Как посмотреть состояние сертификата? | How do I check the certificate status? |
console | console |
kubectl -n default describe certificate example-com … Status: Acme: Authorizations: Account: https://acme-v01.api.letsencrypt.org/acme/reg/22442061 Domain: example.com Uri: https://acme-v01.api.letsencrypt.org/acme/challenge/qJA9MGCZnUnVjAgxhoxONvDnKAsPatRILJ4n0lJ7MMY/4062050823 Account: https://acme-v01.api.letsencrypt.org/acme/reg/22442061 Domain: admin.example.com Uri: https://acme-v01.api.letsencrypt.org/acme/challenge/pW2tFKLBDTll2Gx8UBqmEl846x5W-YpBs8a4HqstJK8/4062050808 Account: https://acme-v01.api.letsencrypt.org/acme/reg/22442061 Domain: www.example.com Uri: https://acme-v01.api.letsencrypt.org/acme/challenge/LaZJMM9_OKcTYbEThjT3oLtwgpkNfbHVdl8Dz-yypx8/4062050792 Conditions: Last Transition Time: 2018-04-02T18:01:04Z Message: Certificate issued successfully Reason: CertIssueSuccess Status: True Type: Ready Events: Type Reason Age From Message —- —— —- —- ——- Normal PrepareCertificate 1m cert-manager-controller Preparing certificate with issuer Normal PresentChallenge 1m cert-manager-controller Presenting http-01 challenge for domain example.com Normal PresentChallenge 1m cert-manager-controller Presenting http-01 challenge for domain www.example.com Normal PresentChallenge 1m cert-manager-controller Presenting http-01 challenge for domain admin.example.com Normal SelfCheck 1m cert-manager-controller Performing self-check for domain admin.example.com Normal SelfCheck 1m cert-manager-controller Performing self-check for domain example.com Normal SelfCheck 1m cert-manager-controller Performing self-check for domain www.example.com Normal ObtainAuthorization 55s cert-manager-controller Obtained authorization for domain example.com Normal ObtainAuthorization 54s cert-manager-controller Obtained authorization for domain admin.example.com Normal ObtainAuthorization 53s cert-manager-controller Obtained authorization for domain www.example.com | kubectl -n default describe certificate example-com … Status: Acme: Authorizations: Account: https://acme-v01.api.letsencrypt.org/acme/reg/22442061 Domain: example.com Uri: https://acme-v01.api.letsencrypt.org/acme/challenge/qJA9MGCZnUnVjAgxhoxONvDnKAsPatRILJ4n0lJ7MMY/4062050823 Account: https://acme-v01.api.letsencrypt.org/acme/reg/22442061 Domain: admin.example.com Uri: https://acme-v01.api.letsencrypt.org/acme/challenge/pW2tFKLBDTll2Gx8UBqmEl846x5W-YpBs8a4HqstJK8/4062050808 Account: https://acme-v01.api.letsencrypt.org/acme/reg/22442061 Domain: www.example.com Uri: https://acme-v01.api.letsencrypt.org/acme/challenge/LaZJMM9_OKcTYbEThjT3oLtwgpkNfbHVdl8Dz-yypx8/4062050792 Conditions: Last Transition Time: 2018-04-02T18:01:04Z Message: Certificate issued successfully Reason: CertIssueSuccess Status: True Type: Ready Events: Type Reason Age From Message —- —— —- —- ——- Normal PrepareCertificate 1m cert-manager-controller Preparing certificate with issuer Normal PresentChallenge 1m cert-manager-controller Presenting http-01 challenge for domain example.com Normal PresentChallenge 1m cert-manager-controller Presenting http-01 challenge for domain www.example.com Normal PresentChallenge 1m cert-manager-controller Presenting http-01 challenge for domain admin.example.com Normal SelfCheck 1m cert-manager-controller Performing self-check for domain admin.example.com Normal SelfCheck 1m cert-manager-controller Performing self-check for domain example.com Normal SelfCheck 1m cert-manager-controller Performing self-check for domain www.example.com Normal ObtainAuthorization 55s cert-manager-controller Obtained authorization for domain example.com Normal ObtainAuthorization 54s cert-manager-controller Obtained authorization for domain admin.example.com Normal ObtainAuthorization 53s cert-manager-controller Obtained authorization for domain www.example.com |
Как получить список сертификатов? | How do I get a list of certificates? |
console | console |
kubectl get certificate –all-namespaces NAMESPACE NAME AGE default example-com 13m | kubectl get certificate –all-namespaces NAMESPACE NAME AGE default example-com 13m |
Какие виды сертификатов поддерживаются? | What types of certificates are supported? |
На данный момент модуль устанавливает два ClusterIssuer’а:
| Currently, the module supports the following two ClusterIssuers:
|
Работает ли старая аннотация tls-acme? | Does the legacy tls-acme annotation work? |
Да, работает! Специальный компонент ( | Yes, it works! The dedicated component ( |
|
|
yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/tls-acme: “true” # вот она, аннотация! name: example-com namespace: default spec: ingressClassName: nginx rules:
| yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/tls-acme: “true” # here is the annotation! name: example-com namespace: default spec: ingressClassName: nginx rules:
|
Ошибка: CAA record does not match issuer | The “CAA record does not match issuer” error |
Если | Suppose |
text CAA record does not match issuer | text CAA record does not match issuer |
То необходимо проверить | In this case, you have to check the |
Интеграция с Vault | Vault integration |
Вы можете использовать данную инструкцию для выпуска сертификатов с помощью Vault. | You can use this manual for configuring certificate issuance using Vault. |
После конфигурации PKI и включения авторизации в Kubernetes, вам нужно:
| After configuring PKI and enabling Kubernetes authorization, you have to:
|
shell kubectl create serviceaccount issuer ISSUER_SECRET_REF=$(kubectl get serviceaccount issuer -o json | jq -r “.secrets[].name”) | shell kubectl create serviceaccount issuer ISSUER_SECRET_REF=$(kubectl get serviceaccount issuer -o json | jq -r “.secrets[].name”) |
|
|
shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: vault-issuer namespace: default spec: vault: если Vault разворачивался по вышеуказанной инструкции, в это месте в инструкции опечатка server: http://vault.default.svc.cluster.local:8200 указывается на этапе конфигурации PKI path: pki/sign/example-dot-com auth: kubernetes: mountPath: /v1/auth/kubernetes role: issuer secretRef: name: $ISSUER_SECRET_REF key: token EOF | shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: vault-issuer namespace: default spec: vault: HashiCorp instruction has mistype here server: http://vault.default.svc.cluster.local:8200 path: pki/sign/example-dot-com # configure in pki setup step auth: kubernetes: mountPath: /v1/auth/kubernetes role: issuer secretRef: name: $ISSUER_SECRET_REF key: token EOF |
|
|
shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: example-com namespace: default spec: secretName: example-com-tls issuerRef: name: vault-issuer домены указываются на этапе конфигурации PKI в Vault commonName: www.example.com dnsNames:
| shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: example-com namespace: default spec: secretName: example-com-tls issuerRef: name: vault-issuer domains are set on PKI setup commonName: www.example.com dnsNames:
|
Как защитить учетные данные cert-manager? | How to secure cert-manager credentials? |
Если вы не хотите хранить учетные данные конфигурации Deckhouse (например, по соображениям безопасности), вы можете создать свой собственный ClusterIssuer / Issuer. Например, вы можете создать свой ClusterIssuer для сервиса route53 следующим образом:
| If you don’t want to store credentials in the Deckhouse configuration (security reasons, for example), feel free to create your own ClusterIssuer / Issuer. For example, you can create your own ClusterIssuer for a route53 service in this way:
|
shell kubectl apply -f - «EOF apiVersion: v1 kind: Secret type: Opaque metadata: name: route53 namespace: default data: secret-access-key: {{ “MY-AWS-ACCESS-KEY-TOKEN” | b64enc | quote }} EOF | shell kubectl apply -f - «EOF apiVersion: v1 kind: Secret type: Opaque metadata: name: route53 namespace: default data: secret-access-key: {{ “MY-AWS-ACCESS-KEY-TOKEN” | b64enc | quote }} EOF |
|
|
shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: route53 namespace: default spec: acme: server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: route53-tls-key solvers:
| shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: route53 namespace: default spec: acme: server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: route53-tls-key solvers:
|
|
|
shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: example-com namespace: default spec: secretName: example-com-tls issuerRef: name: route53 commonName: www.example.com dnsNames:
| shell kubectl apply -f - «EOF apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: example-com namespace: default spec: secretName: example-com-tls issuerRef: name: route53 commonName: www.example.com dnsNames:
|