Managing TLS certificates for an internal Kubernetes development environment with cert-manager

Purpose

Configuring HTTPS in the internal k8s development environment keeps it consistent with the production configuration. This matters because:

  • PWA development requires HTTPS (service workers only run in a secure context)
  • A page that pulls in HTTP resources (mixed content) is never noticed by developers or testers while the development environment itself is plain HTTP, and then surfaces as a production failure
  • HTTP/2 behaves very differently from HTTP/1.1, and browsers only negotiate it over TLS, so the two environments must match

About cert-manager

cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from a variety of issuing sources. It ensures certificates are valid and up to date, and attempts to renew them at an appropriate time before expiry.

Approach

The development environment sits on an internal network, so it cannot complete Let's Encrypt's domain validation (HTTP-01 needs the host to be reachable from the internet; DNS-01 would need the zone to be publicly hosted, which is not assumed here), and therefore cannot use Let's Encrypt for issuance and automatic renewal. Instead, create a self-signed CA certificate and have that CA issue the site certificates:

  1. Create a self-signed Issuer
  2. Generate the CA certificate
  3. Create the CA issuer (ClusterIssuer)
  4. Generate the site certificate
  5. Configure the site certificate on the Ingress
  6. Install the CA certificate on developer machines

Implementation

Prerequisites:

  • A Kubernetes cluster with cert-manager installed
  • The developer machine's hosts file maps site.example.com to the Ingress controller's external IP
  • The site is already deployed to k8s, and the Ingress controller exposes NodePorts 30080 (HTTP) and 30443 (HTTPS), so http://site.example.com:30080 already reaches the nginx site

1. Create the self-signed Issuer

# selfsigned-issuer.issuer.yaml
# Reference: https://cert-manager.io/docs/configuration/selfsigned/
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: cert-manager ### an Issuer is namespaced; it must live in the namespace where the CA Certificate in step 2 is created
spec:
  selfSigned: {}

2. Generate the CA certificate

# ca-example-com.certificate.cert-manager.yaml
# Reference: https://cert-manager.io/docs/usage/certificate/
# API reference: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1alpha3.Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ca-example-com ###
  namespace: cert-manager ### changed to cert-manager's namespace so that the CA issuer created as a ClusterIssuer can read this certificate's Secret
spec:
  # Secret names are always required.
  secretName: ca-example-com-tls ### Secret name
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
    - Example Inc. ###
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: ca.example.com ###
  isCA: true ### changed to true: isCA marks this certificate as valid for signing certificates and automatically adds "cert sign" to the usages list
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  #usages: ### usages left commented out; it is the set of x509 key usages requested for the certificate and defaults to digital signature and key encipherment when unspecified
  #  - server auth
  #  - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
  - ca.example.com ###
  #uris: ### uris and ipAddresses left commented out
  #- spiffe://cluster.local/ns/sandbox/sa/example
  #ipAddresses:
  #- 192.168.0.5
  # Issuer references are always required.
  issuerRef:
    name: selfsigned-issuer ### the self-signed issuer from step 1
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
  • ### marks changes relative to the reference manifest
  • The CA issuer will be created as a ClusterIssuer. A ClusterIssuer can only read Secrets in the "cluster resource namespace", which defaults to the namespace cert-manager is installed in, so this CA Certificate is created there and its Secret is written there too. That namespace can be changed; see https://cert-manager.io/docs/faq/cluster-resource/
  • duration: 2160h and renewBefore: 360h are copied unchanged from the reference, which is a leaf-certificate example. For a CA they mean the tls.crt imported on every developer machine expires after 90 days and must be re-imported, regardless of what cert-manager renews inside the cluster. A multi-year duration is more practical for an internal development CA.

3. Create the CA issuer (ClusterIssuer)

# ca-issuer.clusterissuer.yaml
# Reference: https://cert-manager.io/docs/configuration/ca/
apiVersion: cert-manager.io/v1
kind: ClusterIssuer ### ClusterIssuer instead of Issuer
metadata:
  name: ca-issuer
  ### a ClusterIssuer is cluster-scoped: a namespace field here would be ignored, so it is omitted
spec:
  ca:
    secretName: ca-example-com-tls ### the Secret written by the CA Certificate in step 2
  • ### marks changes relative to the reference manifest
  • Because the CA issuer is a ClusterIssuer, it can issue certificates for Certificate resources in any namespace. Before moving on, confirm it reports Ready (kubectl get clusterissuer ca-issuer); if the Secret is missing or sits in the wrong namespace, the status shows the reason.

4. Generate the site certificate

# site-example-com.certificate.example-com.yaml
# Reference: https://cert-manager.io/docs/usage/certificate/
# API reference: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1alpha3.Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: site-example-com ###
  namespace: example-com ### the namespace the site is deployed in; the Secret is created here, where the Ingress can reference it
spec:
  # Secret names are always required.
  secretName: site-example-com-tls ### Secret name
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
    - Example Inc. ###
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: site.example.com ###
  isCA: false ### a leaf certificate; leaving isCA false keeps "cert sign" out of its usages
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  #usages: ### usages left commented out; it is the set of x509 key usages requested for the certificate and defaults to digital signature and key encipherment when unspecified
  #  - server auth
  #  - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
  - site.example.com ### must match the host the browser connects to; browsers validate the SAN, not the CN
  #uris: ### uris and ipAddresses left commented out
  #- spiffe://cluster.local/ns/sandbox/sa/example
  #ipAddresses:
  #- 192.168.0.5
  # Issuer references are always required.
  issuerRef:
    name: ca-issuer ### the CA issuer from step 3
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer ### the CA issuer is a ClusterIssuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
  • ### marks changes relative to the reference manifest

5. Configure the site certificate on the Ingress

# site-example-com.ingress.example-com.yaml
# Reference: https://kubernetes.io/zh/docs/concepts/services-networking/ingress/#tls
# The original manifest used apiVersion extensions/v1beta1 with serviceName/servicePort,
# an API that was removed in Kubernetes 1.22; this is the equivalent networking.k8s.io/v1 form.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: site-example-com
  namespace: example-com ### same namespace as Secret site-example-com-tls; an Ingress cannot reference a Secret in another namespace
  annotations:
    kubernetes.io/ingress.class: nginx ### newer ingress-nginx releases prefer spec.ingressClassName: nginx
spec:
  tls:
    - hosts:
        - site.example.com
      secretName: site-example-com-tls ### the Secret written by the Certificate in step 4
  rules:
    - host: site.example.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: nginx
                port:
                  number: 80
  • Once a tls entry is present, ingress-nginx redirects plain HTTP requests for that host to HTTPS by default (ssl-redirect). If that gets in the way on the NodePort setup, the annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" switches it off for this Ingress.

6. Install the CA certificate locally

Fetch the CA certificate: the tls.crt entry of Secret ca-example-com-tls in the cert-manager namespace. Copy it to the developer machine; on Windows, open the file and install it into "Trusted Root Certification Authorities". Copy only the certificate. The CA private key (tls.key) stays in the cluster and must never leave it: anyone holding it can mint a certificate for any name that every machine with this root installed will trust. Browsers and tools that keep their own trust store (Firefox by default, Java keystores, tools that ship their own CA bundle) need the root imported separately.
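What step 6 actually buys you is easiest to see by replaying the whole chain in code. The Go program below is an added example written for this page, not cert-manager's code and not something produced by the manifests above: it builds the same two certificates in-process (assumed values taken from the manifests: RSA-2048, O=Example Inc., CN and SAN ca.example.com and site.example.com, 90-day durations), then verifies the leaf the way a browser does: with the root imported, with the root missing, with the wrong host name, and after a 90-day root has expired while the leaf is still valid. To get the real tls.crt for import, run kubectl -n cert-manager get secret ca-example-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt, and check the live endpoint with openssl s_client -connect site.example.com:30443 -servername site.example.com -CAfile ca.crt (look for "Verify return code: 0 (ok)").

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// DevPKI is the pair of certificates the two Certificate resources describe:
// the self-signed CA from step 2 and the site leaf from step 4 that it signs.
type DevPKI struct {
	CA, Leaf *x509.Certificate
	CAKey    *rsa.PrivateKey // tls.key of the CA Secret: never leaves the cluster
}

// NewDevPKI builds that pair in-process (example only; in the cluster this is
// cert-manager's job). caDays and leafDays are the two "duration" values.
func NewDevPKI(caDays, leafDays int) *DevPKI {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048) // privateKey: RSA, size 2048
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Inc."}, CommonName: "ca.example.com"},
		DNSNames:              []string{"ca.example.com"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(time.Duration(caDays) * day),
		IsCA:                  true, // isCA: true
		BasicConstraintsValid: true,
		// isCA: true makes cert-manager add "cert sign" to the default usages.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Example Inc."}, CommonName: "site.example.com"},
		DNSNames:     []string{"site.example.com"}, // the SAN browsers actually check
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Duration(leafDays) * day),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // cert-manager defaults
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the CA
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	return &DevPKI{CA: ca, Leaf: leaf, CAKey: caKey}
}

// VerifySite checks leaf the way a browser does at time at: the chain must end
// in a root from the trust store, every certificate in it must be inside its
// validity period, host must match a SAN, and the leaf must allow server auth.
// An empty roots slice models a developer machine where step 6 was skipped.
func VerifySite(leaf *x509.Certificate, roots []*x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool() // deliberately not the system pool
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p := NewDevPKI(90, 90)
	now, trusted := time.Now(), []*x509.Certificate{p.CA}
	report := func(label string, err error) { fmt.Printf("%-28s %v\n", label, err) }
	report("root imported, right host:", VerifySite(p.Leaf, trusted, "site.example.com", now))
	report("root not imported:", VerifySite(p.Leaf, nil, "site.example.com", now))
	report("root imported, wrong host:", VerifySite(p.Leaf, trusted, "other.example.com", now))
	// With a 90d CA, a leaf renewed late in the CA's life outlives the imported
	// root; once the root expires the browser rejects the still-valid leaf.
	q := NewDevPKI(90, 180)
	report("root expired before leaf:", VerifySite(q.Leaf, []*x509.Certificate{q.CA}, "site.example.com", now.Add(120*day)))
}
```

Only the last case depends on the CA's duration: with duration: 2160h on the CA certificate, it is exactly what developers see around day 90 unless the root is re-imported, which is why a much longer CA lifetime was suggested in step 2.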

7. Result
