Move cert-manager certificate to another Kubernetes cluster
I'm in the process of moving web services from one Kubernetes cluster to another. The goal is to do that without service interruption.
This is difficult with cert-manager and HTTP challenges, because cert-manager on the new cluster can only retrieve a certificate once the DNS entry points to that cluster. However, if I switch the DNS entry to the new cluster, clients will potentially talk to the new cluster before a valid certificate has been generated. This is like a chicken-and-egg problem.
How do I move the cert-manager certificates to the new cluster, so that it already has the certs once I make the DNS switch?
Certificates are stored in Kubernetes secrets. Cert-manager will pick up existing secrets instead of creating new ones, if the secret matches the ingress object.
So assuming that the ingress object looks the same on both clusters, and that the same namespace is used, copying the secret is as simple as this:
kubectl --context OLD_CLUSTER -n NAMESPACE get secret SECRET_NAME --output yaml \
| kubectl --context NEW_CLUSTER -n NAMESPACE apply -f -
Replace:
- OLD_CLUSTER and NEW_CLUSTER with the kubectl context names of the respective clusters (see kubectl config get-contexts).
- SECRET_NAME with the name of the secret where the certificate is stored. This name can be found in the ingress.
- NAMESPACE with the actual namespace that you're using.
The command simply exports the secret in YAML format, and then uses kubectl apply -f to create the same resource in the new cluster.
Once the ingress is in place on the new cluster, you can verify that the cert works by using openssl s_client:
openssl s_client -connect CLUSTER_IP:443 -servername SERVICE_DNS_NAME
Again, replace CLUSTER_IP and SERVICE_DNS_NAME accordingly.
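The exported secret also carries fields the source API server owns (uid, resourceVersion, creationTimestamp, managedFields) that do not belong on the destination cluster, and it contains the private key, so it is worth checking what you are about to apply. The following added example (not part of the original answer) is a stdlib-only Python filter meant to sit between the two kubectl commands when the secret is exported with `-o json` instead of YAML: it confirms the object is a `kubernetes.io/tls` secret with PEM-encoded `tls.crt` and `tls.key`, strips the source-cluster metadata, and keeps the name, namespace, labels and `cert-manager.io/*` annotations. The sample secret and its PEM bodies are constructed dummies.

```python
import base64
import json
import sys

# Fields owned by the source API server; they have no meaning on the destination cluster.
CLUSTER_SPECIFIC_METADATA = ("uid", "resourceVersion", "creationTimestamp",
                             "managedFields", "selfLink", "generation")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def sanitize_tls_secret(secret: dict) -> dict:
    """Validate an exported kubernetes.io/tls Secret and drop source-cluster metadata."""
    if secret.get("kind") != "Secret" or secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    data = secret.get("data") or {}
    for key, marker in (("tls.crt", b"-----BEGIN CERTIFICATE-----"), ("tls.key", b"-----BEGIN ")):
        if key not in data:
            raise ValueError(f"secret is missing data.{key}")
        if not base64.b64decode(data[key]).lstrip().startswith(marker):
            raise ValueError(f"data.{key} is not PEM encoded")
    meta = secret["metadata"]
    clean_meta = {k: v for k, v in meta.items() if k not in CLUSTER_SPECIFIC_METADATA}
    # Keep labels and annotations: cert-manager marks the secrets it manages with
    # cert-manager.io/* annotations. Only kubectl's own bookkeeping annotation is dropped.
    annotations = dict(meta.get("annotations") or {})
    annotations.pop(LAST_APPLIED, None)
    clean_meta.pop("annotations", None)
    if annotations:
        clean_meta["annotations"] = annotations
    return {"apiVersion": secret.get("apiVersion", "v1"), "kind": "Secret",
            "type": secret["type"], "metadata": clean_meta, "data": data}

# Constructed sample shaped like `kubectl get secret -o json` output; PEM bodies are dummies.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {
        "name": "example-tls", "namespace": "web", "resourceVersion": "12345",
        "uid": "00000000-0000-0000-0000-000000000000", "managedFields": [],
        "creationTimestamp": "2020-01-01T00:00:00Z",
        "annotations": {"cert-manager.io/certificate-name": "example-tls",
                        "cert-manager.io/issuer-name": "letsencrypt-prod", LAST_APPLIED: "{}"},
    },
    "data": {
        "tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n").decode(),
        "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n").decode(),
    },
}

if __name__ == "__main__":
    json.dump(sanitize_tls_secret(json.load(sys.stdin)), sys.stdout, indent=2)
```

Used as a filter: `kubectl --context OLD_CLUSTER -n NAMESPACE get secret SECRET_NAME -o json | python3 sanitize.py | kubectl --context NEW_CLUSTER -n NAMESPACE apply -f -` (file name assumed).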