Preface

The first thing that comes to mind when you think about free SSL certificates is Let’s Encrypt, and those of you who have used it know that its certificates are valid for only three months and must be renewed after that. There are scripts on GitHub that automate the renewal. What about using the free certificates on Kubernetes? This is where cert-manager comes in.

The environment

Host name   IP              Role
mldong01    192.168.0.245   master
mldong02    192.168.0.54    node01
mldong03    192.168.0.22    node02

All three hosts are Huawei Cloud ECS instances running CentOS Linux release 7.6.1810 (Core).

What is cert-manager

Cert-manager is an open source project for cloud-native certificate management. It provides HTTPS certificates in a Kubernetes cluster and renews them automatically. It supports certificate issuers such as Let’s Encrypt (free) and HashiCorp Vault. In a Kubernetes cluster we can therefore automate HTTPS for externally exposed services by combining a Kubernetes Ingress with Let’s Encrypt.

To use HTTPS in a Kubernetes cluster you need a certificate manager, that is, a service that issues certificates automatically. HTTPS services are mainly published through an Ingress, so you also need to configure the Ingress Controller and enable HTTPS and its routing.

  • Issuer/ClusterIssuer: tells cert-manager how to issue certificates. This article mainly covers the ACME method of issuing free certificates. The only difference between ClusterIssuer and Issuer is scope: an Issuer can only issue certificates in its own namespace, while a ClusterIssuer can issue certificates for any namespace.
  • Certificate: tells cert-manager which domain names we want and the configuration required to issue the certificate, including a reference to an Issuer/ClusterIssuer.

Install cert-manager

Installation Method 1

  1. Add the Jetstack Helm repository

    helm repo add jetstack https://charts.jetstack.io

  2. Search the local repository

    helm search repo cert-manager

  3. Create a namespace

    kubectl create namespace cert-manager

  4. Start the installation

    helm install \
      cert-manager jetstack/cert-manager \
      --namespace cert-manager \
      --version v1.1.0 \
      --set installCRDs=true

    installCRDs=true installs the CRDs; without them, creating a ClusterIssuer later fails with an error.

    There may be a pitfall where the image cannot be pulled and the pod fails to be created. You can pull the images in advance on all worker nodes:

    # Note the version number; it must match the chart version
    docker pull quay.io/jetstack/cert-manager-controller:v1.1.0
    docker pull quay.io/jetstack/cert-manager-webhook:v1.1.0
    docker pull quay.io/jetstack/cert-manager-cainjector:v1.1.0

  5. View the installation

    kubectl get pods -n cert-manager -w

  6. Uninstall (on demand)

    helm uninstall cert-manager -n cert-manager

  7. Delete the namespace (on demand)

    kubectl delete ns cert-manager

Installation Method 2

  • Install cert-manager

    # Kubernetes 1.16+
    $ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

    # Kubernetes < 1.16
    $ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager-legacy.yaml

  • Install the CRDs – otherwise creating a ClusterIssuer fails

    # Kubernetes 1.15+
    $ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.crds.yaml

    # Kubernetes < 1.15
    $ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager-legacy.crds.yaml

Cert-manager use case

  1. Create a cluster-level issuing authority

    # configuration
    cat <<EOF >  cluster-issuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: [email protected]
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - http01:
            ingress:
              class: nginx
    EOF

    Description:

    • metadata.name is the name of the issuing authority we create; we will reference it when creating the certificate later
    • spec.acme.email is your own email address; when the certificate is about to expire, an email notification is sent there
    • spec.acme.server is the ACME server, here the Let’s Encrypt production directory. Let’s Encrypt rate-limits production issuance, so while testing the setup it is safer to point this at the staging directory https://acme-staging-v02.api.letsencrypt.org/directory (its certificates are not trusted by browsers) and switch to production once issuance works
    • spec.acme.privateKeySecretRef specifies which Secret the issuer’s ACME account private key is stored in; the name itself is not important
    • spec.acme.solvers.http01 indicates that the issuing authority uses the HTTP-01 challenge of the ACME protocol (DNS-01 is the alternative; the purpose of an ACME challenge is to prove that the machine and domain name belong to you before the certificate is granted)

    # Execute the issue command
    kubectl apply -f cluster-issuer.yaml
  2. Add an A record – the record value is the IP of any worker node in the cluster; here Alibaba Cloud DNS is used. The HTTP-01 challenge requires Let’s Encrypt to reach port 80 at that address, so the ingress controller must be exposed there.

  3. Create a namespace

    kubectl create ns mldong-test
  4. Create a certificate

    # configuration
    cat <<EOF >  b-cert.yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: b.mldong.com-tls
      namespace: mldong-test
    spec:
      secretName: b.mldong.com-tls
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer
      dnsNames:
      - b.mldong.com
    EOF

    Description:

    • spec.secretName is the Secret the issued certificate ends up in
    • spec.issuerRef.kind set to ClusterIssuer means the issuing authority is cluster-wide rather than namespaced
    • spec.issuerRef.name is the name of the issuing authority we created (ClusterIssuer.metadata.name)
    • spec.dnsNames lists the domain names the certificate is valid for; they must match the DNS records
  5. Open another terminal to follow the cert-manager logs

    kubectl logs -f $(kubectl get pods -n cert-manager | grep cert-manager | grep -v 'cainjector\|webhook' | awk '{print $1}') -n cert-manager

  6. You can also watch the temporary objects (a solver Ingress and Pod) that cert-manager creates specifically to validate the certificate

    kubectl get pods -n mldong-test -w

    The temporary solver pod cm-acme-http-solver-xxxx is created and, once the challenge has been validated, deleted again.

  7. Execute the issue command

    kubectl apply -f b-cert.yaml

  8. View the certificate creation result

    [root@mldong cert-manager]# kubectl get certificate -n mldong-test
    NAME               READY   SECRET             AGE
    b.mldong.com-tls   True    b.mldong.com-tls   2m27s

    The certificate has been issued when READY is True. For details, see the cert-manager log.
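Checking READY once is not enough: renewals can silently fail later. The following is an added check, not part of the original post, that reads the output of `kubectl get certificate -A -o json` and flags any Certificate that is not Ready or whose notAfter is within a warning window (cert-manager should have renewed it well before that). The embedded input is a constructed sample; the status field names (conditions, notAfter, renewalTime) are those of the cert-manager.io/v1 Certificate status.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `kubectl get certificate -A -o json`;
# the status fields follow the cert-manager.io/v1 Certificate status schema.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "mldong-test", "name": "b.mldong.com-tls"},
     "spec": {"secretName": "b.mldong.com-tls", "dnsNames": ["b.mldong.com"]},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                                "message": "Certificate is up to date and has not expired"}],
                "notAfter": "2021-04-01T10:00:00Z", "renewalTime": "2021-03-02T10:00:00Z"}},
    {"metadata": {"namespace": "mldong-test", "name": "c.mldong.com-tls"},
     "spec": {"secretName": "c.mldong.com-tls", "dnsNames": ["c.mldong.com"]},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                                "message": "Waiting for CertificateRequest to complete"}]}},
]})

def parse_time(value):
    """cert-manager writes RFC 3339 UTC timestamps such as 2021-04-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_certificates(raw_json, now, warn_days=30):
    """Return one finding per Certificate. 'ok' is False when the Ready condition is
    not True or when notAfter is within warn_days of now: cert-manager should have
    renewed by then, so a short remaining lifetime means the solver or issuer is failing."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        status = item.get("status", {})
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), {})
        is_ready = ready.get("status") == "True"
        days_left = None
        if "notAfter" in status:
            days_left = round((parse_time(status["notAfter"]) - now) / timedelta(days=1), 1)
        findings.append({
            "namespace": item["metadata"]["namespace"], "name": item["metadata"]["name"],
            "secret": item.get("spec", {}).get("secretName"),
            "ready": is_ready, "reason": ready.get("reason"), "message": ready.get("message"),
            "days_left": days_left,
            "ok": is_ready and days_left is not None and days_left > warn_days,
        })
    return findings

if __name__ == "__main__":
    # Real use: kubectl get certificate -A -o json | python3 audit_certs.py
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_certificates(raw, datetime.now(timezone.utc)):
        print("OK  " if f["ok"] else "WARN", f["namespace"], f["name"], f["reason"], f["days_left"])
```

Run it from a cron job or a monitoring hook so that a stuck renewal is noticed before the ninety days run out.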

Publish an Nginx service

An nginx chart is available in the Alibaba Cloud (aliyuncs) Helm repository, so we can search for it.

  1. Search for nginx in the local repository

    helm search repo nginx

  2. View the nginx configuration options

    helm show values aliyuncs/nginx

    See the detailed configuration instructions: https://github.com/bitnami/charts/tree/master/bitnami/nginx/

  3. Create a values.yaml configuration

    cat <<EOF >  nginx-values.yaml
    ingress:
      enabled: true
      hostname: b.mldong.com
      tls:
        - hosts:
          - b.mldong.com
          secretName: b.mldong.com-tls
    EOF

    Note that secretName must match the secretName of the certificate generated above.

  4. Install nginx

    helm install nginx aliyuncs/nginx -f nginx-values.yaml -n mldong-test

  5. View the deployment

    kubectl get svc --namespace mldong-test -w nginx

  6. We can also check the Ingress details

    kubectl get ingress nginx -o yaml -n mldong-test

  7. Access the site in a browser

  8. Delete nginx (on demand)

    helm uninstall nginx -n mldong-test

Summary

Isn’t it convenient to manage HTTPS certificates with cert-manager? Once the certificate has been created the first time, cert-manager manages it (including renewal) automatically. Here is a quick summary of the process.

  • Create a cluster-level issuer (ClusterIssuer) – required only the first time
  • Add a DNS resolution record – pointing to any worker node in the cluster
  • Generate the certificate for the resolved domain name
  • Release the application
    • Release the Pod
    • Publish the Service
    • Publish the Ingress – configure the TLS certificate here, pointing to the certificate’s Secret

Related articles

K8s Intermediate – Installing a K8S cluster using RKE

K8s Intermediate -Helm installation and Introduction

K8s Intermediate -Helm Install nfs-client-provisioner