cert-manager is a module that adds support for serving HTTPS from an Ingress in Kubernetes: it obtains the TLS certificate for the Ingress (here from Let's Encrypt over ACME) and stores it in a Secret.
Installing cert-manager
kubectl create namespace cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager.yaml
or
kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.13.1/deploy/manifests/00-crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
# Helm v3+
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.13.1
# Helm v2
helm install \
  --name cert-manager \
  --namespace cert-manager \
  --version v0.13.1 \
  jetstack/cert-manager
Verify the installation
kubectl get pods --namespace cert-manager
cert-manager issuer example
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR_EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - selector: {}
      http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR_EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
Applying it to kubernetes-dashboard
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    app: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  tls:
  - hosts:
    - YOUR_DOMAIN
    secretName: www-test-com-tls
  rules:
  - host: YOUR_DOMAIN
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
status:
  loadBalancer:
    ingress:
    - {}
- Once the test issuance against staging has completed, change the annotation
  cert-manager.io/cluster-issuer: "letsencrypt-staging"
  to
  cert-manager.io/cluster-issuer: "letsencrypt-prod"
- and re-apply the Ingress so that a real (browser-trusted) certificate is issued. Staging certificates chain to an untrusted test CA, so they must not stay on a live Ingress.
Verification
Issuance has succeeded once the following event appears:
  Normal  Issued  <invalid>  cert-manager  Certificate issued successfully
(The <invalid> in the Age column is a kubectl display artifact for an event timestamp ahead of the client clock, not an error.)
[root@kube1 11]# kubectl describe certificate -n nginx-ingress
Name:         www.test.com
Namespace:    nginx-ingress
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-03-13T06:02:23Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  www.test.com
    UID:                   a7d05229-a8cb-405a-80f7-424b0d00a71b
  Resource Version:        44540390
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/nginx-ingress/certificates/$$$$$$$$$
  UID:                     2e762fbc-2111-4b72-ae75-319f8d018be9
Spec:
  Dns Names:
    www.test.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  ###########
Status:
  Conditions:
    Last Transition Time:  2020-03-13T06:03:27Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2020-06-11T05:03:26Z
Events:
  Type    Reason     Age        From          Message
  ----    ------     ----       ----          -------
  Normal  Requested  52s        cert-manager  Created new CertificateRequest resource "cgitlab-p-exem-xyz-3450475095"
  Normal  Issued     <invalid>  cert-manager  Certificate issued successfully
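As an added check (example code written for this article, not part of the original post or of cert-manager), the script below reads a Certificate object in the shape returned by `kubectl get certificate -o json` and reports whether it is Ready, whether the Ingress is still bound to the staging issuer from the manifests above, and how many days remain before Not After. The embedded sample document is constructed from the describe output above; the field names follow cert-manager v1alpha2.

```python
import json
from datetime import datetime, timezone

# ClusterIssuer names from this post's manifests: certificates from the staging
# issuer chain to an untrusted Let's Encrypt CA and must not stay on a live Ingress.
STAGING_ISSUERS = {"letsencrypt-staging"}

# Constructed sample in the shape of `kubectl get certificate -o json`
# (cert-manager v1alpha2); the values mirror the describe output above.
SAMPLE_CERT = json.dumps({
    "metadata": {"name": "www.test.com", "namespace": "nginx-ingress"},
    "spec": {"dnsNames": ["www.test.com"], "secretName": "www-test-com-tls",
             "issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer",
                           "name": "letsencrypt-prod"}},
    "status": {"notAfter": "2020-06-11T05:03:26Z",
               "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                               "message": "Certificate is up to date and has not expired"}]},
})

def parse_k8s_time(value):
    """Parse an API-server RFC 3339 timestamp such as 2020-06-11T05:03:26Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_certificate(doc_json, now, min_days=30):
    """Summarise one Certificate object and list anything an operator should act on."""
    doc = json.loads(doc_json)
    spec, status = doc.get("spec", {}), doc.get("status", {})
    issuer = spec.get("issuerRef", {}).get("name", "")
    ready_cond = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), {})
    ready = ready_cond.get("status") == "True"
    findings = []
    if not ready:  # cert-manager reports the failure reason in the Ready condition's message
        findings.append("not ready: " + ready_cond.get("message", "no Ready condition yet"))
    if issuer in STAGING_ISSUERS:
        findings.append("issued by staging issuer %r; switch the Ingress annotation to prod" % issuer)
    days_left = None
    if "notAfter" in status:  # absent until the first issuance completes
        days_left = (parse_k8s_time(status["notAfter"]) - now).days
        if days_left < min_days:
            findings.append("expires in %d days; check that renewal is working" % days_left)
    return {"name": doc["metadata"]["name"], "ready": ready, "issuer": issuer,
            "dns_names": spec.get("dnsNames", []), "days_left": days_left, "findings": findings}

if __name__ == "__main__":  # for a live object, feed `kubectl get certificate <name> -n <ns> -o json`
    print(json.dumps(check_certificate(SAMPLE_CERT, datetime.now(timezone.utc)), indent=2))
```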
References