https://github.com/pragkent/alidns-webhook

mkdir alidns-webhook && cd alidns-webhook
wget https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
​
#建议修改文件中的acme.yourcompany.com
sed -i s/'acme.yourcompany.com'/'acme.kaixinok.com'/g bundle.yaml
​
# 启动alidns-webhook
kubectl apply -f bundle.yaml
​
# 创建一个包含阿里dns凭据的secert
kubectl -n cert-manager create secret generic alidns-secret --from-literal=access-key='YOUR_ACCESS_KEY' --from-literal=secret-key='YOUR_SECRET_KEY'

创建 ClusterIssuer

# cat letsencrypt-clusterissuer.yaml 
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-clusterissuer
spec:
  acme:
    # Change to your letsencrypt email
    email: cc98760@qq.com
    server: https://acme-v02.api.letsencrypt.org/directory
    #server: https://acme-staging-v02.api.letsencrypt.org/directory  # test api
​
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - dns01:
        webhook:
          groupName: acme.yibudw.com  #必需和bundle.yaml文件中定义的groupname 一致
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key

创建证书

# cat yibudw.com-certificate.yaml 
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-yibudw.com
  namespace: istio-system
spec:
  secretName: tls-yibudw.com
  dnsNames:
  - kaixinok.com
  - "*.kaixinok.com"
  issuerRef:
    name: letsencrypt-clusterissuer
    kind: ClusterIssuer

查看创建结果

# kubectl get Issuer,ClusterIssuer,certificate,CertificateRequest,orders,challenges -A

创建自签证书

创建自签名issuer

cat <<EOF>> selfSigned-issuer.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: sandbox
spec:
  selfSigned: {}  # 指定这是自签名
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {} #指定这是自签名
EOF

创建自签名ca证书

selfsigned-issuer 自签:

cat <<EOF>> selfSigned-ca.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-ca
  namespace: sandbox
  labels:
    app: self-signed-ca
spec:
  secretName: self-signed-ca
  duration: 43800h # 5y
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  commonName: "ca.example.com"
  isCA: true
EOF

selfsigned-cluster-issuer 自签:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-cluster-ca
  namespace: cert-manager
  labels:
    app: self-signed-ca
spec:
  secretName: self-signed-cluster-ca
  duration: 43800h # 5y
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  commonName: "ca.video.com"
  isCA: true

创建证书issuer

cat <<EOF> issuer.yaml 
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-com-ca
  namespace: sandbox
  labels:
    app: example-com-ca
spec:
  ca:
    secretName: self-signed-ca
EOF

获取证书和key

kubectl -n sandbox get secrets www-example-com-tls -ojsonpath='{.data.tls\.key}'  | base64 -d > tls.key
kubectl -n sandbox get secrets www-example-com-tls -ojsonpath='{.data.tls\.crt}'  | base64 -d > tls.crt

签发证书

cat <<EOF> www_example_com.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com-tls
  namespace: sandbox
  labels:
    app: www-example-com
spec:
  secretName: www-example-com-tls
  duration: 8760h # 1y
  issuerRef:
    name: example-com-ca
  commonName: "www.example.com"
  dnsNames:
  - www
  - www.example.com
  - www1.example.com
  - www2.example.com
  - www.internal.example.com
EOF

cat <<EOF > video.api.com.yaml 
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: video-api-com-tls
  namespace: default 
  labels:
    app: video-api-com
spec:
  secretName: video-api-com-tls
  duration: 8760h # 1y
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  commonName: "ca.video.com"
  dnsNames:
  - video.api.com
  - www.api.com
  - test.api.com
  - ops.api.com
EOF

0

评论区