Introduction

cert-manager is a Kubernetes controller that manages the certificate side of cluster state. It keeps track of the certificates on a given cluster and, before they expire, issues new certificates or requests renewal of existing ones.

Installation

1. Create the cert-manager namespace

kubectl create namespace cert-manager

2. Add the Helm repo

helm repo add jetstack https://charts.jetstack.io
helm repo update

3. Install the CRDs with kubectl

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml

4. Install cert-manager with Helm (the CRDs were already applied in step 3, so the chart's `--set installCRDs=true` option is not passed here)

$ helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.4.0

NAME: cert-manager
LAST DEPLOYED: Tue Jun 29 15:23:34 2021
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/

5. Verify the installation

# Make sure all cert-manager deployed pods are running
kubectl get pod -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5d7f97b46d-g85ds              1/1     Running   0          2m41s
cert-manager-cainjector-69d885bf55-dwj6t   1/1     Running   0          2m41s
cert-manager-webhook-8d7495f4-wgqzv        1/1     Running   0          2m41s

# Make sure custom resources *.cert-manager.io were created successfully 
kubectl get crd | grep cert-manager

# Verify that ClusterIssuer is non-namespaced scoped ('false')
# so it can be used to issue Certificates across all namespaces
kubectl api-resources | grep clusterissuers

Uninstallation

Remove cert-manager from the cluster:

helm uninstall cert-manager --namespace cert-manager

Delete the namespace:

kubectl delete namespaces cert-manager

Create a certificate issuer

Install a ClusterIssuer

ref: https://docs.cert-manager.io/en/release-0.11/reference/clusterissuers.html
ref: http://blog.zachinachshon.com/cert-manager/

cert-manager issues certificates through an Issuer. An Issuer can only issue certificates in the namespace it is created in, whereas a ClusterIssuer can issue certificates for any namespace.

1. Create a self-signed ClusterIssuer

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: xljc-ca-issuer
spec:
  selfSigned: {}
EOF

2. Check the status of the ClusterIssuer

$ kubectl get clusterissuers xljc-ca-issuer -o wide
NAME             READY   STATUS   AGE
xljc-ca-issuer   True             17h

Create a new certificate

1. Create a new Certificate

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: infra.xljc.art-tls
  namespace: ja
spec:
  secretName: infra.xljc.art-tls-secret
  issuerRef: 
    name: xljc-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  commonName: '*.infra.xljc.art'
  dnsNames:
    - infra.xljc.art
    - '*.infra.xljc.art'
EOF

2. Check the certificate and secret status

kubectl describe certificate infra.xljc.art-tls -n ja
kubectl get secret --namespace ja

3. (Optional) Deleting a certificate

# Delete certificate
kubectl delete certificate MY_DOMAIN-com-cert --namespace MY_NAMESPACE

# Delete the auto generated secret
kubectl delete secret MY_DOMAIN-com-cert-secret --namespace MY_NAMESPACE


Sharing secrets across namespaces

Sometimes we need to use a certificate secret generated by cert-manager in a namespace other than the one it was created in, but by default a Secret does not cross namespace boundaries. To work around this limitation we can simply copy the secret into the other namespace, as shown below:

# Drop the fields the API server sets itself (it refuses to create an object
# that still carries a resourceVersion), then rewrite the namespace and apply.
kubectl get secret MY_DOMAIN-com-cert-secret -n SOURCE_NAMESPACE -o yaml \
| sed -e 's/namespace: SOURCE_NAMESPACE/namespace: DESTINATION-NAMESPACE/' \
      -e '/^  resourceVersion:/d' -e '/^  uid:/d' -e '/^  creationTimestamp:/d' \
| kubectl apply -n DESTINATION-NAMESPACE -f -

Important note:
Manually copying the secret is not recommended, because cert-manager loses track of a manually copied secret, and when the renewal time comes the copy will become invalid.

We can use the kubed tool to synchronize secrets across namespaces.
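The following is an added example (not code from the original post or from cert-manager) that performs the same copy as the pipeline above but works on the JSON output of `kubectl get`, so it can also drop nested server-side fields and stamp the copy with its origin, which lets a stale copy be recognised after cert-manager has renewed the original. The functions `rewrite_secret` and `copy_secret`, the constructed `SAMPLE_SECRET` and the annotation key `example.invalid/copied-from` are assumptions of this example, not cert-manager conventions.

```python
"""Copy a cert-manager-issued TLS Secret into another namespace (added example)."""
import json
import subprocess
import sys

# Server-populated fields the API server rejects on create, plus the
# ownerReference cert-manager can add, which must not point across namespaces.
STRIP_FIELDS = ("resourceVersion", "uid", "creationTimestamp",
                "managedFields", "ownerReferences")
# Assumed annotation key (not a cert-manager key) that marks the copy's origin.
COPIED_FROM = "example.invalid/copied-from"

def rewrite_secret(secret, dest_namespace):
    """Return a new manifest of `secret` that can be applied in dest_namespace."""
    if secret.get("kind") != "Secret" or secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls Secret")
    out = json.loads(json.dumps(secret))  # deep copy; the input stays untouched
    meta = out["metadata"]
    # Record source ns/name/resourceVersion: the copy is never renewed by cert-manager.
    origin = "%s/%s@%s" % (meta.get("namespace"), meta["name"], meta.get("resourceVersion"))
    for field in STRIP_FIELDS:
        meta.pop(field, None)
    ann = meta.setdefault("annotations", {})
    ann.pop("kubectl.kubernetes.io/last-applied-configuration", None)
    ann[COPIED_FROM] = origin
    meta["namespace"] = dest_namespace
    return out

def copy_secret(name, src_ns, dest_ns):
    """kubectl get -> rewrite -> kubectl apply, the same flow as the sed pipeline."""
    got = subprocess.run(["kubectl", "get", "secret", name, "-n", src_ns, "-o", "json"],
                         check=True, capture_output=True, text=True)
    manifest = json.dumps(rewrite_secret(json.loads(got.stdout), dest_ns))
    subprocess.run(["kubectl", "apply", "-n", dest_ns, "-f", "-"],
                   input=manifest, check=True, text=True)

# Constructed sample of what `kubectl get secret -o json` returns; all values are fake.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "infra.xljc.art-tls-secret", "namespace": "ja",
                 "resourceVersion": "123456", "uid": "fake-uid",
                 "creationTimestamp": "2021-06-29T07:30:00Z",
                 "managedFields": [{"manager": "cert-manager"}],
                 "annotations": {"cert-manager.io/certificate-name": "infra.xljc.art-tls",
                                 "kubectl.kubernetes.io/last-applied-configuration": "{}"}},
    "data": {"tls.crt": "ZmFrZQ==", "tls.key": "ZmFrZQ=="},
}

if __name__ == "__main__":  # usage: copy_secret.py NAME SOURCE_NS DEST_NS
    copy_secret(*sys.argv[1:4])
```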