cert-manger vault K8S 证书管理

使用cert-manager和hashicorp vault 来管理集群的内部自签名SSL

前半部分会介绍一些原理性的内容，后半部分是环境中的实际应用。

正常的自签名证书流程如下：

 

使用cert-manager签名的证书流程

cert-manager 资源类型：
    ClusterIssuer: defined CAs that are able to signed certificate , that is ready condition for cert-manager
    cert-manager controller: handle certificate request and generate the secret corresponding to the certificate   
    certificate: define a desired X.509 certificate(tls.crt and tls.key) which will be renewed and kept up to date that is issued by cluster issuer.
    ca-injector: are used to configure how the Kubernetes API server connects to webhooks
    webhook: cert-manager makes use of extending the Kubernetes API server using a Webhook server to provide dynamic admission control over cert-manager resources

　　

 

根据官方文档解释： https://cert-manager.io/docs/concepts/certificate/#certificate-lifecycle

lifecycle解释了K8S内部证书到期是怎么进行renew的，下面的是我从官网粘贴出来的

 

 以上为一些原理性知识，下面是环境中实际使用的cert-manager和vault结合的案例

职责分配：

1. 使用hashicorp vault 作为签证书的issuer

2. 使用cer-manager部署在K8S集群中来定期监控证书有效期，状态，以及去vault进行签名

 

定义cluster issuer:

vmadmin@jumpbox:~$ kubectl get clusterissuer -n cert-manager
NAME           AGE
vault-issuer   512d

vmadmin@jumpbox:~$ kubectl get clusterissuer vault-issuer -n cert-manager -o yaml

apiVersion: certmanager.k8s.io/v1alpha1

kind: ClusterIssuer

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: |

      {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"vault-issuer"},"spec":{"vault":{"auth":{"appRole":{"path":"approle","roleId":"64c3666d-7c2c-a689-753a-33891b3dfbd5","secretRef":{"key":"secretId","name":"cert-manager-vault-secret"}},"tokenSecretRef":{"name":""}},"caBundle":"LS0tLSo=","path":"pki_int/sign/12331","server":"https://vault.com.cn:8206"}}} 

  creationTimestamp: "2020-08-25T07:39:20Z" #server是vault的地址，在部署cert-manager之前，你需要现有一个vault server ，vault会提供一个pki系统来签证书

  generation: 3

  name: vault-issuer

  resourceVersion: "19875"

  selfLink: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/vault-issuer

  uid: 90f5e84a-e337-4fcd-9deb-f8811131fb0f

spec:

  vault:

    auth:

      appRole:

        path: approle

        roleId: 64c3666d-7c2c-a689-753a-33891b3dfbd5

        secretRef:

          key: secretId

          name: cert-manager-vault-secret

      tokenSecretRef:

        name: ""

    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR

    path: pki_int/sign/12331

    server: https://vault.com.cn:8206

status:

  conditions:

  - lastTransitionTime: "2020-08-25T08:14:25Z"

    message: Vault verified

    reason: VaultVerified

    status: "True"

    type: Ready

 

#certificate 定义了哪些secret需要被更新，其中包含一些配置下面的注释中会介绍

vmadmin@umpbox:~$ kubectl get certificate

NAME         READY   SECRET       AGE

abba         True    abba         39d

abba        True    abba          39d

 

vmadmin@umpbox:~$ kubectl get certificate tprt -o yaml

apiVersion: certmanager.k8s.io/v1alpha1

kind: Certificate

metadata:

  creationTimestamp: "2021-04-27T02:50:22Z"

  generation: 8

  name: tprt   #定义这个cert的名字

  namespace: default

  resourceVersion: "206213505"

  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/tprt-87701-portal-val-tprt-service.nazgul.app

  uid: 01b7a632-79cc-4c07-b5b8-1211fe7c512d

spec:

  dnsNames:

  - tprt.com.cn #定义你想要生成出来的CN是什么 比如baidu.com也可以

  issuerRef:

    kind: ClusterIssuer #类型为cluster issuer ，这样可以不用区分namespace

    name: vault-issuer #这个是cluster issuer的名字

  keySize: 4096

  secretName: tprt-secret #生成出来的secret叫什么

status:

  conditions:

  - lastTransitionTime: "2021-06-23T03:23:56Z"

    message: Certificate is up to date and has not expired

    reason: Ready

    status: "True"

    type: Ready

  notAfter: "2022-03-20T03:24:02Z"

 

vmadmin@app-corebe-jumpbox:~$ kubectl get secret tprt-secret

NAME        TYPE                DATA   AGE

tprt-secret   kubernetes.io/tls   3      211d

 

　　

 至此，哪个pod需要绑定这个secret，就可以在deployment中进行配置。