How to configure ClusterIssuer to customize certificate duration and renewal?
I want to customize certificate duration and renewal across the whole cluster. I guess this is doable with a ClusterIssuer. Is there a way to do so?
You can specify the duration of a self-signed certificate by specifying the duration field in the Certificate CR:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example
spec:
  duration: 24h
  ...
You can control how long before the certificate expires it gets renewed using the renewBefore field:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example
spec:
  renewBefore: 12h
  ...
Details are in the documentation.
For this, you can configure it using the following two fields:
duration: 2160h # 90d
renewBefore: 360h # 15d
Things to note:
The renewBefore and duration fields must be specified using Golang's time.Time string format, which does not allow the d (days) suffix.
Example certificate:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com
  uriSANs:
  - spiffe://cluster.local/ns/sandbox/sa/example
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
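An added example, not part of either answer or of cert-manager's own code: a small Go check that parses duration and renewBefore with time.ParseDuration (assumed here to be how these fields are read), rejects values such as 90d, and reports how long after issuance renewal would start. The function names and the rule that renewBefore must be shorter than duration are this example's own assumptions; the sample values are the ones used in the answers plus constructed bad inputs.

```go
package main

import (
	"fmt"
	"time"
)

// RenewalOffset parses both fields as Go duration strings and returns
// duration - renewBefore, i.e. how long after issuance renewal would begin.
// Hypothetical helper for pre-flight checks of a Certificate manifest.
func RenewalOffset(duration, renewBefore string) (time.Duration, error) {
	d, err := time.ParseDuration(duration)
	if err != nil {
		return 0, fmt.Errorf("duration %q: %w", duration, err)
	}
	rb, err := time.ParseDuration(renewBefore)
	if err != nil {
		return 0, fmt.Errorf("renewBefore %q: %w", renewBefore, err)
	}
	if d <= 0 || rb <= 0 {
		return 0, fmt.Errorf("duration and renewBefore must be positive")
	}
	// Assumption of this example: a renewal window that is as long as the
	// certificate lifetime leaves no time in which the certificate is valid
	// and not yet due for renewal.
	if rb >= d {
		return 0, fmt.Errorf("renewBefore %s is not shorter than duration %s", rb, d)
	}
	return d - rb, nil
}

// DaysToHours renders a day count as an hours string, e.g. 90 -> "2160h".
func DaysToHours(days int) string {
	return fmt.Sprintf("%dh", days*24)
}

func main() {
	// Pairs of (duration, renewBefore); the last two are constructed bad inputs.
	cases := [][2]string{{"2160h", "360h"}, {"24h", "12h"}, {"90d", "15d"}, {"12h", "24h"}}
	for _, c := range cases {
		off, err := RenewalOffset(c[0], c[1])
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("duration=%s renewBefore=%s -> renew %s after issuance\n", c[0], c[1], off)
	}
	fmt.Println("90 days =", DaysToHours(90), "15 days =", DaysToHours(15))
}
```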