Background
cert-manager is a Kubernetes add-on that manages TLS certificates. Combined with nginx-ingress it lets a site be served over HTTPS, and with the free certificates issued by Let's Encrypt this gives the cost-free cert-manager + nginx-ingress + letsencrypt stack. cert-manager has no built-in DNS-01 solver for Alibaba Cloud DNS, however, so an external webhook solver has to be written or installed; this article uses a webhook written by a community author, modified by the author of this article for the setup described here.
Prerequisites
Kubernetes 1.12.1+
nginx-ingress with a public IP so the site itself is reachable; Alibaba Cloud's managed Kubernetes clusters already provide this. Note that the DNS-01 challenge used here is validated by Let's Encrypt looking up a TXT record in public DNS, so, unlike HTTP-01, the validation itself does not require inbound access to the cluster.
cert-manager
Alibaba Cloud DNS (the domain must have completed ICP filing; without it the www site cannot be opened)
Deployment overview
1. Install cert-manager on Kubernetes
2. Install the alidns webhook
3. Configure the Issuer
4. Configure the Ingress
1. Install cert-manager on K8s
$ kubectl create namespace cert-manager
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
If the cluster is Kubernetes 1.12 or below, add --validate=false; the cluster used here needed it.
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml --validate=false
$ kubectl get po -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-78d674b8b5-wfqh4              1/1     Running   0          3h39m
cert-manager-cainjector-664bb64c66-9h9sc   1/1     Running   0          3h39m
cert-manager-webhook-9c6fd5f7f-tz2gj       1/1     Running   0          3h39m
#Verify cert-manager with a self-signed Issuer and Certificate
$ cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  commonName: example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF
$ kubectl apply -f test-resources.yaml
$ kubectl describe certificate -n cert-manager-test
#If the last event reads "Certificate issued successfully", the installation works
Events:
  Type    Reason      Age   From          Message
  ----    ------      ----  ----          -------
  Normal  CertIssued  4s    cert-manager  Certificate issued successfully
$ kubectl delete -f test-resources.yaml
2. Install the alidns webhook
$ git clone https://github.com/kevinniu666/cert-manager-webhook-alidns.git
$ cd cert-manager-webhook-alidns
$ helm install --name cert-manager-webhook-alidns --namespace=cert-manager ./deploy/webhook-alidns
#--name is Helm 2 syntax; Helm 3 takes the release name as a positional argument instead
#Check that the webhook pod is running next to cert-manager
$ kubectl get po -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
cert-manager-78d674b8b5-wfqh4                  1/1     Running   0          3h50m
cert-manager-cainjector-664bb64c66-9h9sc       1/1     Running   0          3h50m
cert-manager-webhook-9c6fd5f7f-tz2gj           1/1     Running   0          3h50m
cert-manager-webhook-alidns-6f9695b7c4-cmdwz   1/1     Running   0          65m
3. Configure the Issuer
#cert-manager has two issuer kinds, Issuer and ClusterIssuer. An Issuer is namespaced and can only issue Certificates in its own namespace; a ClusterIssuer is cluster-scoped and can be referenced from any namespace, much like the difference between a Role and a ClusterRole. A ClusterIssuer reads the Secrets it references from the namespace cert-manager itself runs in, which is why the Secret below is created in cert-manager.
#Create a RAM user in Alibaba Cloud, grant it the DNSFullAccess policy and record its AccessKey. Create the Secret with the command below; during DNS-01 validation the webhook uses these credentials to write a TXT record into the zone and deletes it again once validation completes. Because this AccessKey can modify every record in every zone the RAM user can see, use a dedicated RAM user with no other permissions, and prefer a custom policy limited to the record-management actions the webhook needs if your setup allows it. How to serve zones under several Alibaba Cloud accounts from one cert-manager is described at the end; mainly the webhook's ClusterRole has to be changed.
$ kubectl -n cert-manager create secret generic alidns-credentials --from-literal=accessKeySecret='evNH0A***fONnnTy2r'
$ kubectl apply -f letsencrypt-clusterissuer.yaml
#This file references the Secret just created. The AccessKey ID is entered inline in the manifest; it could also be placed in the Secret instead.
$ kubectl get clusterissuer
NAME               AGE
letsencrypt-prod   1h
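The page does not show letsencrypt-clusterissuer.yaml itself. The manifest below is an added example, not the author's file, of what a cert-manager v0.10 ClusterIssuer for the ACME DNS-01 webhook solver looks like when it uses the alidns-credentials Secret created above. The groupName, solverName and the config key names are assumptions: they have to match what the installed alidns webhook registers, so check deploy/webhook-alidns/values.yaml and the webhook's README before applying. The email address, the account-key Secret name and the AccessKey ID are placeholders.

```yaml
# Added example: cert-manager v0.10 ClusterIssuer using the ACME DNS-01 webhook solver.
# Not the author's letsencrypt-clusterissuer.yaml. groupName, solverName and the
# config keys are ASSUMPTIONS that must match the alidns webhook chart; email,
# account-key Secret name and AccessKey ID are placeholders.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Test against the staging endpoint first; the production endpoint rate-limits
    # repeated failed or duplicate orders for the same names:
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                     # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key       # ACME account key; cert-manager creates it in its own namespace
    solvers:
    - dns01:
        webhook:
          groupName: acme.example.com          # assumption: must equal the chart's groupName value
          solverName: alidns                   # assumption: must equal the name the webhook registers
          config:
            accessKeyId: LTAI0000000000000000  # placeholder; passed inline, as on this page
            accessKeySecretRef:                # assumption: key name the webhook expects
              name: alidns-credentials         # the Secret created above, in the cert-manager namespace
              key: accessKeySecret
```

Switching `server` to the staging directory and re-applying is the cheapest way to debug a broken webhook configuration: the Challenges go through the same DNS-01 flow, but staging certificates are not trusted by browsers and the rate limits are far more generous.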
4. Configure the Ingress
$ kubectl apply -f ingress.yaml
#The Ingress carries the cluster-issuer annotation; cert-manager's ingress-shim then creates the Certificate, Order and Challenge resources for the hosts listed in the Ingress automatically.
$ kubectl get ing
NAME           HOSTS           ADDRESS          PORTS     AGE
demo-ingress   cert.****.com   1**.2*.164.22*   80, 443   70m
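The page does not show ingress.yaml either. As an added example, not the author's file, here is an Ingress that makes cert-manager v0.10's ingress-shim request a certificate from the letsencrypt-prod ClusterIssuer for the listed host. The host name, the backend Service and its port are placeholders; the annotation key is the one used by cert-manager v0.10.

```yaml
# Added example: Ingress annotated for cert-manager v0.10's ingress-shim.
# Not the author's ingress.yaml. Host, Service name and port are placeholders.
apiVersion: extensions/v1beta1                 # Ingress API available on Kubernetes 1.12
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    # v0.10 annotation key; from cert-manager v0.11 on it is cert-manager.io/cluster-issuer
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    # send plain-HTTP clients to HTTPS once the certificate is in place
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - cert.example.com                         # placeholder; must be a zone the RAM user can edit
    secretName: cert-example-com-tls           # cert-manager writes the issued certificate here
  rules:
  - host: cert.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: demo                    # placeholder Service
          servicePort: 80
```

ingress-shim names the Certificate it creates after the `secretName` in the `tls` section, which is why `kubectl get certificate` on this page shows the same `-tls` name in both the NAME and SECRET columns. Every host in `tls[].hosts` must be in a zone that the configured AccessKey can modify, otherwise the Challenge for that host stays pending.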
$ kubectl get certificate
#READY True means the certificate was issued by Let's Encrypt
NAME            READY   SECRET         AGE
da***-com-tls   True    da**-com-tls   1h
#If READY is False, look at the Challenge status; DNS validation takes a while because the TXT record has to propagate before Let's Encrypt can see it
$ kubectl get challenge
NAME                  STATE     DOMAIN    AGE
**-tls-2231756264-0   pending   ***.com   5m
$ kubectl describe challenge ***-tls-2231756264-0
#After successful validation the events look like this; a Challenge is deleted automatically once it has been validated
....
  Normal  Presented  28s  cert-manager  Presented challenge using dns-01 challenge mechani
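Step 3 says the webhook writes a TXT record for validation, and the troubleshooting output above shows a Challenge that has been presented but is still pending. Knowing exactly which record should exist makes that state easy to check by hand. The following is an added example, not cert-manager or webhook code: it derives the DNS-01 record name and value as specified in RFC 8555 section 8.4 (the TXT value is the base64url-encoded SHA-256 of `token.thumbprint`, where the thumbprint is the JWK thumbprint of the ACME account key). The token and thumbprint used are constructed sample values.

```python
"""Compute the DNS-01 TXT record an ACME DNS webhook (such as the alidns
webhook on this page) must publish, per RFC 8555 section 8.4.

Added example, not code from cert-manager or the webhook. SAMPLE_TOKEN and
SAMPLE_THUMBPRINT are constructed values, not from a real ACME order.
"""
import base64
import hashlib
from typing import Iterable


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' base64url(JWK thumbprint of the ACME account key)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(
        key_authorization(token, thumbprint).encode("ascii")
    ).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Owner name of the record; a wildcard's leading '*.' is dropped,
    so '*.example.com' is validated through _acme-challenge.example.com."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain.rstrip('.')}"


def record_matches(published: Iterable[str], token: str, thumbprint: str) -> bool:
    """True if one of the TXT values found in DNS is the expected one.
    Several values can coexist: every pending Challenge adds its own record
    and the webhook removes only the one it presented."""
    return dns01_txt_value(token, thumbprint) in set(published)


# Constructed sample values (not from a real ACME order).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

if __name__ == "__main__":
    name = dns01_record_name("cert.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(f"{name}  TXT  {value}")
```

To compare against a live cluster, read the token from the pending Challenge with `kubectl get challenge <name> -o yaml` (the spec also carries the ready-made value in `key`), then query the `_acme-challenge` name with `dig TXT` against a public resolver; if the value is missing, the webhook's credentials or zone are wrong, and if it is present the Challenge is simply waiting for Let's Encrypt to observe it.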
5. Open a browser and visit the address configured in the Ingress
PS: For domains under different Alibaba Cloud accounts, create a separate ClusterIssuer per account, each referencing its own Secret, and reference the matching issuer in the annotation of each Ingress.
$ kubectl -n cert-manager create secret generic alidns-credentials-2 --from-literal=accessKeySecret='evNH*****fONnnTy2r'
$ kubectl apply -f letsencrypt-clusterissuer-2.yaml
$ kubectl apply -f ingress-2.yaml
$ kubectl edit clusterrole cert-manager-webhook-alidns:secret-reader
#Add the newly created Secret to resourceNames. The webhook's ClusterRole names the Secrets it may read one by one, so the webhook cannot read arbitrary Secrets in the cluster; keep this list to the credential Secrets it actually needs. A manual edit like this is reverted by the next helm upgrade unless the chart renders the same list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2019-09-18T07:31:41Z
  name: cert-manager-webhook-alidns:secret-reader
  resourceVersion: "100733766"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cert-manager-webhook-alidns%3Asecret-reader
  uid: 5bcdb127-d9e6-11e9-bd87-00163e08a2e5
rules:
- apiGroups:
  - ""
  resourceNames:
  - alidns-credentials-2
  - alidns-credentials
  resources:
  - secrets
  verbs:
  - get
  - watch
Visit the domain configured in ingress-2 to verify.