2020.07.16
Cert-manager with LetsEncrypt (DNS challenge)
Cert-manager with LetsEncrypt (HTTP challenge): https://1week.tistory.com/57
1. Overview
- cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources,
such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.
- cert-manager can be used to obtain certificates from a CA using the ACME (Automated Certificate Management Environment) protocol.
The ACME protocol supports various challenge mechanisms which are used to prove ownership of a domain so that a valid certificate can be issued for that domain.
- ACME challenge mechanisms
https://medium.com/@gregoire.waymel/istio-cert-manager-lets-encrypt-demystified-c1cbed011d67
✓ HTTP
https://cert-manager.io/docs/configuration/acme/http01/
✓ DNS
https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/
https://blog.darkedges.com/2020/05/04/cert-manager-kubernetes-cloudflare-dns-update/
https://docs.cert-manager.io/en/release-0.11/tutorials/acme/dns-validation.html
- Sites for ACME debugging
https://letsdebug.net/, https://tools.letsdebug.net/cert-search, http://dnsviz.net
- cert-manager resource name
The API group changed to cert-manager.io instead of certmanager.k8s.io
ex) clusterissuers.certmanager.k8s.io -> clusterissuers.cert-manager.io
- istio document
https://archive.istio.io/v1.3/docs/tasks/traffic-management/ingress/ingress-certmgr/ <— v1.3 (Kubeflow 1.0.2)
https://istio.io/latest/docs/ops/integrations/certmanager/ <— v1.6
- Istio 1.5.8 must be used in order to apply the Istio SDS (Secure Discovery Service) feature
2. Environment
- Kubernetes v1.15.12
- Case1: Kubeflow 1.0.2 with Istio 1.3, cert-manager v0.11, Dex <- Certificate cannot be applied
Case2: Kubeflow 1.0.2 with cert-manager v0.11, Dex + istio 1.5.8 <- Certificate applied
3. Configuring ACME with CloudFlare DNS
- https://blog.darkedges.com/2020/05/04/cert-manager-kubernetes-cloudflare-dns-update/
a. Preliminary work
Go to https://dash.cloudflare.com/
Tokens can be created at User Profile > API Tokens > API Tokens. The following settings are recommended:
• Permissions:
Zone - DNS - Edit
Zone - Zone - Read
• Zone Resources:
Include - All Zones
To retrieve your API key:
Log in to the Cloudflare dashboard.
Under the My Profile dropdown, click My Profile.
Click the API tokens tab.
In the API keys section, choose Global API Key. Choose the API Key that you would like to view. ...
b. Create the Secret
API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.
Creating the secret with an API Token as recommended produced an error, so an API-Key secret was created instead.
$ vi secret-api-key.yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-key-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-key: 0117decf3c7a047a0225a6fcc46698daedb23
$ k apply -f secret-api-key.yaml
c. Create the ClusterIssuer
$ vi clusterissuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  # https://cert-manager.io/docs/configuration/acme/
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: ysjeon71@gmail.com
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-prod-secret
    server: https://acme-v02.api.letsencrypt.org/directory
    # Add a single challenge solver
    solvers:
    - dns01:
        cloudflare:
          email: user@example.com
          apiKeySecretRef:
            name: cloudflare-api-token-secret
            key: api-token
      selector:
        dnsZones:
        - '35.196.36.171.sslip.io'
        - '35-196-36-171.sslip.io'
$ k apply -f clusterissuer.yaml
$ k describe clusterissuers.cert-manager.io letsencrypt-prod | grep Status -A20
Status:
  Acme:
    Last Registered Email:  ysjeon71@gmail.com
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/90196247
  Conditions:
    Last Transition Time:  2020-07-01T04:27:08Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:  <none>
$ k get secrets -n cert-manager | egrep "NAME|letsencrypt-prod-secret"
NAME                      TYPE     DATA   AGE
letsencrypt-prod-secret   Opaque   1      6m42s
$
d. Create the Certificate
$ vi certificate.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: my-certificate
  namespace: istio-system
spec:
  secretName: istio-ingressgateway-certs
  ipAddresses:
  - 35.196.36.171
  dnsNames:
  - '35.196.36.171.sslip.io'
  - '35-196-36-171.sslip.io'
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
$ k apply -f certificate.yaml
$ k get certificates.cert-manager.io -n istio-system
…
$ k describe challenges.acme.cert-manager.io my-certificate-1863181344-3669356895-4114483673 -n istio-system | grep Status -A50
Status:
  Presented:   false
  Processing:  true
  Reason:      error instantiating cloudflare challenge solver: CloudFlare credentials missing
  State:       pending
Events:
  Type     Reason        Age                From          Message
  ----     ------        ---                ----          -------
  Normal   Started       35m                cert-manager  Challenge scheduled for processing
  Warning  PresentError  13m (x2 over 13m)  cert-manager  Error presenting challenge: error instantiating cloudflare challenge solver: CloudFlare credentials missing
$
e. Certificate creation failure
- An error occurred at the DNS challenge stage. The domain registered at https://dash.cloudflare.com/ is in pending status, so the work was not taken further.
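The solver error above says the Cloudflare credentials could not be loaded. The ClusterIssuer in step c references the Secret cloudflare-api-token-secret with key api-token, while the Secret created in step b is cloudflare-api-key-secret with key api-key, so the reference is the first thing to verify. The shell check below is an added example (not part of the original post) that compares the two manifests offline; SECRET_YAML, ISSUER_YAML, yaml_field and check_issuer_secret_ref are names chosen here, and the key value is a placeholder.

```shell
#!/bin/sh
# Added check, not from the original post: does the ClusterIssuer's apiKeySecretRef name a Secret
# and key that exist? Manifests are constructed copies of steps b and c with a placeholder key value.
SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-key-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-key: PLACEHOLDER_API_KEY'
ISSUER_YAML='apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    solvers:
    - dns01:
        cloudflare:
          email: user@example.com
          apiKeySecretRef:
            name: cloudflare-api-token-secret
            key: api-token'
# Same issuer, with the reference corrected to point at the Secret from step b.
FIXED_ISSUER_YAML=$(printf '%s\n' "$ISSUER_YAML" | sed \
  's/name: cloudflare-api-token-secret/name: cloudflare-api-key-secret/; s/key: api-token/key: api-key/')
# yaml_field <yaml> <parent> <child>: value of the first child line after parent (enough for these flat manifests).
yaml_field() {
  printf '%s\n' "$1" | awk -v p="$2:" -v c="$3:" '$1 == p {f=1; next} f && $1 == c {print $2; exit}'
}
# check_issuer_secret_ref <issuer-yaml> <secret-yaml>: 0 if name/key match the Secret, else 1 plus a diagnostic.
check_issuer_secret_ref() {
  ref_name=$(yaml_field "$1" apiKeySecretRef name)
  ref_key=$(yaml_field "$1" apiKeySecretRef key)
  sec_name=$(yaml_field "$2" metadata name)
  sec_key=$(printf '%s\n' "$2" | awk '$1 == "stringData:" {f=1; next} f {sub(":", "", $1); print $1; exit}')  # first key under stringData
  if [ "$ref_name" = "$sec_name" ] && [ "$ref_key" = "$sec_key" ]; then
    echo "OK: issuer references $sec_name/$sec_key"
    return 0
  fi
  echo "MISMATCH: issuer wants $ref_name/$ref_key but the Secret provides $sec_name/$sec_key" >&2
  return 1
}
check_issuer_secret_ref "$ISSUER_YAML" "$SECRET_YAML" || echo "(the post's manifests: the solver cannot load the key)"
check_issuer_secret_ref "$FIXED_ISSUER_YAML" "$SECRET_YAML"
```

On a live cluster the same comparison can be made against `k get secret -n cert-manager -o yaml` and `k get clusterissuer -o yaml` output, since cert-manager looks the Secret up in its own namespace for a ClusterIssuer.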