
This Is k8s, Part 6 (Upgrading cert-manager)

埋头过坎 2020-12-02

Part 1 of this k8s series, which introduced ingress-nginx, noted that the ingress-nginx version in the datalab k8s cluster installed with kubespray was rather old. While looking into cert-manager I ran into the same problem: the latest cert-manager is a stable release (GA, mature), which the project describes as its big milestone of the past three years. The new version has the following major features:

  1. The API version was upgraded from v1alpha2 to v1

  2. A kubectl plugin, cert-manager, was added with a rich set of helper functions

  3. Logging improvements

  4. ACME improvements

According to the official introduction, v1.x is the direction going forward, so I upgraded the cluster's current cert-manager v0.16.1. The procedure is described below.

According to the official documentation there is no direct upgrade path from v0.16 to v1.0: the old installation has to be deleted first and the new one installed. The cert-manager services before the upgrade were as follows:

    [root@host01 ~]# kubectl get all -n cert-manager
    NAME READY STATUS RESTARTS AGE
    pod/cert-manager-cainjector-fc6c787db-cjtgx 1/1 Running 0 47h
    pod/cert-manager-d994d94d7-ptqvj 1/1 Running 0 47h
    pod/cert-manager-webhook-845d9df8bf-fls2v 1/1 Running 0 47h

    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    service/cert-manager ClusterIP ip01 <none> 9402/TCP 47h
    service/cert-manager-webhook ClusterIP ip02 <none> 443/TCP 47h

    NAME READY UP-TO-DATE AVAILABLE AGE
    deployment.apps/cert-manager 1/1 1 1 47h
    deployment.apps/cert-manager-cainjector 1/1 1 1 47h
    deployment.apps/cert-manager-webhook 1/1 1 1 47h

    NAME DESIRED CURRENT READY AGE
    replicaset.apps/cert-manager-cainjector-fc6c787db 1 1 1 47h
    replicaset.apps/cert-manager-d994d94d7 1 1 1 47h
    replicaset.apps/cert-manager-webhook-845d9df8bf 1 1 1 47h
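
The delete step that follows removes the cert-manager CRDs, and with them every Issuer, ClusterIssuer and Certificate object in the cluster; it also removes the cert-manager namespace, which holds the ACME account key Secret that a ClusterIssuer references through privateKeySecretRef. TLS Secrets already issued into application namespaces are left alone. The script below is an added example, not part of the original post: it dumps those resources with the server-populated metadata stripped so they can be re-applied after the v1.1.0 install. It assumes kubectl is on the PATH, the default cluster-resource-namespace of cert-manager, and Python 3.7 or newer.

```python
"""Back up cert-manager custom resources and ACME account Secrets before
`kubectl delete -f cert-manager.yaml`. Added example, not from the post."""
import json
import subprocess
import sys
from pathlib import Path

# Custom resources that disappear together with their CRDs.
CM_KINDS = [
    "issuers.cert-manager.io",
    "clusterissuers.cert-manager.io",
    "certificates.cert-manager.io",
]
CLUSTER_RESOURCE_NS = "cert-manager"  # assumption: default --cluster-resource-namespace

# Server-populated metadata that must not be replayed on restore.
RUNTIME_METADATA = ("uid", "resourceVersion", "generation", "creationTimestamp",
                    "managedFields", "selfLink")


def strip_runtime_fields(item: dict) -> dict:
    """Copy of a resource that `kubectl apply` will accept after the reinstall."""
    out = {k: v for k, v in item.items() if k != "status"}
    out["metadata"] = {k: v for k, v in item.get("metadata", {}).items()
                       if k not in RUNTIME_METADATA}
    return out


def account_secret_refs(issuers: list) -> list:
    """(namespace, name) of every ACME account key Secret the issuers reference.

    Issuer secrets live in the Issuer's own namespace; ClusterIssuer secrets
    live in the cluster-resource-namespace, which the uninstall deletes.
    """
    refs = set()
    for it in issuers:
        acme = it.get("spec", {}).get("acme") or {}
        name = acme.get("privateKeySecretRef", {}).get("name")
        if not name:
            continue  # self-signed, CA, Vault, ... issuers hold no ACME account key
        if it["kind"] == "ClusterIssuer":
            refs.add((CLUSTER_RESOURCE_NS, name))
        else:
            refs.add((it["metadata"]["namespace"], name))
    return sorted(refs)


def kubectl_json(*args: str) -> dict:
    """Run `kubectl ... -o json` and parse the result."""
    proc = subprocess.run(["kubectl", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def backup(outdir: str) -> list:
    """Write one List per kind plus each referenced account Secret; return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written, issuers = [], []
    for kind in CM_KINDS:
        items = [strip_runtime_fields(i)
                 for i in kubectl_json("get", kind, "--all-namespaces")["items"]]
        path = out / f"{kind}.json"
        path.write_text(json.dumps({"apiVersion": "v1", "kind": "List",
                                    "items": items}, indent=2))
        written.append(path)
        if kind.startswith(("issuers", "clusterissuers")):
            issuers.extend(items)
    for ns, name in account_secret_refs(issuers):
        secret = strip_runtime_fields(kubectl_json("get", "secret", "-n", ns, name))
        path = out / f"secret-{ns}-{name}.json"
        path.write_text(json.dumps(secret, indent=2))
        written.append(path)
    return written


if __name__ == "__main__":
    for p in backup(sys.argv[1] if len(sys.argv) > 1 else "cert-manager-backup"):
        print("wrote", p)
```

After the v1.1.0 install, `kubectl apply -f` the Secret files first and the Lists afterwards; cert-manager compares an existing TLS Secret with the restored Certificate and keeps it if it still matches, so nothing is reissued unnecessarily.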

Running kubectl describe pod cert-manager-xx confirmed that the installed version was v0.16.1. This time, instead of deleting the namespace and the other resources by hand as in the previous article, the uninstall was done with delete -f against the resource definition file (the inverse of apply), as follows:

    [root@host01 ~]# kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.16.1/cert-manager.yaml
    Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
    customresourcedefinition.apiextensions.k8s.io "certificaterequests.cert-manager.io" deleted
    customresourcedefinition.apiextensions.k8s.io "certificates.cert-manager.io" deleted
    customresourcedefinition.apiextensions.k8s.io "challenges.acme.cert-manager.io" deleted
    customresourcedefinition.apiextensions.k8s.io "clusterissuers.cert-manager.io" deleted
    customresourcedefinition.apiextensions.k8s.io "issuers.cert-manager.io" deleted
    customresourcedefinition.apiextensions.k8s.io "orders.acme.cert-manager.io" deleted
    namespace "cert-manager" deleted
    serviceaccount "cert-manager-cainjector" deleted
    serviceaccount "cert-manager" deleted
    serviceaccount "cert-manager-webhook" deleted
    Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
    clusterrole.rbac.authorization.k8s.io "cert-manager-cainjector" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-controller-issuers" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-controller-clusterissuers" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-controller-certificates" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-controller-orders" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-controller-challenges" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-controller-ingress-shim" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-view" deleted
    clusterrole.rbac.authorization.k8s.io "cert-manager-edit" deleted
    Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-cainjector" deleted
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-issuers" deleted
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-clusterissuers" deleted
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-certificates" deleted
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-orders" deleted
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-challenges" deleted
    clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-ingress-shim" deleted
    Warning: rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
    role.rbac.authorization.k8s.io "cert-manager-cainjector:leaderelection" deleted
    role.rbac.authorization.k8s.io "cert-manager:leaderelection" deleted
    role.rbac.authorization.k8s.io "cert-manager-webhook:dynamic-serving" deleted
    Warning: rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
    rolebinding.rbac.authorization.k8s.io "cert-manager-cainjector:leaderelection" deleted
    rolebinding.rbac.authorization.k8s.io "cert-manager:leaderelection" deleted
    rolebinding.rbac.authorization.k8s.io "cert-manager-webhook:dynamic-serving" deleted
    service "cert-manager" deleted
    service "cert-manager-webhook" deleted
    deployment.apps "cert-manager-cainjector" deleted
    deployment.apps "cert-manager" deleted
    deployment.apps "cert-manager-webhook" deleted
    Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
    mutatingwebhookconfiguration.admissionregistration.k8s.io "cert-manager-webhook" deleted
    Warning: admissionregistration.k8s.io/v1beta1 ValidatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration
    validatingwebhookconfiguration.admissionregistration.k8s.io "cert-manager-webhook" deleted

As you can see, cert-manager involves a large number of resources. Next, install the latest version, v1.1.0:

    [root@host01 ~]# kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
    customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
    customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
    customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
    customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
    customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
    customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
    namespace/cert-manager created
    serviceaccount/cert-manager-cainjector created
    serviceaccount/cert-manager created
    serviceaccount/cert-manager-webhook created
    clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
    clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
    clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
    clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
    clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
    clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
    clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
    clusterrole.rbac.authorization.k8s.io/cert-manager-view created
    clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
    clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
    role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
    role.rbac.authorization.k8s.io/cert-manager:leaderelection created
    role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
    rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
    rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
    rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
    service/cert-manager created
    service/cert-manager-webhook created
    deployment.apps/cert-manager-cainjector created
    deployment.apps/cert-manager created
    deployment.apps/cert-manager-webhook created
    mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
    validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
    [root@host01 ~]#
    # list the installed resources
    [root@host01 ~]# kubectl get all -n cert-manager
    NAME READY STATUS RESTARTS AGE
    pod/cert-manager-5597cff495-phdjj 1/1 Running 0 67s
    pod/cert-manager-cainjector-bd5f9c764-csvgm 1/1 Running 0 67s
    pod/cert-manager-webhook-5f57f59fbc-dqq54 1/1 Running 0 67s

    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    service/cert-manager ClusterIP ip01 <none> 9402/TCP 67s
    service/cert-manager-webhook ClusterIP ip02 <none> 443/TCP 67s

    NAME READY UP-TO-DATE AVAILABLE AGE
    deployment.apps/cert-manager 1/1 1 1 67s
    deployment.apps/cert-manager-cainjector 1/1 1 1 67s
    deployment.apps/cert-manager-webhook 1/1 1 1 67s

    NAME DESIRED CURRENT READY AGE
    replicaset.apps/cert-manager-5597cff495 1 1 1 67s
    replicaset.apps/cert-manager-cainjector-bd5f9c764 1 1 1 67s
    replicaset.apps/cert-manager-webhook-5f57f59fbc 1 1 1 67s
    # show the pod details
    [root@host01 ~]# kubectl describe -n cert-manager pod cert-manager-5597cff495-phdjj
    Name: cert-manager-5597cff495-phdjj
    Namespace: cert-manager
    ......
    docker://bd819732bd9bb835b70d3954a425a407e38f147e66ed308b697bc80f8da88914
    Image: quay.io/jetstack/cert-manager-controller:v1.1.0
    ......

The installation succeeded: the resources in the cert-manager namespace are the same as with v0.16.1, and the pod description shows the controller image has been upgraded to the latest v1.1.0.

Use the official example to verify that creating an Issuer and a Certificate works:

    [root@host01 ~]# cat <<EOF > test-resources.yaml
    apiVersion: v1
    kind: Namespace
    metadata:
      name: cert-manager-test
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: test-selfsigned
      namespace: cert-manager-test
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: selfsigned-cert
      namespace: cert-manager-test
    spec:
      dnsNames:
        - example.com
      secretName: selfsigned-cert-tls
      issuerRef:
        name: test-selfsigned
    EOF
    # create the Issuer and the Certificate
    [root@host01 ~]# kubectl apply -f test-resources.yaml
    namespace/cert-manager-test created
    issuer.cert-manager.io/test-selfsigned created
    certificate.cert-manager.io/selfsigned-cert created
    [root@host01 ~]#

    # check whether the certificate was issued
    [root@host01 ~]# kubectl describe certificate -n cert-manager-test
    Name: selfsigned-cert
    Namespace: cert-manager-test
    ... ...
    Events:
    Type Reason Age From Message
    ---- ------ ---- ---- -------
    Normal Issuing 48s cert-manager Issuing certificate as Secret does not exist
    Normal Generated 47s cert-manager Stored new private key in temporary Secret resource "selfsigned-cert-6vzw9"
    Normal Requested 47s cert-manager Created new CertificateRequest resource "selfsigned-cert-kr86d"
    Normal Generated 46s (x2 over 47s) cert-manager Stored new private key in temporary Secret resource "selfsigned-cert-vz2mm"
    Normal Requested 46s cert-manager Created new CertificateRequest resource "selfsigned-cert-pz6mj"
    Normal Issuing 36s cert-manager The certificate has been successfully issued

The certificate was issued successfully by the Issuer we defined.
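
kubectl describe shows the event trail of one Certificate. After an upgrade it is more useful to walk every Certificate in the cluster and report the ones that are not Ready, whose target Secret is missing, or that are close to expiry. The script below is an added example and not part of the original post; it reads the output of kubectl get certificates -A -o json and kubectl get secrets -A -o json, and the embedded sample data is constructed to resemble the page's selfsigned-cert rather than copied from a real cluster. The 14-day warning threshold is an assumption.

```python
"""Post-upgrade Certificate health check. Added example, not from the post."""
import json
import subprocess
import sys
from datetime import datetime, timezone

WARN_DAYS = 14  # assumption: flag certificates with less than two weeks left


def parse_k8s_time(value: str) -> datetime:
    """Kubernetes status timestamps are RFC 3339 in UTC, e.g. 2021-03-02T06:18:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ready_condition(cert: dict):
    """The Ready condition cert-manager sets on Certificate.status, if any."""
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def check_certificate(cert: dict, secret_keys: set, now: datetime) -> list:
    """Findings for one Certificate; an empty list means it is healthy."""
    findings = []
    cond = ready_condition(cert)
    if cond is None:
        findings.append("no Ready condition yet (controller has not reconciled it)")
    elif cond.get("status") != "True":
        findings.append(f"not Ready: {cond.get('reason')}: {cond.get('message', '')}")
    ns = cert["metadata"]["namespace"]
    secret = cert["spec"]["secretName"]
    if (ns, secret) not in secret_keys:
        findings.append(f"Secret {ns}/{secret} does not exist")
    not_after = cert.get("status", {}).get("notAfter")
    if not_after:
        days_left = (parse_k8s_time(not_after) - now).days
        if days_left < WARN_DAYS:
            findings.append(f"expires in {days_left} days")
    return findings


def check_all(cert_list: dict, secret_list: dict, now: datetime) -> dict:
    """Map 'namespace/name' -> findings for every Certificate in a kubectl List."""
    secret_keys = {(s["metadata"]["namespace"], s["metadata"]["name"])
                   for s in secret_list["items"]}
    return {f'{c["metadata"]["namespace"]}/{c["metadata"]["name"]}':
            check_certificate(c, secret_keys, now) for c in cert_list["items"]}


# Constructed sample: one healthy self-signed cert like the page's, one still issuing.
SAMPLE_CERTS = {"items": [
    {"metadata": {"name": "selfsigned-cert", "namespace": "cert-manager-test"},
     "spec": {"secretName": "selfsigned-cert-tls", "dnsNames": ["example.com"]},
     "status": {"notAfter": "2021-03-02T06:18:51Z",
                "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                                "message": "Certificate is up to date and has not expired"}]}},
    {"metadata": {"name": "web-tls", "namespace": "apps"},
     "spec": {"secretName": "web-tls", "dnsNames": ["web.example.com"]},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                "message": "Issuing certificate as Secret does not exist"}]}},
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"name": "selfsigned-cert-tls", "namespace": "cert-manager-test"}},
]}
SAMPLE_NOW = datetime(2020, 12, 2, tzinfo=timezone.utc)  # the post's date


def kubectl_list(kind: str) -> dict:
    """Live query helper, used only with --live."""
    proc = subprocess.run(["kubectl", "get", kind, "-A", "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    certs = kubectl_list("certificates") if live else SAMPLE_CERTS
    secrets = kubectl_list("secrets") if live else SAMPLE_SECRETS
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    report = check_all(certs, secrets, now)
    for key, findings in report.items():
        print(key, "OK" if not findings else "; ".join(findings))
    sys.exit(1 if any(report.values()) else 0)
```

Run it with --live against the cluster; the non-zero exit status makes it usable as a gate in a pipeline after every cert-manager upgrade.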

Finally, a quick look at installing the kubectl cert-manager plugin: download it from the official release page and put it in a directory on the PATH:

    [root@host01 cert-manager]# curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/download/v1.1.0/kubectl-cert_manager-linux-amd64.tar.gz
    [root@host01 cert-manager]# tar xzf kubectl-cert-manager.tar.gz
    [root@host01 cert-manager]# mv kubectl-cert_manager /usr/local/bin
    [root@host01 cert-manager]# kubectl cert-manager help

    kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes

    Usage:
      kubectl cert-manager [command]

    Available Commands:
      convert     Convert cert-manager config files between different API versions
      create      Create cert-manager resources
      help        Help about any command
      renew       Mark a Certificate for manual renewal
      status      Get details on current status of cert-manager resources
      version     Print the kubectl cert-manager version

The help output shows quite a few features, including converting config files between API versions, creating resources, renewing certificates, and viewing resource status. Below is an example of converting a config file from v1alpha2 to v1:

    [root@host01 cert-manager]# kubectl cert-manager convert -f cluster-issuer-staging.yaml -o yaml > cluster-issuer-staging-v1.1.0.yaml

    [root@host01 cert-manager]# cat cluster-issuer-staging.yaml
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        email: xxx
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-staging
        solvers:
        - http01:
            ingress:
              class: nginx

    [root@host01 cert-manager]# cat acme-v1.1.0.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        # You must replace this email address with your own.
        # Let's Encrypt will use this to contact you about expiring
        # certificates, and issues related to your account.
        email: xxx
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # Secret resource that will be used to store the account's private key.
          name: letsencrypt-staging
        # Add a single challenge solver, HTTP01 using nginx
        solvers:
        - http01:
            ingress:
              class: nginx
    [root@host01 cert-manager]#
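
For an Issuer or ClusterIssuer such as the one above, the conversion only changes apiVersion. For Certificate objects the v1 schema also moved several fields: keyAlgorithm, keySize and keyEncoding went under privateKey (with upper-case algorithm names such as RSA and ECDSA), organization became subject.organizations, and emailSANs and uriSANs became emailAddresses and uris. The script below is an added example, not part of the original post and not the plugin's own code: it applies those moves to manifests held as parsed dicts (what any YAML loader returns, so it runs without PyYAML) and lists the cert-manager resources in a set of manifests that have not been converted yet. The Certificate sample is constructed; the ClusterIssuer sample is the page's own file.

```python
"""v1alpha2 -> v1 field migration for cert-manager manifests and a check for
unconverted manifests. Added example, not from the post or the plugin."""
import copy

CM_GROUPS = ("cert-manager.io", "acme.cert-manager.io")

# Certificate.spec keys that moved when v1alpha2 was retired: old -> (section, new)
MOVED_KEYS = {
    "keyAlgorithm": ("privateKey", "algorithm"),
    "keySize": ("privateKey", "size"),
    "keyEncoding": ("privateKey", "encoding"),
    "organization": ("subject", "organizations"),
}
RENAMED_KEYS = {"emailSANs": "emailAddresses", "uriSANs": "uris"}


def split_api_version(api_version: str):
    """'cert-manager.io/v1alpha2' -> ('cert-manager.io', 'v1alpha2'); core 'v1' -> ('', 'v1')."""
    group, sep, version = api_version.rpartition("/")
    return (group, version) if sep else ("", api_version)


def convert_certificate_spec(spec: dict) -> dict:
    """Apply the v1alpha2 -> v1 key moves to a Certificate spec (copy, input untouched)."""
    spec = copy.deepcopy(spec)
    for old, (section, new) in MOVED_KEYS.items():
        if old in spec:
            spec.setdefault(section, {})[new] = spec.pop(old)
    if "algorithm" in spec.get("privateKey", {}):
        # v1 spells the algorithm in upper case (RSA, ECDSA); v1alpha2 used lower case.
        spec["privateKey"]["algorithm"] = str(spec["privateKey"]["algorithm"]).upper()
    for old, new in RENAMED_KEYS.items():
        if old in spec:
            spec[new] = spec.pop(old)
    return spec


def to_v1(manifest: dict) -> dict:
    """Return a v1 copy of a cert-manager.io manifest; anything else is returned unchanged."""
    group, version = split_api_version(manifest["apiVersion"])
    if group != "cert-manager.io" or version == "v1":
        return manifest
    out = copy.deepcopy(manifest)
    out["apiVersion"] = "cert-manager.io/v1"
    if manifest["kind"] == "Certificate":
        out["spec"] = convert_certificate_spec(manifest.get("spec", {}))
    return out


def unconverted(manifests: list) -> list:
    """(kind, name, apiVersion) of every cert-manager resource that is not at v1."""
    hits = []
    for m in manifests:
        group, version = split_api_version(m["apiVersion"])
        if group in CM_GROUPS and version != "v1":
            hits.append((m["kind"], m["metadata"]["name"], m["apiVersion"]))
    return hits


# The page's ClusterIssuer as a parsed dict, plus a constructed v1alpha2 Certificate.
STAGING_ISSUER = {
    "apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {"acme": {"email": "xxx",
                      "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
                      "privateKeySecretRef": {"name": "letsencrypt-staging"},
                      "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
}
OLD_CERT = {
    "apiVersion": "cert-manager.io/v1alpha2", "kind": "Certificate",
    "metadata": {"name": "web-tls", "namespace": "apps"},
    "spec": {"secretName": "web-tls", "dnsNames": ["web.example.com"],
             "keyAlgorithm": "rsa", "keySize": 2048, "organization": ["Example Org"],
             "issuerRef": {"name": "letsencrypt-staging", "kind": "ClusterIssuer"}},
}

if __name__ == "__main__":
    import json
    print("unconverted:", unconverted([STAGING_ISSUER, OLD_CERT]))
    print(json.dumps([to_v1(STAGING_ISSUER), to_v1(OLD_CERT)], indent=2))
```

Running unconverted() over a repository's manifests before the reinstall is a cheap way to find the files that still need kubectl cert-manager convert.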

A later article will cover generating certificates automatically with Let's Encrypt.
