## How do I check the certificate status?
```console
kubectl -n default describe certificate example-com
…
Status:
  Acme:
    Authorizations:
      Account:  https://acme-v01.api.letsencrypt.org/acme/reg/22442061
      Domain:   example.com
      Uri:      https://acme-v01.api.letsencrypt.org/acme/challenge/qJA9MGCZnUnVjAgxhoxONvDnKAsPatRILJ4n0lJ7MMY/4062050823
      Account:  https://acme-v01.api.letsencrypt.org/acme/reg/22442061
      Domain:   admin.example.com
      Uri:      https://acme-v01.api.letsencrypt.org/acme/challenge/pW2tFKLBDTll2Gx8UBqmEl846x5W-YpBs8a4HqstJK8/4062050808
      Account:  https://acme-v01.api.letsencrypt.org/acme/reg/22442061
      Domain:   www.example.com
      Uri:      https://acme-v01.api.letsencrypt.org/acme/challenge/LaZJMM9_OKcTYbEThjT3oLtwgpkNfbHVdl8Dz-yypx8/4062050792
  Conditions:
    Last Transition Time:  2018-04-02T18:01:04Z
    Message:               Certificate issued successfully
    Reason:                CertIssueSuccess
    Status:                True
    Type:                  Ready
Events:
  Type    Reason               Age  From                     Message
  ----    ------               ---- ----                     -------
  Normal  PrepareCertificate   1m   cert-manager-controller  Preparing certificate with issuer
  Normal  PresentChallenge     1m   cert-manager-controller  Presenting http-01 challenge for domain example.com
  Normal  PresentChallenge     1m   cert-manager-controller  Presenting http-01 challenge for domain www.example.com
  Normal  PresentChallenge     1m   cert-manager-controller  Presenting http-01 challenge for domain admin.example.com
  Normal  SelfCheck            1m   cert-manager-controller  Performing self-check for domain admin.example.com
  Normal  SelfCheck            1m   cert-manager-controller  Performing self-check for domain example.com
  Normal  SelfCheck            1m   cert-manager-controller  Performing self-check for domain www.example.com
  Normal  ObtainAuthorization  55s  cert-manager-controller  Obtained authorization for domain example.com
  Normal  ObtainAuthorization  54s  cert-manager-controller  Obtained authorization for domain admin.example.com
  Normal  ObtainAuthorization  53s  cert-manager-controller  Obtained authorization for domain www.example.com
```
## How do I get a list of certificates?
```console
kubectl get certificate --all-namespaces
NAMESPACE   NAME          AGE
default     example-com   13m
```
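The two commands above answer the question for one certificate at a time. The script below is an added example (not part of the Deckhouse documentation or of cert-manager) that turns `kubectl get certificate -A -o json` into a readiness and expiry report for every Certificate in the cluster: it reads the same `Ready` condition that `kubectl describe` shows and, where cert-manager v1 fills in `status.notAfter`, the days left before expiry. The embedded sample JSON, the 14-day warning threshold and the `--live` flag are constructed for this example.

```python
#!/usr/bin/env python3
"""Summarise cert-manager Certificate status from `kubectl get certificate -A -o json`.

Added example, not Deckhouse documentation. Without arguments it runs on the
constructed SAMPLE below; with --live it calls kubectl and reports the cluster.
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # assumption: flag certificates that expire within two weeks


def parse_time(value):
    """Parse an RFC 3339 timestamp as kubectl prints it (e.g. 2018-04-02T18:01:04Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarise(cert_list, now, warn_days=WARN_DAYS):
    """Return one dict per Certificate: Ready flag, reason, message and days left."""
    rows = []
    for item in cert_list.get("items", []):
        meta = item["metadata"]
        status = item.get("status", {})
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
        not_after = status.get("notAfter")  # cert-manager v1 status field; absent on older versions
        days_left = None
        if not_after:
            days_left = (parse_time(not_after) - now) / timedelta(days=1)
        rows.append({
            "namespace": meta["namespace"],
            "name": meta["name"],
            "ready": ready is not None and ready.get("status") == "True",
            "reason": (ready or {}).get("reason", "NoReadyCondition"),
            "message": (ready or {}).get("message", ""),
            "days_left": days_left,
            "expiring": days_left is not None and days_left < warn_days,
        })
    return rows


def problems(rows):
    """Rows that need attention: not Ready, or expiring sooner than the threshold."""
    return [r for r in rows if not r["ready"] or r["expiring"]]


# Constructed sample in the shape `kubectl get certificate -A -o json` returns.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "default", "name": "example-com"},
         "status": {"notAfter": "2018-07-01T18:01:04Z",
                    "conditions": [{"type": "Ready", "status": "True",
                                    "reason": "CertIssueSuccess",
                                    "message": "Certificate issued successfully"}]}},
        {"metadata": {"namespace": "default", "name": "admin-example-com"},
         "status": {"conditions": [{"type": "Ready", "status": "False",
                                    "reason": "Failed",
                                    "message": "CAA record does not match issuer"}]}},
    ]
}


if __name__ == "__main__":
    if "--live" in sys.argv:
        raw = subprocess.run(["kubectl", "get", "certificate", "-A", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        certs, now = json.loads(raw), datetime.now(timezone.utc)
    else:
        certs, now = SAMPLE, parse_time("2018-04-02T18:01:04Z")
    rows = summarise(certs, now)
    for r in rows:
        left = "n/a" if r["days_left"] is None else f"{r['days_left']:.0f}d"
        print(f"{r['namespace']}/{r['name']}: ready={r['ready']} reason={r['reason']} "
              f"expires_in={left} {r['message']}")
    sys.exit(1 if problems(rows) else 0)
```

The exit status is 1 whenever any Certificate is not Ready or is close to expiry, so the script can run unchanged as a cron or CI check against a real cluster with `--live`.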
## What types of certificates are supported?

Currently, the module supports the following two ClusterIssuers:
## Does the legacy tls-acme annotation work?

Yes, it works! The dedicated component (

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/tls-acme: "true" # here is the annotation!
  name: example-com
  namespace: default
spec:
  ingressClassName: nginx
  rules:
```
## The "CAA record does not match issuer" error

Suppose certificate issuance fails with the following error:

```text
CAA record does not match issuer
```

In this case, you have to check the
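The error above means the CA consulted the domain's CAA records and found that they do not authorise it. The script below is an added example (not Deckhouse or cert-manager code) that evaluates CAA records the way RFC 8659 tells a CA to, so the check can be done before requesting a certificate: it climbs to the closest ancestor with a CAA RRset, honours `issuewild` over `issue` for wildcard names, treats a critical unknown tag as a refusal, and reports why a record set does or does not match. Input is the presentation format `dig +short CAA <name>` prints; the script makes no DNS queries itself, and the `SAMPLE` records, the name `issuance_allowed` and the helper names are constructed for this example. Let's Encrypt's CAA identifier is `letsencrypt.org`.

```python
#!/usr/bin/env python3
"""Check CAA records against a CA as RFC 8659 requires (added example, not Deckhouse code).

Records are the lines `dig +short CAA <name>` prints, e.g. `0 issue "letsencrypt.org"`,
collected per DNS name beforehand; nothing here talks to DNS.
"""

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def parse_caa(line):
    """Split one CAA record line into (flags, tag, value); the value loses its quotes."""
    flags, tag, value = line.strip().split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_rrset(records_by_name, name):
    """RFC 8659 section 3: the CAA RRset of the name itself, else that of its closest ancestor."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if records_by_name.get(candidate):
            return records_by_name[candidate]
    return []


def issuance_allowed(records_by_name, fqdn, issuer):
    """Return (allowed, reason) for issuing a certificate for fqdn by the CA identified by issuer."""
    is_wild = fqdn.startswith("*.")
    name = fqdn[2:] if is_wild else fqdn
    rrset = [parse_caa(line) for line in relevant_rrset(records_by_name, name)]
    if not rrset:
        return True, "no CAA records on the name or any ancestor: any CA may issue"
    # A record whose critical flag (bit 128) is set and whose tag the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical CAA tag {tag!r} is not understood"
    # Wildcard names honour issuewild records first and fall back to issue records.
    for tag in (("issuewild", "issue") if is_wild else ("issue",)):
        entries = [value for _, t, value in rrset if t == tag]
        if entries:
            break
    else:
        return True, "no issue/issuewild records: any CA may issue"
    for value in entries:
        # Parameters after ';' (e.g. validationmethods=...) are not evaluated here;
        # an empty domain, as in the record `issue ";"`, authorises nobody.
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == issuer.lower():
            return True, f"{tag} record authorises {issuer}"
    return False, f"CAA record does not match issuer {issuer}: {tag} records {entries}"


# Constructed sample records keyed by DNS name, as if collected with dig.
SAMPLE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'],
    "legacy.example.com": ['0 issue ";"'],  # explicitly forbids every CA
    "wild.example.com": ['0 issuewild "digicert.com"', '0 issue "letsencrypt.org"'],
}

if __name__ == "__main__":
    for fqdn in ("www.example.com", "legacy.example.com", "*.wild.example.com", "other.org"):
        print(fqdn, *issuance_allowed(SAMPLE, fqdn, "letsencrypt.org"))
```

To check a real name, run `dig +short CAA` for the name and each of its parents, put the lines into the dictionary under the name they were returned for, and call `issuance_allowed` with the CA identifier used by your ClusterIssuer.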
## Vault integration

You can use this manual for configuring certificate issuance using Vault.
After configuring PKI and enabling Kubernetes authorization, you have to:

Create a service account and save the name of its token secret:

```shell
kubectl create serviceaccount issuer
# On Kubernetes 1.24 and later a token Secret is no longer created automatically for a
# ServiceAccount, so .secrets[] is empty; in that case first create a Secret of type
# kubernetes.io/service-account-token for the "issuer" account and use its name below.
ISSUER_SECRET_REF=$(kubectl get serviceaccount issuer -o json | jq -r ".secrets[].name")
```
Create an Issuer:

```shell
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default
spec:
  vault:
    # The HashiCorp guide has a typo in this line; this is the address to use if Vault was deployed as that guide describes.
    server: http://vault.default.svc.cluster.local:8200
    path: pki/sign/example-dot-com # set during the PKI configuration step
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: $ISSUER_SECRET_REF
          key: token
EOF
```
Create a Certificate:

```shell
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: vault-issuer
  # The domains are set during the PKI configuration step.
  commonName: www.example.com
  dnsNames:
```
## How do I use a custom or intermediate CA to issue certificates?

Follow the steps below to use a custom or intermediate CA:
Generate the CA key and a self-signed certificate:

```shell
openssl genrsa -out rootCAKey.pem 2048
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
```
Create a secret with the key pair in the d8-cert-manager namespace.

An example of creating a secret with kubectl:

```shell
kubectl create secret tls internal-ca-key-pair -n d8-cert-manager --key="rootCAKey.pem" --cert="rootCACert.pem"
```
An example of creating a secret from a YAML file (the contents of the certificate files must be Base64-encoded):

```yaml
apiVersion: v1
data:
  tls.crt: <OUTPUT OF
```
You can use any name you like for the secret.
Create a ClusterIssuer that uses the secret:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: inter-ca
spec:
  ca:
    secretName: internal-ca-key-pair # Name of the secret you created earlier.
```
You can use any name as your ClusterIssuer name.

You can now use the created ClusterIssuer to issue certificates for all Deckhouse components or a particular component.
For example, to issue certificates for all Deckhouse components, specify the ClusterIssuer name in the clusterIssuerName global parameter:

```yaml
spec:
  settings:
    modules:
      https:
        certManager:
          clusterIssuerName: inter-ca
        mode: CertManager
      publicDomainTemplate: '%s.
```
## How to secure cert-manager credentials?
If you don't want to store credentials in the Deckhouse configuration (for security reasons, for example), feel free to create your own ClusterIssuer / Issuer. For example, you can create your own ClusterIssuer for a route53 service in this way:
Create a secret with the credentials:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: route53
  namespace: default
data:
  # Base64-encode the real key here; a Helm-style {{ ... | b64enc }} placeholder is not valid input for kubectl.
  secret-access-key: $(echo -n "MY-AWS-ACCESS-KEY-TOKEN" | base64 | tr -d '\n')
EOF
```
Create a ClusterIssuer that references it:

```shell
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
# A ClusterIssuer is cluster-scoped and has no namespace; the secrets it references are
# read from the cert-manager namespace (d8-cert-manager), not from the default namespace.
metadata:
  name: route53
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: route53-tls-key
    solvers:
```
Create a Certificate:

```shell
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: route53
  commonName: www.example.com
  dnsNames:
```