[Other] Managing Let's Encrypt certificates in Kubernetes with kube-cert-manager

流年似水 posted on 2016-10-7 19:28:49
Kubernetes provides a way of scheduling and managing resources such as containers, storage and load balancers in a highly automated and easy fashion. It’s a prime example of Infrastructure as Code.
  Let’s Encrypt, through its use of the ACME protocol, provides a simple and automatic way of obtaining TLS certificates that are trusted by all major browser vendors, completely for free.
  In a lot of scenarios it makes sense to combine Kubernetes and Let’s Encrypt so that you never have to create or renew certificates by hand again. This is where kube-cert-manager comes into play: it offers an ACME client that is integrated with Kubernetes, requesting, renewing and deleting certificates as needed.
  Features

  kube-cert-manager provides numerous features that make managing Let’s Encrypt certificates a breeze.
  The most obvious feature is, of course, requesting certificates. It can be instructed to do so in two different ways. The first, slightly more manual way, is by creating a Certificate resource. This resource encapsulates all the necessary information, such as the domain name. When kube-cert-manager sees such a resource, it talks to Let’s Encrypt, requests a certificate, and upon success creates a new Kubernetes Secret to store the certificate in. At this point, you can use the secret in any way you usually would, most likely by mounting it into a container so that a web server or similar can use the certificate.
  The more automatic way hooks into Kubernetes Ingress objects. Ingress objects describe external load balancers and URL routing rules. Part of their job is terminating TLS connections. For this, the user can specify a list of hosts and Secret names that should contain the certificates. If you apply the right annotations to the Ingress resource, kube-cert-manager will pick them up and automatically populate the secrets with certificates.
  Requesting certificates from Let’s Encrypt requires completing a challenge-response protocol to prove that one is in control of the domain. kube-cert-manager, via the use of lego, supports both HTTP-based and DNS-based challenges. For the DNS challenge, it supports over a dozen DNS providers, such as Google Cloud DNS or Digital Ocean.
  Of course, requesting certificates is only half the job: they also need to be renewed regularly, and kube-cert-manager does this automatically for you. If your load balancer or services can detect file changes and reload certificates, you won’t need to do anything. For Go programs, there is kube-cert-http. For other software you will have to write your own adapters and reload logic, but that should be relatively simple.
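The reload logic for software that does not watch its certificate files is left to the reader above. The following is an added example, not code from this post or from the kube-cert-manager or kube-cert-http projects: a small Go HTTPS server that hands every TLS handshake whichever certificate is currently in the mounted Secret, using tls.Config's GetCertificate hook and a modification-time check. The file paths under /etc/tls/psg.io (taken from the volume mount used later in the post), the listening port and the SelfSignedPEM helper (which only exists so the code can be exercised without a cluster) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"net/http"
	"os"
	"sync"
	"time"
)

// CertReloader hands the certificate currently on disk to each TLS handshake and
// re-reads the pair whenever tls.crt gets a newer mtime. Kubernetes updates a Secret
// volume by writing fresh files and swapping one symlink, so os.Stat (which follows
// symlinks) reports a new mtime on both files after every renewal.
type CertReloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	lastMod           time.Time
}

// NewCertReloader loads the pair once so startup fails loudly on a broken Secret.
func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	if _, err := r.Reload(true); err != nil {
		return nil, err
	}
	return r, nil
}

// Reload re-reads the pair when tls.crt is newer than the loaded copy (always when
// force is set) and reports whether it did. Both files are parsed before the write
// lock is taken, so a torn or mismatched pair never replaces the certificate in use.
func (r *CertReloader) Reload(force bool) (bool, error) {
	fi, err := os.Stat(r.certPath)
	if err != nil {
		return false, err
	}
	r.mu.RLock()
	stale := force || fi.ModTime().After(r.lastMod)
	r.mu.RUnlock()
	if !stale {
		return false, nil
	}
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return false, err
	}
	r.mu.Lock()
	r.cert, r.lastMod = &cert, fi.ModTime()
	r.mu.Unlock()
	return true, nil
}

// GetCertificate is the tls.Config hook. A failed reload is logged and the previous
// certificate keeps being served, so a bad renewal cannot take the site down.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if _, err := r.Reload(false); err != nil {
		log.Printf("certificate reload failed, keeping previous certificate: %v", err)
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// SelfSignedPEM returns a constructed self-signed certificate and key for cn. It stands
// in for the files kube-cert-manager would put in the Secret so the reloader can be
// exercised without a cluster; it is not a Let's Encrypt certificate.
func SelfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// Paths match the volumeMount in the post's container example (assumed deployment).
	r, err := NewCertReloader("/etc/tls/psg.io/tls.crt", "/etc/tls/psg.io/tls.key")
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: &tls.Config{GetCertificate: r.GetCertificate, MinVersion: tls.VersionTLS12}}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: GetCertificate supplies the certificate
}
```

Two points worth knowing when wiring this up: the stat-on-handshake check is cheap, but a Secret mounted with subPath does not receive updates at all, so the volume must be mounted as a directory as in the post's example; and because Reload parses both files before swapping, a renewal that lands with a mismatched or truncated key is logged and ignored rather than breaking new connections.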
  kube-cert-manager will also delete old, unused certificates, but that goes without saying.
  Installation

  The project comes with detailed documentation on installation and deployment. I will refrain from copying and pasting it here.
  Examples

  The following examples are supposed to give you a feel for what it is like working with kube-cert-manager. Check the official documentation for a full reference of the resource formats.
  Certificate objects

  The first example demonstrates the use of Certificate objects. These are standalone resources that specify a certificate and cause kube-cert-manager to request a certificate and store it in a secret. The secret will exist for as long as the Certificate object exists.
    apiVersion: "stable.k8s.psg.io/v1"
    kind: "Certificate"
    metadata:
      name: "psg-dot-io"
    spec:
      domain: "psg.io"
      email: "[email protected]"
      provider: "googlecloud"
A secret that is created this way can be used like any other secret, for example by mounting it into a container, like in the following example:
    spec:
      containers:
      - name: my-app
        image: ...
        args:
          - "-tls-cert=/etc/tls/psg.io/tls.crt"
          - "-tls-key=/etc/tls/psg.io/tls.key"
        volumeMounts:
          - name: psg-io
            mountPath: /etc/tls/psg.io
      volumes:
        - name: psg-io
          secret:
            secretName: psg.io
Ingress objects

  The next example demonstrates the use of Ingress resources. kube-cert-manager will automatically extract the domain names and secret names from Ingress resources and populate the secrets with certificates.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress
      annotations:
        stable.k8s.psg.io/kcm.enabled: "true"
        stable.k8s.psg.io/kcm.provider: "googlecloud"
        stable.k8s.psg.io/kcm.email: "[email protected]"
    spec:
      tls:
      - hosts:
        - psg.io
        secretName: hello-secret
      rules:
      - host: "psg.io"
        http:
          paths:
          - path: /hello-world
            backend:
              serviceName: helloworld
              servicePort: 80
Given this example, the load balancer created by an Ingress controller will terminate TLS connections using a Let’s Encrypt certificate that is stored in the secret named hello-secret.
  Summary

  Kubernetes automates infrastructure, Let’s Encrypt automates certificates, and kube-cert-manager is the beautiful marriage of the two. It can be added to an existing Kubernetes setup without much effort and is definitely worth checking out.

翠梅 posted on 2016-10-8 09:19:22
If you are alive, you will die sooner or later; if you die, you live forever.

夏烟 posted on 2016-10-8 12:28:31
流年似水 writes well!

筠如 posted on 2016-10-8 21:58:54
It would be too willful not to reply.

gouzhiguo posted on 2016-10-22 17:01:46
What is up with this Saturday?
