自签名证书一般用于服务间或内网访问使用,在公网访问会有不安全提示。

前提条件

  • k8s集群<1.19

  • cert-manager

  • ingress-nginx

方式一:使用自签名作为根证书(简单明了)

创建ClusterIssuer

1
2
3
4
5
6
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
   name: selfsigned
spec:
   selfSigned: {}

创建证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-test
  namespace: devops
  #namespace: cert-manager
spec:
  isCA: false
  dnsNames: # dns列表
  - sreok.cn
  commonName: "*.sreok.cn"
  secretName: selfsigned-cert-tls
  duration: 876000h
  renewBefore: 8760h
  subject:
    countries:
    - China
    localities:
    - NanJing
    organizations:
    - sreok
    organizationalUnits:
    - devops
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned # 与clusterissusr对应
    kind: ClusterIssuer
    group: cert-manager.io

检查证书状态,True即可使用

ingress配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    cert-manager.io/cluster-issuer: selfsigned
spec:
  ingressClassName: nginx
  tls:
    - secretName: selfsigned-test # 证书名,与certificate一致
      hosts:
        - example.com # 证书域名
  rules:
    - host: example.com # 访问域名
      http:
        paths:
          - path: /
            #pathType: ImplementationSpecific
            pathType: Prefix
            backend:
              service:
                name: demo # 服务名
                port:
                  number: 80 # 服务的端口号 service port,非pod port

方式二:使用CA生成链式证书(复杂、安全)

创建根证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# 创建根证书
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
# 创建CA
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: devops-ca
  # 如果要根据此CA创建ClusterIssuer(集群范围)必须在cert-manager命名空间
  namespace: cert-manager
spec:
  isCA: true
  commonName: "*.sreok.cn"
  secretName: devops-selfsigned-secret
  # 100年
  duration: 876000h
  # 1年时更新
  renewBefore: 8760h
  # 证书信息
  subject:
    countries:
    - China
    localities:
    - NanJing
    organizations:
    - sreok
    organizationalUnits:
    - devops
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
    group: cert-manager.io

颁发CA证书

1
2
3
4
5
6
7
8
9
# 基于CA创建ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: devops-issuer
spec:
  ca:
    secretName: devops-selfsigned-secret

基于CA颁发TLS证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-tls
  # ingress在哪个命名空间就写哪个
  namespace: devops
spec:
  # TLS证书需要禁止CA
  isCA: false
  usages:
    - server auth
    - client auth
  # dns必须设置
  dnsNames:
  - abc.sreok.cn
  # 名称需要和域名对应或包含域名
  commonName: "*.sreok.cn"
  # 最终TLS证书
  secretName: selfsigned-cert-tls
  # 100年有效期
  duration: 876000h
  # 有效期剩1年时更新
  renewBefore: 8760h
  # 证书信息
  subject:
    countries:
    - China
    localities:
    - NanJing
    organizations:
    - sreok
    organizationalUnits:
    - harbor
  privateKey:
    algorithm: ECDSA
    size: 256
  # issuer绑定到CA证书
  issuerRef:
    name: devops-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Ingress配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: abc-ingress
spec:
  ingressClassName: nginx
  tls:
    - secretName: selfsigned-cert-tls # 证书名,与certificate一致
      hosts:
        - abc.sreok.cn # 证书域名
  rules:
    - host: abc.sreok.cn # 访问域名
      http:
        paths:
          - path: /
            #pathType: ImplementationSpecific
            pathType: Prefix
            backend:
              service:
                name: demo # 服务名
                port:
                  number: 80 # 服务的端口号 service port,非pod port

测试(Harbor平台开启TLS认证)

修改hosts文件,浏览器访问域名

系统颁发证书

Windows

复制ca.crt内容

1
echo "connect in ca.crt" | base64 -d

保存到电脑

MacOS

双击导入ca.crt

Linux

方法一:只更新TLS证书(简单)

将ca证书追加到以下文件

1
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

方法二:全部信任此证书

安装ca-certificates,一般系统是自带的

1
yum install ca-certificates

将证书放置以下目录

1
/etc/pki/ca-trust/source/anchors/

执行信任此证书

1
update-ca-trust

此操作会更新以下文件,而不是只是tls-ca-bundle.pem

1
2
3
4
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem

删除时在/etc/pki/ca-trust/source/anchors/文件中删掉对应的ca证书,重新执行update-ca-trust即可。

参考链接:SelfSigned - cert-manager Documentation