How to configure ClusterIssuer to customize certificate duration and renewal?
I want to customize certificate duration and renewal across the whole cluster. I guess doing that with ClusterIssuer is feasible. Is there a way to do so?
You can specify the duration of a self-signed certificate by specifying the duration field in the Certificate CR:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example
spec:
  duration: 24h
  ...
You can control how long before expiry the certificate is renewed using the renewBefore field:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example
spec:
  renewBefore: 12h
  ...
Details are in the documentation.
For this, you can configure it using the following two fields:
duration: 2160h # 90d
renewBefore: 360h # 15d
Things to note:
The renewBefore and duration fields must be specified using Golang's time.Time string format, which does not allow d (days).
Example certificate
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com
  uriSANs:
  - spiffe://cluster.local/ns/sandbox/sa/example
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer