k8s 1.18.20: automatic renewal of free 90-day Let's Encrypt certificates with cert-manager and kubed
1. Deploying cert-manager
Reference: k8s 1.18.20: cert-manager 1.8 installation and deployment
2. Requesting a free certificate from Let's Encrypt
2.1 Create a ClusterIssuer
The ClusterIssuer below requests free 90-day certificates from Let's Encrypt. The commented-out staging endpoint is the one to use while you are still testing the solver: the production endpoint enforces rate limits, and a misconfigured HTTP-01 solver can burn through them before anything is issued.
[root@k8s-node ~]# cat clusterissuer-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    #server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod      # Secret that will hold the ACME account private key
    solvers:
    - http01:
        ingress:
          class: nginx            # challenge responses are served through the nginx ingress
2.2 Request a certificate for the domains using HTTP-01 validation
[root@k8s-node ~]# cat ssl.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl                   # name of the Certificate object
  namespace: cert-manager     # namespace the Certificate (and its Secret) live in
spec:
  secretName: ssl             # name of the kubernetes.io/tls Secret that will be created
  issuerRef:
    name: letsencrypt-prod    # the issuer to use
    kind: ClusterIssuer
  duration: 2160h             # 90 days, the lifetime Let's Encrypt issues
  renewBefore: 360h           # renew 15 days before expiry
  dnsNames:
  - www.demo.cn
  - app.demo.cn
Check that the certificate was issued: the Secret named in spec.secretName must appear with type kubernetes.io/tls (kubectl get certificate -n cert-manager should likewise report READY True). The letsencrypt-prod Opaque Secret in the listing is the ACME account key from privateKeySecretRef, not a certificate.
[root@ops-k8s-master01 ssl]# kubectl get secret -n cert-manager
NAME TYPE DATA AGE
cert-manager-cainjector-token-kdwd6 kubernetes.io/service-account-token 3 30d
cert-manager-token-x6tgq kubernetes.io/service-account-token 3 30d
cert-manager-webhook-ca Opaque 3 30d
cert-manager-webhook-token-4bpwg kubernetes.io/service-account-token 3 30d
default-token-p97fb kubernetes.io/service-account-token 3 30d
letsencrypt-prod Opaque 1 30d
sandbox-2qd8j Opaque 1 28d
ssl kubernetes.io/tls 2 28d
Inspect the Secret
[root@ops-k8s-master01 ssl]# kubectl describe secret ssl -n cert-manager
Name:         ssl
Namespace:    cert-manager
Labels:       kubed.appscode.com/origin.cluster=opstest
              kubed.appscode.com/origin.name=ssl
              kubed.appscode.com/origin.namespace=cmc
Annotations:  cert-manager.io/alt-names: api.opstest.chinamcloud.cn,cloud.opstest.chinamcloud.cn,console.opstest.chinamcloud.cn,dashaboard.opstest.chinamcloud.cn,image.opstest.chi...
              cert-manager.io/certificate-name: ssl
              cert-manager.io/common-name: login.opstest.chinamcloud.cn
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-prod
              cert-manager.io/uri-sans:
              kubed.appscode.com/origin: {"namespace":"cmc","name":"ssl","uid":"4140a0e6-fd8f-4b17-b72e-9a2983c33b58","resourceVersion":"49211748"}

Type:  kubernetes.io/tls

Data
====
tls.crt:  5932 bytes
tls.key:  1679 bytes
At this point the certificate can only be used inside the cert-manager namespace: Kubernetes Secrets are namespaced, so an Ingress in another namespace cannot reference this one. To make it usable elsewhere we deploy the kubed/config-syncer service, which copies the ssl Secret from the cert-manager namespace into the other namespaces and keeps the copies updated when cert-manager renews it.
3. Deploying kubed
Reference: Syncing Secrets Across Namespaces
GitHub: https://github.com/kubeops/config-syncer
Official deployment docs: appscode
3.1 Install kubed
$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm search repo appscode/kubed --version v0.12.0
NAME            CHART VERSION   APP VERSION   DESCRIPTION
appscode/kubed  v0.12.0         v0.12.0       Kubed by AppsCode - Kubernetes daemon
$ helm install kubed appscode/kubed \
    --version v0.12.0 \
    --namespace kube-system
Check that the pod is running (the listing below comes from a cluster where the chart was released under the name config-sync in a kubed namespace; adjust the namespace to match your own install).
[root@ops-k8s-master01 ssl]# kubectl get pod -o wide -A |grep kubed
kubed config-sync-kubed-57d7b5548b-l6klq 1/1 Running 0 28d 10.42.2.80 ops-k8s-node02 <none> <none>
3.2 Have cert-manager annotate the Secret so kubed syncs it
kubed decides what to copy from annotations on the Secret, and annotations on the Certificate object are not propagated to the Secret it creates. They have to be set through spec.secretTemplate (supported since cert-manager 1.5, so the 1.8 install referenced above is fine). Add that block to the Certificate from 2.2, keeping its dnsNames, duration and renewBefore:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl
  namespace: cert-manager
spec:
  secretName: ssl
  commonName: ssl
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  secretTemplate:
    annotations:
      #kubed.appscode.com/sync: "cert-manager-tls=appfactory,crms"
      kubed.appscode.com/sync: ""    # empty value: sync to every namespace
The value of kubed.appscode.com/sync is a label selector over namespaces; an empty string matches all of them. Be aware that syncing to every namespace copies the private key into every namespace, including ones such as cattle-fleet-system that never terminate TLS for these hosts, so anyone who can read Secrets in any of those namespaces obtains the key. Where possible, label only the namespaces that serve the domains and use the selector form instead of the empty value.
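The two manifests above are easy to get subtly wrong (a renewBefore longer than the duration, a duration Let's Encrypt will not honour, a sync annotation placed on the Certificate instead of under secretTemplate, or, as in the 3.2 manifest, no dnsNames at all). The following lint is an added example written for this page, not code from cert-manager or kubed; it takes the manifest as a plain dict (what yaml.safe_load returns), and the two sample manifests are constructed to mirror sections 2.2 and 3.2. It also computes when cert-manager will attempt renewal from the notAfter of the certificate that was actually issued, since the CA, not spec.duration, decides the lifetime.

```python
"""Lint a cert-manager Certificate for the settings this page relies on and compute the renewal time.
Added example for this page; not code from cert-manager or kubed.  Manifests are plain dicts."""
import re
from datetime import datetime, timedelta

# Let's Encrypt issues 90-day leaf certificates whatever duration the Certificate asks for.
LETSENCRYPT_MAX_LIFETIME = timedelta(hours=2160)
SYNC_ANNOTATION = "kubed.appscode.com/sync"      # kubed's namespace selector annotation
_UNITS = {"h": "hours", "m": "minutes", "s": "seconds"}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)([hms])")


def parse_go_duration(text):
    """Parse a Go-style duration as cert-manager writes it ('2160h', '360h0m0s', '90m').
    Sub-second units (ms, us) are not supported and raise ValueError."""
    text = text.strip()
    if not re.fullmatch(r"(?:\d+(?:\.\d+)?[hms])+", text):
        raise ValueError(f"not a Go duration: {text!r}")
    total = timedelta()
    for value, unit in _DURATION_RE.findall(text):
        total += timedelta(**{_UNITS[unit]: float(value)})
    return total


def lint_certificate(manifest, expect_sync=False):
    """Return a list of (level, message) findings for a Certificate dict."""
    findings = []
    spec = manifest.get("spec") or {}
    if not spec.get("secretName"):
        findings.append(("error", "spec.secretName is required; it names the kubernetes.io/tls Secret"))
    if not spec.get("dnsNames"):
        findings.append(("error", "spec.dnsNames is empty; an ACME issuer has nothing to validate"))
    duration = parse_go_duration(spec.get("duration", "2160h"))          # cert-manager default
    renew_before = (parse_go_duration(spec["renewBefore"]) if spec.get("renewBefore")
                    else duration / 3)                                    # default: last third of life
    if renew_before >= duration:
        findings.append(("error", "spec.renewBefore must be shorter than spec.duration"))
    if duration > LETSENCRYPT_MAX_LIFETIME:
        findings.append(("warn", "Let's Encrypt caps validity at 2160h; a longer duration is not honoured"))
    # kubed reads its annotation from the Secret; only secretTemplate puts it there.
    annotations = (spec.get("secretTemplate") or {}).get("annotations") or {}
    if expect_sync and SYNC_ANNOTATION not in annotations:
        findings.append(("warn", f"{SYNC_ANNOTATION} is not under spec.secretTemplate.annotations; "
                                 "kubed will not copy the Secret"))
    return findings


def renewal_time(not_after_rfc3339, renew_before_text):
    """When cert-manager starts renewing: notAfter of the issued cert minus renewBefore.
    Accepts the RFC 3339 form kubectl prints (trailing 'Z'); returns ISO 8601 text."""
    not_after = datetime.fromisoformat(not_after_rfc3339.replace("Z", "+00:00"))
    return (not_after - parse_go_duration(renew_before_text)).isoformat()


# Constructed to mirror the page's manifests from sections 2.2 and 3.2.
CERT_WITH_DNSNAMES = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "ssl", "namespace": "cert-manager"},
    "spec": {"secretName": "ssl",
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
             "duration": "2160h", "renewBefore": "360h",
             "dnsNames": ["www.demo.cn", "app.demo.cn"]},
}
CERT_SYNCED_NO_DNSNAMES = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "ssl", "namespace": "cert-manager"},
    "spec": {"secretName": "ssl", "commonName": "ssl",
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer", "group": "cert-manager.io"},
             "secretTemplate": {"annotations": {SYNC_ANNOTATION: ""}}},
}

if __name__ == "__main__":
    for label, manifest in (("2.2", CERT_WITH_DNSNAMES), ("3.2", CERT_SYNCED_NO_DNSNAMES)):
        print(label, lint_certificate(manifest, expect_sync=True) or "clean")
    print("renewal starts at", renewal_time("2022-06-01T00:00:00Z", "360h"))
```

Run against the 2.2 manifest with expect_sync=True it warns that the sync annotation is missing; against the 3.2 manifest it flags the absent dnsNames, which is why the two blocks need to be merged rather than applied separately.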
Check that the Secret has been synced to every namespace
[root@ops-k8s-master01 ssl]# kubectl get secret -A |grep ssl
aims ssl kubernetes.io/tls 2 28d
appfactory ssl kubernetes.io/tls 2 28d
base ssl kubernetes.io/tls 2 28d
bigdata ssl kubernetes.io/tls 2 28d
cattle-fleet-system ssl kubernetes.io/tls 2 28d
cattle-impersonation-system ssl kubernetes.io/tls 2 28d
cattle-system ssl kubernetes.io/tls 2 28d
cert-manager ssl kubernetes.io/tls 2 28d
cim ssl kubernetes.io/tls 2 28d
cmc ssl kubernetes.io/tls 2 28d
cmini ssl kubernetes.io/tls 2 28d
cms ssl kubernetes.io/tls 2 28d
content ssl kubernetes.io/tls 2 28d
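The listing above only proves that a Secret named ssl exists in each namespace. After a renewal the copies must also carry the new certificate, and a pre-existing Secret with the same name in some namespace is not a kubed copy at all. The check below is an added example for this page, not code from kubed; it consumes the JSON shape of kubectl get secret -A -o json (in practice json.load(sys.stdin) from that command), identifies kubed copies by the kubed.appscode.com/origin annotation seen in the describe output earlier, and compares each copy's tls.crt with the origin by hash. The Secret records here are constructed, with placeholder bytes instead of real certificates.

```python
"""Verify that kubed/config-syncer copied the certificate Secret everywhere it should and that
no copy is stale.  Added example for this page; not code from kubed.  Input has the shape of
`kubectl get secret -A -o json`; the records below are constructed."""
import base64
import hashlib
import json

ORIGIN_ANNOTATION = "kubed.appscode.com/origin"   # kubed stamps copies with the source object


def _secret(namespace, name, crt_bytes, origin=None):
    """Build one Secret record in kubectl JSON shape (constructed; crt_bytes is a placeholder)."""
    meta = {"name": name, "namespace": namespace, "resourceVersion": "1"}
    if origin is not None:
        meta["annotations"] = {ORIGIN_ANNOTATION: json.dumps(origin)}
    return {"metadata": meta, "type": "kubernetes.io/tls",
            "data": {"tls.crt": base64.b64encode(crt_bytes).decode(),
                     "tls.key": base64.b64encode(b"placeholder-key").decode()}}


def cert_fingerprint(secret):
    """SHA-256 of the decoded tls.crt, so copies are compared on content rather than metadata."""
    return hashlib.sha256(base64.b64decode(secret["data"]["tls.crt"])).hexdigest()


def check_sync(secret_list, name, origin_ns, expected_namespaces):
    """Classify every Secret called `name` outside the origin namespace:
       ok      - kubed copy whose certificate matches the origin
       stale   - kubed copy still carrying a different (older) certificate
       foreign - same name, but not a kubed copy of our Secret (never overwrite these blindly)
       missing - expected namespace that has no copy at all"""
    items = [s for s in secret_list["items"] if s["metadata"]["name"] == name]
    origin = next((s for s in items if s["metadata"]["namespace"] == origin_ns), None)
    if origin is None:
        raise LookupError(f"origin Secret {origin_ns}/{name} not found")
    want = cert_fingerprint(origin)
    report = {"ok": [], "stale": [], "foreign": [], "missing": []}
    for s in items:
        ns = s["metadata"]["namespace"]
        if ns == origin_ns:
            continue
        ref = (s["metadata"].get("annotations") or {}).get(ORIGIN_ANNOTATION)
        src = json.loads(ref) if ref else {}
        if src.get("namespace") != origin_ns or src.get("name") != name:
            report["foreign"].append(ns)
        elif cert_fingerprint(s) == want:
            report["ok"].append(ns)
        else:
            report["stale"].append(ns)
    present = {s["metadata"]["namespace"] for s in items}
    report["missing"] = sorted(set(expected_namespaces) - present - {origin_ns})
    for key in ("ok", "stale", "foreign"):
        report[key].sort()
    return report


# Constructed sample: one renewed origin, one up-to-date copy, one stale copy, one unrelated Secret.
ORIGIN_REF = {"namespace": "cert-manager", "name": "ssl", "uid": "0000", "resourceVersion": "2"}
SAMPLE = {"items": [
    _secret("cert-manager", "ssl", b"CERT-RENEWED"),
    _secret("appfactory", "ssl", b"CERT-RENEWED", origin=ORIGIN_REF),
    _secret("cmc", "ssl", b"CERT-OLD", origin=ORIGIN_REF),
    _secret("legacy", "ssl", b"CERT-HANDMADE"),
]}
EXPECTED_NAMESPACES = ["appfactory", "cmc", "cms", "legacy"]

if __name__ == "__main__":
    print(json.dumps(check_sync(SAMPLE, "ssl", "cert-manager", EXPECTED_NAMESPACES), indent=2))
```

A non-empty stale list after a renewal means the sync is lagging or broken and the ingress in that namespace will keep serving the old certificate until it expires; a foreign entry is a namespace where someone created their own ssl Secret, which is worth investigating before the sync annotation is widened to cover it.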
Finally, verify from a browser (or with openssl s_client from a shell) that each domain serves the expected certificate, and repeat the check after the first renewal to confirm that the synced copies were updated as well.