Cert-Manager Certificate Renewal process - How it is performed?


Problem description

I am using cert-manager v0.10.0, installed from its Helm chart.

I am using Kong as the ingress controller to manage the ingress operations.

So I have created a ClusterIssuer resource so that it can be contacted from an Ingress resource via the kong ingress controller.

The ClusterIssuer is this:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: username@mydomain.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: kong

The Ingress resource that I am using is this.

You can see here that I am pointing it to the ClusterIssuer created previously, and I am also pointing it to kong as the ingress controller, according to the kubernetes.io/ingress.class: "kong" annotation included there:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # letsencrypt-staging
    kubernetes.io/ingress.class: "kong"
    plugins.konghq.com: swaggerapi-customer-production-basic-auth, swaggerapi-customer-production-acl
  name: production-customer-ingress-app
  # namespace: default
spec:
  rules:
  - host: appprod.mydomain.org
    http:
      paths:
      - backend:
          serviceName: customer-production-app
          servicePort: 80
        path: /comcustomerpr
  tls: # < placing a host in the TLS config will indicate a cert should be created
  - hosts:
    - appprod.mydomain.org
    secretName: letsencrypt-prod # < cert-manager will store the created certificate in this secret.

So, when I create the Ingress resource above, the secretName referenced in my Ingress is created, and also a Certificate resource with the same name ... that is, letsencrypt-prod.

It will be the Certificate resource that receives the successful LetsEncrypt validation process ...

I got TLS encryption and everything is OK here.

But now, I want to know how the renewal process will work, because I am pretty sure that at the moment this certificate renewal process does not happen automatically ...

I was reading something here https://docs.cert-manager.io/en/latest/reference/certificates.html?highlight=renewal#certificate-duration-and-renewal-window and this documentation says that it is necessary to attach the spec.duration and spec.renewBefore attributes to the certificate resource created (kind: Certificate) in this way:

spec:
  secretName: example-tls
  duration: 24h
  renewBefore: 12h

If my certificate issued by LetsEncrypt has 90 days as its default duration, how can I specify these spec.duration and spec.renewBefore attributes?

I want to get into this concern because my main question is that I am not creating the certificate; it is created when the Ingress resource (referenced above) is executed.

How can I address the renewal process here with this approach that I am using?

Update

Do I need to create a specific kind: Certificate resource, referencing the secret that I got from LetsEncrypt?

I mean, something like this?

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: letsencrypt-prod
spec:
  secretName: letsencrypt-prod
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: kong
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

I have this doubt because currently I am not getting the certificate renewal action.

Recommended answer

Since you have used the letsencrypt-prod issuer and haven't done anything special/non-standard, the certificate renewal process will be completely automatic for you.

By default the letsencrypt certificates are valid for 90 days, and renewed automatically every 30 days. If you don't have strict requirements to use purchased certificates, or to use some other specific Certificate Authority, this is a great option to use.

If you still have doubts then you can do the following to see for yourself. First decode the current certificate secret data and inspect the certificate contents with the openssl command. You'll be able to see the certificate expiry date, so make a note of that. Now, if you subtract 59 days from that expiry date, that should give you roughly the date on which cert-manager will attempt to renew the certificate. I add an extra day just to be safe that we aren't too early. Then on that date repeat this process again: decode the certificate secret, inspect the certificate with the openssl command, and check the certificate expiry date. You'll notice the expiry date for the certificate is different than before, hence it was automatically renewed as we expected.
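The check the answer describes (decode the TLS secret, read the expiry date with openssl, subtract 59 days, re-check on that date) as an added example that is not part of the original question or answer. It parses the `kubectl get secret -o json` output and the `openssl x509 -noout -dates` output, and computes both the date cert-manager enters its renewal window and the answer's more conservative re-check date. The secret name `letsencrypt-prod` and namespace `default` mirror the question; a 30-day renewBefore window is assumed as cert-manager's default for this version; `SAMPLE_SECRET_JSON` and `SAMPLE_OPENSSL_DATES` are constructed inputs so the parsing runs offline, and `live_plan` is the only part that talks to a real cluster.

```python
"""Work out when cert-manager will renew the certificate an Ingress caused to be issued.

Added example (not the original post's code). Assumes the secret name and
namespace from the question and a 30-day default renewBefore window.
"""
import base64
import json
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)   # assumed cert-manager default renewBefore window
ANSWER_MARGIN = timedelta(days=59)  # the answer's "subtract 59 days" rule of thumb

# Constructed stand-in for `kubectl get secret letsencrypt-prod -o json`;
# the PEM body is a placeholder, not a real certificate.
SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "letsencrypt-prod", "namespace": "default"},
    "data": {
        "tls.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
        ).decode("ascii"),
    },
})

# Constructed stand-in for `openssl x509 -noout -dates` output (90-day lifetime).
SAMPLE_OPENSSL_DATES = (
    "notBefore=Oct  1 10:00:00 2019 GMT\n"
    "notAfter=Dec 30 10:00:00 2019 GMT\n"
)


def tls_crt_from_secret(secret_json: str) -> bytes:
    """Return the PEM chain stored under data["tls.crt"] of a kubernetes.io/tls secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret: %r" % secret.get("type"))
    return base64.b64decode(secret["data"]["tls.crt"])


def _parse_openssl_date(value: str) -> datetime:
    """Parse openssl's 'Oct  1 10:00:00 2019 GMT' notBefore/notAfter format as UTC."""
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_validity(openssl_dates: str):
    """Extract (notBefore, notAfter) from `openssl x509 -noout -dates` output."""
    found = {}
    for line in openssl_dates.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = _parse_openssl_date(value)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("openssl output is missing notBefore/notAfter")
    return found["notBefore"], found["notAfter"]


def renewal_plan(openssl_dates: str, renew_before: timedelta = RENEW_BEFORE) -> dict:
    """Build the renewal timeline the answer describes.

    renew_at - when cert-manager enters the renewBefore window (notAfter - renewBefore)
    check_on - the answer's conservative date to re-inspect the secret (notAfter - 59 days)
    """
    not_before, not_after = parse_validity(openssl_dates)
    return {
        "not_before": not_before,
        "not_after": not_after,
        "lifetime_days": (not_after - not_before).days,
        "renew_at": not_after - renew_before,
        "check_on": not_after - ANSWER_MARGIN,
    }


def live_plan(secret_name: str = "letsencrypt-prod", namespace: str = "default") -> dict:
    """Run the real kubectl + openssl pipeline against the cluster (needs both CLIs)."""
    raw = subprocess.run(
        ["kubectl", "get", "secret", secret_name, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    pem = tls_crt_from_secret(raw)
    dates = subprocess.run(
        ["openssl", "x509", "-noout", "-dates"],
        input=pem, check=True, capture_output=True,
    ).stdout.decode("ascii")
    return renewal_plan(dates)


if __name__ == "__main__":
    # Offline run over the constructed sample; call live_plan() for a real cluster.
    for key, value in renewal_plan(SAMPLE_OPENSSL_DATES).items():
        print("%-14s %s" % (key, value))
```

On the sample dates the certificate lives 90 days, `renew_at` lands 60 days after issuance and `check_on` one day later, which is exactly the arithmetic the answer walks through by hand; running `live_plan()` on the real `letsencrypt-prod` secret before and after that date shows the changed `not_after`. The type check on the secret guards against pointing the script at the ACME account-key secret, which in this setup shares the name `letsencrypt-prod` with the TLS secret but lives in cert-manager's namespace and has no `tls.crt`.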

Hope this helps.

