Using cert-manager and HashiCorp Vault to manage a cluster's internal self-signed SSL certificates
The first half covers some of the underlying principles; the second half is the actual setup used in our environment.
The normal self-signed certificate flow is as follows:
The certificate flow when signing with cert-manager:
cert-manager resource types:
ClusterIssuer: defines the CAs that are able to sign certificates; it must report the Ready condition before cert-manager will use it.
cert-manager controller: handles certificate requests and generates the Secret corresponding to each Certificate.
Certificate: defines a desired X.509 certificate (tls.crt and tls.key), issued by the ClusterIssuer, that cert-manager renews and keeps up to date.
ca-injector: used to configure how the Kubernetes API server connects to webhooks (it injects the CA data into the webhook configuration).
webhook: cert-manager extends the Kubernetes API server with a webhook server that provides dynamic admission control over cert-manager resources.
According to the official documentation: https://cert-manager.io/docs/concepts/certificate/#certificate-lifecycle
The certificate lifecycle section explains how certificates inside K8S are renewed when they approach expiry; what follows I pasted from the official site.
That covers the underlying principles; below is the real case from our environment, where cert-manager and Vault are combined.
Division of responsibilities:
1. HashiCorp Vault acts as the issuer that signs the certificates.
2. cert-manager, deployed in the K8S cluster, periodically monitors certificate validity and status, and goes to Vault to have certificates signed.
Define the ClusterIssuer:
vmadmin@jumpbox:~$ kubectl get clusterissuer -n cert-manager
NAME           AGE
vault-issuer   512d
vmadmin@jumpbox:~$ kubectl get clusterissuer vault-issuer -n cert-manager -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"vault-issuer"},"spec":{"vault":{"auth":{"appRole":{"path":"approle","roleId":"64c3666d-7c2c-a689-753a-33891b3dfbd5","secretRef":{"key":"secretId","name":"cert-manager-vault-secret"}},"tokenSecretRef":{"name":""}},"caBundle":"LS0tLSo=","path":"pki_int/sign/12331","server":"https://vault.com.cn:8206"}}}
  creationTimestamp: "2020-08-25T07:39:20Z"
  generation: 3
  name: vault-issuer
  resourceVersion: "19875"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/vault-issuer
  uid: 90f5e84a-e337-4fcd-9deb-f8811131fb0f
spec:
  vault:
    auth:
      appRole:
        path: approle
        roleId: 64c3666d-7c2c-a689-753a-33891b3dfbd5
        secretRef:
          key: secretId
          name: cert-manager-vault-secret
      tokenSecretRef:
        name: ""
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR
    path: pki_int/sign/12331
    server: https://vault.com.cn:8206   # server is the Vault address; before deploying cert-manager you need an existing Vault server, whose PKI secrets engine signs the certificates
status:
  conditions:
  - lastTransitionTime: "2020-08-25T08:14:25Z"
    message: Vault verified
    reason: VaultVerified
    status: "True"
    type: Ready
# A Certificate defines which Secret needs to be kept up to date; its settings are explained in the comments below
vmadmin@jumpbox:~$ kubectl get certificate
NAME   READY   SECRET   AGE
abba   True    abba     39d
abba   True    abba     39d
vmadmin@jumpbox:~$ kubectl get certificate tprt -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  creationTimestamp: "2021-04-27T02:50:22Z"
  generation: 8
  name: tprt              # the name of this Certificate
  namespace: default
  resourceVersion: "206213505"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tprt-87701-portal-val-tprt-service.nazgul.app
  uid: 01b7a632-79cc-4c07-b5b8-1211fe7c512d
spec:
  dnsNames:
  - tprt.com.cn           # the name you want in the issued certificate; baidu.com, for example, would work just as well
  issuerRef:
    kind: ClusterIssuer   # ClusterIssuer, so it works regardless of namespace
    name: vault-issuer    # the name of the ClusterIssuer
  keySize: 4096
  secretName: tprt-secret # the name of the Secret that will be generated
status:
  conditions:
  - lastTransitionTime: "2021-06-23T03:23:56Z"
    message: Certificate is up to date and has not expired
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2022-03-20T03:24:02Z"
vmadmin@app-corebe-jumpbox:~$ kubectl get secret tprt-secret
NAME          TYPE                DATA   AGE
tprt-secret   kubernetes.io/tls   3      211d
At this point, whichever Pod needs this Secret can simply reference it in its Deployment.
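As an added, offline-runnable example (not from the original post or from cert-manager), the Go code below reproduces the checks behind the Certificate's Ready condition shown above: that the tls.crt in the kubernetes.io/tls Secret chains to the ClusterIssuer's caBundle and covers the dnsNames entry, and whether the two-thirds-of-lifetime renewal point (cert-manager's default) has been reached. MakeDemoPKI and its demo-root CA are constructed stand-ins for the Vault pki_int CA, and the Secret values are assumed to be base64-decoded already.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckTLSSecret repeats the checks behind a Certificate's Ready condition: tls.crt from a kubernetes.io/tls Secret
// (base64 already decoded) must chain to the issuer's caBundle, cover dnsName and be valid at now; renewDue turns true once 2/3 of the lifetime has elapsed (cert-manager's default renewal point).
func CheckTLSSecret(secretData map[string][]byte, caBundle []byte, dnsName string, now time.Time) (renewDue bool, notAfter time.Time, err error) {
	block, _ := pem.Decode(secretData["tls.crt"])
	if block == nil {
		return false, notAfter, errors.New("tls.crt holds no PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, notAfter, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundle) { // a broken caBundle is a common reason a Vault issuer never turns Ready
		return false, leaf.NotAfter, errors.New("caBundle holds no usable CA certificate")
	}
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: now}); err != nil {
		return false, leaf.NotAfter, err
	}
	renewAt := leaf.NotBefore.Add(leaf.NotAfter.Sub(leaf.NotBefore) * 2 / 3)
	return !now.Before(renewAt), leaf.NotAfter, nil
}

// MakeDemoPKI builds a throwaway CA and leaf for dnsName: constructed stand-ins for Vault's pki_int CA and the certificate it signs.
func MakeDemoPKI(dnsName string, notBefore, notAfter time.Time) (caPEM, leafPEM []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-root"}, NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName}, NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey) // the CA template doubles as parent
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER), err
}
```

Against a live cluster the same inputs come from `kubectl get secret tprt-secret -o json` (decode the data values) and the caBundle field of the ClusterIssuer.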
Tags: manger, certificate, secret, manager, cert, vault, issuer
From: https://www.cnblogs.com/howtobuildjenkins/p/18493329