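With the rise of cloud computing and microservice architectures, Kubernetes has become the container orchestration platform of choice for many companies and developers. Alongside the flexibility and scalability it brings, securing communication between applications becomes especially important. TLS (Transport Layer Security) is one of the key technologies for protecting data in transit, but managing TLS certificates by hand is often complex and error-prone. To address this, Jetstack released the open-source project cert-manager, which aims to simplify requesting, renewing, and managing TLS certificates in Kubernetes environments. This article walks you through installing cert-manager and introduces its basic configuration.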

cert-manager architecture diagram

Install Helm version 3 or later.
Install a supported version of Kubernetes.

| Version | End of life | Supported Kubernetes versions |
| --- | --- | --- |
| 1.15 | Release of 1.17 | 1.25 → 1.31 |
| 1.14 | Release of 1.16 | 1.24 → 1.31 |
| 1.12 LTS | May 19, 2025 | 1.22 → 1.31 |

1. Add the Helm repository

```bash
$ helm repo add jetstack https://charts.jetstack.io --force-update
"jetstack" has been added to your repositories
```

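2. Download version 1.12 and push it to the Harbor registry

```bash
# Download the chart package
$ helm pull jetstack/cert-manager --version v1.12.13
# Push it to the Harbor registry
$ helm push cert-manager-v1.12.13.tgz oci://core.jiaxzeng.com/plugins
Pushed: core.jiaxzeng.com/plugins/cert-manager:v1.12.13
Digest: sha256:b4c7cc94bfa93d28c3461d7dbb9a8112c61e5c78bc4b09edc5499b5a5b22e634
```

Tip: Run this step on a host that has public internet access. A Kubernetes cluster normally sits on an internal network and has no public internet access.
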
3. Pull the chart package on the Kubernetes node

```bash
$ sudo helm pull oci://core.jiaxzeng.com/plugins/cert-manager --version v1.12.13 --untar --untardir /etc/kubernetes/addons/
Pulled: core.jiaxzeng.com/plugins/cert-manager:v1.12.13
Digest: sha256:b4c7cc94bfa93d28c3461d7dbb9a8112c61e5c78bc4b09edc5499b5a5b22e634
```

4. Create the cert-manager values file

```bash
$ cat <<'EOF' | sudo tee /etc/kubernetes/addons/cert-manager-value.yml > /dev/null
global:
  leaderElection:
    namespace: "kube-system"
installCRDs: true
image:
  repository: core.jiaxzeng.com/library/cert-manager/cert-manager-controller
  tag: v1.12.13
http_proxy: "http://172.139.20.170:3888"
https_proxy: "https://172.139.20.170:3888"
no_proxy: "127.0.0.1,localhost,172.139.20.0/24,10.96.0.0/16,10.244.0.0/16"
startupapicheck:
  image:
    repository: core.jiaxzeng.com/library/cert-manager/cert-manager-ctl
    tag: v1.12.13
webhook:
  image:
    repository: core.jiaxzeng.com/library/cert-manager/cert-manager-webhook
    tag: v1.12.13
cainjector:
  image:
    repository: core.jiaxzeng.com/library/cert-manager/cert-manager-cainjector
    tag: v1.12.13
EOF
```

5. Install cert-manager

```bash
$ helm -n kube-system install cert-manager -f /etc/kubernetes/addons/cert-manager-value.yml /etc/kubernetes/addons/cert-manager
NAME: cert-manager
LAST DEPLOYED: Thu Sep 26 23:23:09 2024
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.12.13 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
```

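
The checks below are an added example, not part of the original article: before the install in step 5, compare the digest that `helm pull` reports on the node with the one `helm push` printed in step 2, and list any `repository:` entry in the values file that does not point at the internal registry. The function names and the sample values fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: integrity checks for the offline cert-manager install flow.
# Function names are hypothetical helpers, not part of helm or cert-manager.

# Digest printed by `helm push` on the internet-connected host (step 2).
PINNED_DIGEST="sha256:b4c7cc94bfa93d28c3461d7dbb9a8112c61e5c78bc4b09edc5499b5a5b22e634"
INTERNAL_REGISTRY="core.jiaxzeng.com"

# Print the sha256 digest found in `helm push` / `helm pull` output on stdin.
chart_digest() {
  sed -n 's/^Digest:[[:space:]]*\(sha256:[0-9a-f]\{64\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Succeed only if helm's output on stdin reports exactly the pinned digest $1.
verify_chart_digest() {
  local actual
  actual="$(chart_digest)"
  [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# Print each `repository:` value on stdin (a values file) not under registry $1.
# The trailing slash stops look-alike hosts that merely share the prefix.
foreign_repositories() {
  awk -v reg="$1/" '/^[ \t]*repository:/ {
    v = $2; gsub(/"/, "", v)
    if (index(v, reg) != 1) print v
  }'
}

# Constructed samples: pull output in the format shown in step 3, and a values
# fragment in which the webhook override was forgotten.
SAMPLE_PULL="Pulled: core.jiaxzeng.com/plugins/cert-manager:v1.12.13
Digest: $PINNED_DIGEST"
SAMPLE_VALUES='image:
  repository: core.jiaxzeng.com/library/cert-manager/cert-manager-controller
webhook:
  image:
    repository: quay.io/jetstack/cert-manager-webhook'

if printf '%s\n' "$SAMPLE_PULL" | verify_chart_digest "$PINNED_DIGEST"; then
  echo "chart digest matches the pushed artifact"
else
  echo "chart digest mismatch: do not install" >&2
fi
echo "repositories outside $INTERNAL_REGISTRY:"
printf '%s\n' "$SAMPLE_VALUES" | foreign_repositories "$INTERNAL_REGISTRY"
```

On a real node, pipe the output of the `helm pull` command into `verify_chart_digest` and feed `/etc/kubernetes/addons/cert-manager-value.yml` to `foreign_repositories`; any line it prints is an image the cluster would try to fetch from outside Harbor.
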
https://cert-manager.io/docs/releases/
https://cert-manager.io/docs/installation/helm/
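By following the steps above, you have now installed and configured cert-manager on your own Kubernetes cluster. You can now manage TLS certificates more efficiently, and the security of the whole system improves significantly.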

This article is reposted from Linux运维智行录.




