- Use cert-manager to issue free Let's Encrypt certificates, which are valid for 3 months
- Use renewCertificate to check each certificate's expiry date; when fewer than 3 days remain, renew the certificate
```shell
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install \
    cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --version v0.15.0 \
    --set installCRDs=true
```
If you're using the static manifests, you need to edit the cert-manager Deployment with `kubectl -n cert-manager edit deploy cert-manager` and extend its args to include `--feature-gates=ExperimentalCertificateControllers=true`:

```yaml
containers:
- args:
  - --v=2
  - --cluster-resource-namespace=$(POD_NAMESPACE)
  - --leader-election-namespace=kube-system
  - --feature-gates=ExperimentalCertificateControllers=true
```
```shell
$ kubectl create -f letsencrypt-prod.yaml
```
- letsencrypt-prod.yaml

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <your email>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
```
- Configure the `cert-manager.io/cluster-issuer` annotation on the Ingress

```yaml
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
```
- Configure the Ingress `tls` section (one entry per domain; cert-manager stores each issued certificate in the named Secret)

```yaml
tls:
- hosts:
  - <your domain 1>
  secretName: <your secret 1>
- hosts:
  - <your domain 2>
  secretName: <your secret 2>
```
```shell
$ kubectl create sa renew-cert
$ kubectl create clusterrolebinding renew-cert \
    --clusterrole=cluster-admin \
    --serviceaccount=cert-manager:renew-cert
```
The binding names the service account in the `cert-manager` namespace, so the `renew-cert` service account and the CronJob below must be created there. Note that `cluster-admin` gives the job full control of the cluster; a Role scoped to the Certificates and Secrets the job actually touches is the least-privilege choice.
Separate multiple Certificate names with commas.

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: renew-cert
spec:
  schedule: "0 0 * * *"
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccount: renew-cert
          containers:
          - name: renew-cert
            image: harbor.wise-paas.com/library/renewcertificate:v0.0.6
            imagePullPolicy: IfNotPresent #Always
            command: ["/renewCertificate"]
            args: ["--namespace=harbor", "--certificate=harbor-cert,notary-cert"]
          restartPolicy: OnFailure
```

```shell
$ kubectl create -f cronjob-renew-cert.yaml
```
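As an added example (not code from this page or from the renewCertificate image), here is the expiry check the CronJob relies on, written in Go against the standard library: it parses the `tls.crt` of a `kubernetes.io/tls` Secret and applies the 3-day rule, including the already-expired case. The function names `NeedsRenewal` and `selfSignedPEM` are my own, and the certificate is constructed inline so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RenewBefore is the job's rule from above: fewer than 3 days left means renew.
const RenewBefore = 3 * 24 * time.Hour

// NeedsRenewal parses the first PEM certificate (the tls.crt key of a kubernetes.io/tls
// Secret) and reports whether it expires within RenewBefore of now (or already has).
func NeedsRenewal(certPEM []byte, now time.Time) (bool, time.Time, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, time.Time{}, fmt.Errorf("tls.crt holds no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, time.Time{}, err
	}
	return cert.NotAfter.Sub(now) < RenewBefore, cert.NotAfter, nil
}

// selfSignedPEM is a constructed, throwaway 90-day certificate ending at notAfter (a stand-in for the Let's Encrypt one).
func selfSignedPEM(notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	for _, left := range []time.Duration{60 * 24 * time.Hour, 48 * time.Hour} {
		renew, exp, _ := NeedsRenewal(selfSignedPEM(now.Add(left)), now)
		fmt.Printf("expires %s renew=%v\n", exp.Format(time.RFC3339), renew)
	}
}
```

In the real job the PEM would come from `kubectl get secret <your secret 1> -o jsonpath='{.data.tls\.crt}' | base64 -d` rather than from the constructed helper.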
- Let's Encrypt rate limits: https://letsencrypt.org/docs/rate-limits/