
cert-manager


Installation

helm repo add jetstack https://charts.jetstack.io \
&& helm repo update
mkdir -p cert-manager/cert-manager/base
helm search repo cert-manager -l
helm show values jetstack/cert-manager \
--version v1.6.1 \
> cert-manager/cert-manager/base/values.yaml
cert-manager/cert-manager/base/values.yaml
# ...

installCRDs: true
# ...
helm upgrade cert-manager jetstack/cert-manager \
--install \
--version v1.6.1 \
-f cert-manager/cert-manager/base/values.yaml
helm get manifest cert-manager \
> cert-manager/cert-manager/base/manifest.yaml
kubectl get pod -l app.kubernetes.io/instance=cert-manager -w

selfSigned

Let's Encrypt

HTTP-01 challenge

When validation starts, the CA issues a <token>. You prove control of the web server by serving the key authorization (the <token>, a '.', and the RFC 7638 thumbprint of your ACME account key) at http://<domain>/.well-known/acme-challenge/<token>; once the CA has fetched it, the certificate is issued. The CA always makes the initial request to port 80 (Let's Encrypt follows redirects, including to HTTPS on 443, but you cannot pick another port), and wildcard names (*.<domain>) cannot be validated with HTTP-01.

DNS-01 challenge

When validation starts, the CA issues a <token>. You prove control of the zone by publishing a TXT record at _acme-challenge.<domain> whose value is the base64url-encoded SHA-256 digest of the key authorization (token plus account key thumbprint); the CA looks the record up and issues the certificate. This works best when the DNS provider exposes an API so the record can be added and removed automatically, which is what cert-manager's dns01 solvers do. Old _acme-challenge TXT records should be deleted so stale values do not accumulate in the zone.
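As an added example, not taken from the original page or from cert-manager itself, the following POSIX shell functions compute the two challenge responses described above for both HTTP-01 and DNS-01, so you can compare what cert-manager published with what the CA will see. Assumptions: `openssl` or coreutils `sha256sum` plus `base64` are installed; `THUMBPRINT` stands for the RFC 7638 JWK thumbprint of your ACME account key (the key cert-manager stores in the Secret named by `privateKeySecretRef`); the token and thumbprint values are constructed samples; `http01_check` and `dns01_check` need `curl`/`dig` and network access and run only when called explicitly.

```shell
#!/bin/sh
# Added example (not from the original page or from cert-manager): compute the
# ACME challenge responses of RFC 8555 section 8 for a given token and account
# key thumbprint, and optionally check what the CA would actually observe.

# base64url without padding (RFC 4648 section 5) over the SHA-256 of $1.
# Uses openssl when present, otherwise sha256sum with a hex-to-binary loop.
sha256_b64url() {
  if command -v openssl >/dev/null 2>&1; then
    printf '%s' "$1" | openssl dgst -sha256 -binary
  else
    hex=$(printf '%s' "$1" | sha256sum | cut -c1-64)
    while [ -n "$hex" ]; do
      # emit one byte from each hex pair via an octal escape (portable printf)
      printf "\\$(printf '%o' "0x$(printf '%s' "$hex" | cut -c1-2)")"
      hex=${hex#??}
    done
  fi | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Key authorization: <token>.<account key thumbprint>
key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# HTTP-01: the body served at this URL must be the key authorization itself.
http01_url() {   # http01_url <domain> <token>
  printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# DNS-01: the TXT value at _acme-challenge.<domain> is the base64url SHA-256
# digest of the key authorization.
dns01_txt_value() {   # dns01_txt_value <token> <thumbprint>
  sha256_b64url "$(key_authorization "$1" "$2")"
}

# Live checks against what the CA would see (network access required).
http01_check() {   # http01_check <domain> <token> <thumbprint>
  expected="$(key_authorization "$2" "$3")"
  got="$(curl -fsS "$(http01_url "$1" "$2")")" || return 1
  [ "$got" = "$expected" ]
}
dns01_check() {    # dns01_check <domain> <token> <thumbprint>
  expected="$(dns01_txt_value "$2" "$3")"
  dig +short TXT "_acme-challenge.$1" | tr -d '"' | grep -qx "$expected"
}

# Constructed sample inputs (assumption: not real values from any CA).
TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT="9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
echo "key authorization: $(key_authorization "$TOKEN" "$THUMBPRINT")"
echo "HTTP-01 URL:       $(http01_url example.com "$TOKEN")"
echo "DNS-01 TXT value:  $(dns01_txt_value "$TOKEN" "$THUMBPRINT")"
```

Run the two `*_check` functions with your real domain, token and thumbprint (the token is visible in the Challenge resource's spec) to see whether the failure is on the publishing side or on DNS propagation.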

Cloudflare

Cloudflare can be used with either an API token or the global API key; only the API token method is tested here (a token can be scoped to a single zone, unlike the global key).

Under My Profile -> API Tokens -> Create Token, create a token from the Edit zone DNS template. As an example, it was configured as follows.

  • Permissions
    • Zone, DNS, Edit
    • Zone, Zone, Read
  • Zone
    • Include, Specific zone, <domain>
  • Client IP Address Filtering
    • None
  • TTL
    • None

μƒμ„±ν•˜λ©΄ 토큰과 ν•¨κ»˜ ν…ŒμŠ€νŠΈ μ½”λ“œλ₯Ό μ€λ‹ˆλ‹€.

mkdir -p letsencrypt/base
letsencrypt/base/cloudflare-api-token-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: # namespace cert-manager runs in: a ClusterIssuer reads Secrets only from the cluster resource namespace
type: Opaque
stringData:
  api-token: # token
letsencrypt/base/letsencrypt-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: # email
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
        - # "domain"
      dns01:
        cloudflare:
          email: # cloudflare email (only required with apiKeySecretRef; optional with an API token)
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
letsencrypt/base/ingress-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  dnsNames:
  - # "*.sub.domain"
  - # "sub.domain"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
letsencrypt/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cloudflare-api-token-secret.yaml
- letsencrypt-prod.yaml
- ingress-cert.yaml
letsencrypt
└── base/
    ├── cloudflare-api-token-secret.yaml
    ├── ingress-cert.yaml
    ├── kustomization.yaml
    └── letsencrypt-prod.yaml
kustomize build letsencrypt/base | kubectl apply -f -

Validation starts as soon as the Certificate is created.

kubectl describe clusterissuers.cert-manager.io letsencrypt-prod
kubectl get certificates.cert-manager.io -n istio-system ingress-cert
warning

이 λ‹€μŒ μˆœμ„œλŠ” 인증에 μ‹€νŒ¨λ₯Ό ν•˜λŠ” 경우 체크 ν•΄λ³Ό 수 μžˆλŠ” μ ˆμ°¨μž…λ‹ˆλ‹€. 무쑰건 싀행해보기 보단 Status, Eventsλ₯Ό 잘 μ½μ–΄λ³΄λ©΄μ„œ μ μ ˆν•œ λͺ…λ Ήμ–΄λ₯Ό μ‹€ν–‰μ‹œμΌœμ„œ 디버깅 ν•΄μ•Όν•©λ‹ˆλ‹€.

kubectl describe certificates.cert-manager.io -n istio-system ingress-cert
kubectl describe certificaterequests.cert-manager.io -n istio-system <name>
kubectl logs cert-manager-

Reference