
How to use cert-manager to apply for a TLS certificate in Kubernetes

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article introduces how to use cert-manager to apply for a TLS certificate in Kubernetes. Many people have questions about this, so the editor has consulted various materials and sorted out a simple, easy-to-use procedure. I hope it helps answer the question of how to use cert-manager to apply for a TLS certificate in Kubernetes. Please follow along.

Problem description

After cert-manager has been deployed successfully, you can use it to apply for a Let's Encrypt certificate.

Solution precondition

Deployment of cert-manager completed: refer to section 2, Installation notes.

TL;DR

We use the Let's Encrypt service, which provides an ACME implementation, to request the certificate, and we use DNS01 to complete the challenge. So we create a ClusterIssuer resource file similar to the following:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example-issuer
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - dns01:
        cloudDNS:
          project: my-project
          serviceAccountSecretRef:
            name: prod-clouddns-svc-acct-secret
            key: service-account.json

However, we use the Alibaba Cloud (Aliyun) DNS service rather than Google Cloud DNS, so the configuration above will not work (the DNS01 challenge cannot be completed). The DNS01 providers cert-manager supports in-tree (ACMEDNS, Akamai, AzureDNS, CloudFlare, Google, Route53, DigitalOcean and RFC2136) do not include the Aliyun provider we use. Fortunately, cert-manager supports webhooks that let you plug in your own DNS provider (these are out-of-tree DNS providers), and there is an open-source AliDNS-Webhook we can use (for usage, see alidns-webhook/README.md on its master branch).

Step 1: deploy the AliDNS-Webhook implementation

Following the AliDNS-Webhook documentation, the resource files we use and the deployment process are as follows:

./01-bundle.yaml
./02-alidns-secret.yaml
./03-letsencrypt-clusterissuer.yaml
./04-examplexyz-certificate.yaml

Note: the groupName: in ./03-letsencrypt-clusterissuer.yaml must be consistent with the group: in ./01-bundle.yaml, so modify both at the same time. The default value is acme.yourcompany.com.

kubectl apply -f ./01-bundle.yaml
kubectl apply -f ./02-alidns-secret.yaml
kubectl apply -f ./03-letsencrypt-clusterissuer.yaml
kubectl apply -f ./04-examplexyz-certificate.yaml

Step 2: check whether the certificate has been issued successfully

# kubectl describe -n default certificates.cert-manager.io example-xyz
...
Status:
  Conditions:
    Last Transition Time:  2021-05-07T01:30:33Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2021-08-05T00:30:32Z
  Not Before:              2021-05-07T00:30:32Z
  Renewal Time:            2021-07-06T00:30:32Z
  Revision:                1
Events:

# kubectl get certificates.cert-manager.io
NAME          READY   SECRET        AGE
example-xyz   True    example-xyz   2m
// at this point the certificate request has succeeded

Step 3: switch to the Let's Encrypt production environment

After the certificate request succeeds there is one last thing to do: so far we have only tested requesting a certificate in the Let's Encrypt staging environment, and we still need to switch to the Let's Encrypt production environment.

Modify the server: in ./03-letsencrypt-clusterissuer.yaml to https://acme-v02.api.letsencrypt.org/directory to use the production environment and request a real certificate.

Supplementary explanation

For more DNS service providers, refer to the cert-manager-webhook GitHub Topics page.

Summary of common errors: ... is forbidden ... cannot create resource "alidns" in API group ... at the cluster scope

Problem description:

alidns.acme.example.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "acme.example.com" at the cluster scope

Cause analysis: the groupName: in ./03-letsencrypt-clusterissuer.yaml is not consistent with the group: in ./01-bundle.yaml; the webhook's APIService is registered under the group: from the bundle, so a ClusterIssuer that names a different groupName: asks for a resource cert-manager has no RBAC permission for.

Solution: keep groupName: consistent with group:.
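To make the two checks in this article repeatable (that the ClusterIssuer's groupName: matches the bundle's group:, and that the certificate shows READY True before switching the ACME server to production), here is a small POSIX shell script. It is an added example written for this page, not code from the article or from the alidns-webhook project. The webhook config keys under config: (region, accessKeySecretRef, secretKeySecretRef) and the secret name alidns-secret follow the alidns-webhook README as recalled by the author of this example and are assumptions to verify against the README you deploy from; the APIService and kubectl outputs used for testing are constructed inline.

```shell
#!/bin/sh
# Added example for this article (not the project's code): render a ClusterIssuer
# for the AliDNS webhook solver, switch it from staging to production, check that
# its groupName matches the webhook bundle's APIService group, and parse
# `kubectl get certificates` output for READY=True. Runs offline on local files.

# render_clusterissuer NAME ACME_SERVER GROUP_NAME -> manifest on stdout.
# The keys under config: are assumed from the alidns-webhook README.
render_clusterissuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  acme:
    email: user@example.com
    server: $2
    privateKeySecretRef:
      name: $1-account-key
    solvers:
    - dns01:
        webhook:
          groupName: $3
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
EOF
}

# switch_to_production FILE: rewrite the staging ACME directory URL to the
# production one in place (step 3 of the article).
switch_to_production() {
  sed 's#https://acme-staging-v02.api.letsencrypt.org/directory#https://acme-v02.api.letsencrypt.org/directory#' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# yaml_value KEY FILE: first value of "KEY:" at any indentation (simple scalars only).
yaml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | head -n 1
}

# check_group_consistency ISSUER_FILE BUNDLE_FILE: 0 if groupName == group,
# 1 on mismatch (the cause of the "cannot create resource alidns" error), 2 if absent.
check_group_consistency() {
  issuer_group=$(yaml_value groupName "$1")
  bundle_group=$(yaml_value group "$2")
  if [ -z "$issuer_group" ] || [ -z "$bundle_group" ]; then
    echo "could not find groupName: in $1 or group: in $2" >&2
    return 2
  fi
  if [ "$issuer_group" != "$bundle_group" ]; then
    echo "mismatch: ClusterIssuer groupName=$issuer_group but APIService group=$bundle_group" >&2
    return 1
  fi
  echo "ok: webhook group is $issuer_group"
}

# certificate_ready NAME: read `kubectl get certificates.cert-manager.io` output on
# stdin; succeed only if the row for NAME has READY == True.
certificate_ready() {
  awk -v want="$1" 'NR > 1 && $1 == want { found = 1; if ($2 == "True") ok = 1 }
                    END { if (found && ok) exit 0; exit 1 }'
}
```

Typical use is `check_group_consistency ./03-letsencrypt-clusterissuer.yaml ./01-bundle.yaml` before `kubectl apply`, and `kubectl get certificates.cert-manager.io | certificate_ready example-xyz` before running `switch_to_production ./03-letsencrypt-clusterissuer.yaml`; the consistency check reads only the first group: it finds, so point it at the bundle's APIService document.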

This concludes the study of how to use cert-manager to apply for TLS certificates in Kubernetes. I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it!
