Posted Updated 2 minutes read (About 291 words)

Cert Manager 使用随记

在 Kubernetes 中常用 Cert Manager 生成并管理自签名证书,常见的 CR 有👇

  1. Issuer: 用于定义如何生成证书
  2. ClusterIssuer: 用于定义如何生成集群级别的证书
  3. Certificate: 用来请求和管理证书的主要资源
  4. CertificateRequest: 是用于手动请求证书的资源
  5. Order: 当使用 ACME 协议时会生成,
  6. Challenge: 是 ACME 协议中的一部分,用于表示 ACME 服务对域名所有权的验证

一个自签的简单实用例子

自签名生成 CA 证书和私钥

1
2
3
4
5
6
7
8
9
# 生成 CA 的私钥
openssl genrsa -out ca.key 2048

# 生成自签名的 CA 证书
openssl req -x509 -new -nodes -key ca.key -subj "/CN=nginx-ca" -days 365 -out ca.crt

kubectl create secret tls tls-nginx \
  --cert=ca.crt \
  --key=ca.key

通过 Issue 创建自签名

1
2
3
4
5
6
7
8
9
10
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: nginx-issuer
  namespace: default
spec:
  ca:
    secretName: tls-nginx
EOF

通过 Certificate 创建证书请求

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginx-certificate
  namespace: default
spec:
  secretName: tls-nginx
  duration: 24h
  renewBefore: 12h
  commonName: nginx.warnerchen.io
  dnsNames:
    - nginx.warnerchen.io
  issuerRef:
    name: nginx-issuer
    kind: Issuer
EOF

给 Ingress 挂载后,尝试请求

请求Ingress

Cert Manager 使用随记

https://warnerchen.github.io/2024/09/07/Cert-Manager-使用随记/

Author

Warner Chen

Posted on

2024-09-07

Updated on

2024-09-07

Licensed under

#
You need to set install_url to use ShareThis. Please set it in _config.yml.

Like this article? Support the author with

You forgot to set the business or currency_code for Paypal. Please set it in _config.yml.

Comments

You forgot to set the shortname for Disqus. Please set it in _config.yml.
Follow

Links

Recents

Archives

Tags

ansible1
calico1
cisco1
container2
containerd1
docker1
elk1
etcd3
istio2
jenkins1
k8s10
kafka1
linux3
mysql1
nexus1
prometheus1
redis1
suse10
web1
zookeeper1
面试1
首页1

Subscribe for updates

You need to set client_id and slot_id to show this AD unit. Please set it in _config.yml.

follow.it

×