
Is it possible to use a wildcard certificate generated via cert-manager (Let's Encrypt) in multiple K8S clusters

I would be using different subdomains for different services, but those services would reside in different K8S clusters. I would like to know if I can just copy the wildcard certificate across the clusters. Also, if there is a similar example somewhere please link me to it. Any help would be appreciated.

So there is no native handling of multiple clusters in cert-manager.

That said, there is nothing to stop you copying across the resulting 'Secret' resource between clusters, either manually or automatically.

The 'kubed' project (by appscode) has support for syncing Secrets between clusters: https://github.com/appscode/kubed . Full information can be found on their website: https://appscode.com/products/kubed/0.8.0/guides/config-syncer/inter-cluster/

I hope this helps!
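The answer above leaves the "manually or automatically" part open. The script below is an added example, not code from the answers or from the kubed project, showing a minimal manual copy with kubectl: it reads tls.crt and tls.key from the cert-manager-issued Secret in the source cluster, rebuilds a plain kubernetes.io/tls Secret without the source object's uid, resourceVersion, ownerReferences or cert-manager annotations (so the target cluster's cert-manager does not try to manage it), and refuses to copy an empty, undecodable or already expired certificate. The kube contexts "src" and "dst", the namespace "default" and the Secret name "tls-secret" are hypothetical; the expiry check assumes openssl and GNU date are installed.

```shell
#!/bin/sh
# Added example (not from the original answers): copy a cert-manager-issued
# kubernetes.io/tls Secret from one cluster to another with kubectl.
# Hypothetical names: contexts "src" and "dst", namespace "default",
# Secret "tls-secret". Requires kubectl; cert_days_left needs openssl and
# GNU date (the -d option).

# Render a minimal Secret manifest from base64-encoded cert chain and key.
# Only tls.crt and tls.key are carried over: the source object's metadata
# (uid, resourceVersion, ownerReferences, cert-manager annotations) is dropped
# on purpose so the target cluster treats this as an unmanaged, plain Secret.
render_tls_secret() {
  name=$1; namespace=$2; crt_b64=$3; key_b64=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
  annotations:
    example.invalid/copied-tls: "true"
type: kubernetes.io/tls
data:
  tls.crt: ${crt_b64}
  tls.key: ${key_b64}
EOF
}

# Succeed only when both blobs are non-empty and are valid base64.
tls_data_ok() {
  crt_b64=$1; key_b64=$2
  [ -n "$crt_b64" ] && [ -n "$key_b64" ] || return 1
  printf '%s' "$crt_b64" | base64 -d >/dev/null 2>&1 || return 1
  printf '%s' "$key_b64" | base64 -d >/dev/null 2>&1 || return 1
  return 0
}

# Print the number of days until the leaf certificate expires, or -1 (and
# return 1) when the certificate cannot be parsed, so a broken Secret is
# never propagated to other clusters.
cert_days_left() {
  crt_b64=$1
  end=$(printf '%s' "$crt_b64" | base64 -d 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$end" ] || { echo -1; return 1; }
  end_s=$(date -u -d "$end" +%s 2>/dev/null) || { echo -1; return 1; }
  echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# Read tls.crt/tls.key from the source context and apply a fresh Secret to the
# target context. The jsonpath escapes the dot in the data key names.
copy_tls_secret() {
  src_ctx=$1; dst_ctx=$2; ns=$3; name=$4
  crt=$(kubectl --context "$src_ctx" -n "$ns" get secret "$name" -o 'jsonpath={.data.tls\.crt}')
  key=$(kubectl --context "$src_ctx" -n "$ns" get secret "$name" -o 'jsonpath={.data.tls\.key}')
  tls_data_ok "$crt" "$key" || { echo "$name: missing or invalid tls.crt/tls.key" >&2; return 1; }
  days=$(cert_days_left "$crt")
  [ "$days" -gt 0 ] || { echo "$name: certificate expired or unreadable" >&2; return 1; }
  render_tls_secret "$name" "$ns" "$crt" "$key" | kubectl --context "$dst_ctx" apply -f -
}

# Usage (uncomment to run against real clusters):
# copy_tls_secret src dst default tls-secret
```

The copy is a point-in-time snapshot: when cert-manager in the source cluster renews the certificate it rewrites only the source Secret, so the copy has to be re-run after each renewal (or handed to a syncer such as kubed), and the private key now exists in every target cluster, so RBAC on that Secret should be scoped to the Ingress controller or workload that actually terminates TLS.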

I know I am a bit late to the party, but writing an answer might be helpful to someone.

For a wildcard cert the DNS-01 method is required, and it needs auth. You can use any DNS as per your use case, or whichever you are using.

Note: You might need to first add the CAA record in your DNS.

A CAA record can be added to the DNS zone.

Example:

            Type   Value
devops.in   CAA    0 issuewild "letsencrypt.org"

Get your record details from: https://sslmate.com/caa/

First we have to create the secret for storing the access key using the command:

kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"

Here is the example issuer.yaml:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
          - "devops.in"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          # route53-secret (created above) must live in the same namespace
          # as this Issuer, since Issuer is a namespaced resource
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
---
# same API version as the Issuer above; the older v1alpha2 API this
# Certificate originally used is no longer served by current cert-manager releases
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: le-crt
spec:
  # cert-manager writes tls.crt and tls.key into this Secret
  secretName: tls-secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
    - "*.devops.in"

Also make sure your user has the necessary permissions to manage Route53:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
