带有证书管理器的 K8s 内部 ACME 服务器,仅用于发布内部 k8s 证书-htttp 挑战问题
[英]K8s Internal ACME server with cert-manager for issuing only internal k8s certs - htttp challenge issue
问题描述
Is it possible to use cert-manager to generate a certificate for a workload only in a cluster with ACME server in one of the namespaces?
是否可以使用 cert-manager 仅在其中一个命名空间中具有 ACME 服务器的集群中为工作负载生成证书? As far I understood cert-manager tries to reach dns name via egressing the cluster and ingressing the cluster to make a http chalange, but what if I do not want to leave the cluster?据我了解,cert-manager 尝试通过退出集群和进入集群来访问 dns 名称以进行 http chalange,但是如果我不想离开集群怎么办? I do not want cert-manager to create Ingress resource.我不希望 cert-manager 创建 Ingress 资源。 Let the whole challenge takes place inside the cluster.让整个挑战发生在集群内部。
My case:我的情况:
- I've got ACME server (step-ca) inside one of my namespaces我的一个命名空间中有 ACME 服务器(step-ca)
- I need to create certificate for my POD in another namespace, eg common name "${app}.${namespace}"我需要在另一个命名空间中为我的 POD 创建证书,例如通用名称“${app}.${namespace}”
Remarks: In my case the problem is more complicated due to istio on board.备注:在我的情况下,由于板上的 istio,问题更加复杂。 For ingress traffic cert-manager works fine with internal ACME server but for egress traffic I need to go over stunnel (in each POD) to reach Squid outside and I need those certs for stunnel.对于入口流量,cert-manager 可以与内部 ACME 服务器正常工作,但对于出口流量,我需要通过 stunnel(在每个 POD 中)才能到达外面的 Squid,我需要这些证书用于 stunnel。
1 个解决方案
解决方案1
0 2021-09-25 06:09:44
The only way I came up with:我想出的唯一方法:
Each app has it's own Issuer每个应用程序都有自己的 Issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: k8s-acme-local
namespace: ${APP_NS}
spec:
acme:
email: some@email
privateKeySecretRef:
name: k8s-acme-local
server: https://${ACME_SVC}.${ACME_NS}/acme/acme/directory
solvers:
- http01:
ingress:
podTemplate:
metadata:
labels:
app: ${APP}
ingressTemplate: {}
serviceType: ClusterIP
Before creating Certificate resource I create Service to take over the traffic to ${APP}.{APP_NS}在创建证书资源之前,我创建了服务来接管到${APP}.{APP_NS}的流量
apiVersion: v1
kind: Service
metadata:
name: ${APP}
namespace: ${APP_NS}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8089
selector:
app: ${APP}
sessionAffinity: None
type: ClusterIP
And then the Certificate resource:然后是证书资源:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ${APP}
namespace: ${APP_NS}
spec:
secretName: ${APP}
issuerRef:
name: k8s-acme-local
kind: Issuer
group: cert-manager.io
commonName: ${APP}.${APP_NS}
dnsNames:
- ${APP}.${APP_NS}
Now Acme server will do the chalange over my Service not by Ingress (and cer-manager service) which stays unused.现在 Acme 服务器将对我的服务进行挑战,而不是通过保持未使用的 Ingress(和 cer-manager 服务)。 I don't like it but it works.我不喜欢它,但它有效。 This method has one critical drawback.这种方法有一个严重的缺点。 Everyone in the cluster can do it and impersonate any existing or not existing app.集群中的每个人都可以这样做并模拟任何现有或不存在的应用程序。 I'm looking forward your opinions and tips.我期待您的意见和建议。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.