weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
55e96e1c09
cert-manager/README.md
James Munnelly 55e96e1c09 Add high level overview diagram
2017-09-04 15:52:37 +01:00

244 lines
10 KiB
Markdown
Raw Blame History

# cert-manager [![Build Status](https://travis-ci.org/jetstack-experimental/cert-manager.svg?branch=master)](https://travis-ci.org/jetstack-experimental/cert-manager)
cert-manager is a Kubernetes addon to automate the management and issuance of
TLS certificates from various issuing sources.
It will ensure certificates are valid and up to date periodically, and attempt
to renew certificates at an appropriate time before expiry.
It is loosely based upon the work of [kube-lego](https://github.com/jetstack/kube-lego)
and has borrowed some wisdom from other similar projects e.g.
[kube-cert-manager](https://github.com/PalmStoneGames/kube-cert-manager).
![cert-manager high level overview diagram](/docs/high-level-overview.png)
## Current status
This project is still heavily under development and is not ready for use
**yet**. However, if you want to experiment, please do try running the current
development build and reporting any issues you run into.
## Quickstart
> Prebuilt images for cert-manager are made available on Dockerhub.
This guide sets up cert-manager to run as a Deployment on your Kubernetes
cluster.
It will then go on to set up the [Let's Encrypt ACME staging server](https://letsencrypt.org/docs/staging-environment/)
as a Certificate issuer, and request a Certificate for a domain you control
using both the HTTP01 and DNS01 challenge mechanisms.
By default, it will be configured to fulfil Certificate resources in all
namespaces.
### 0. Pre-requisites
* Kubernetes cluster with CustomResourceDefinitions or ThirdPartyResource
support
cert-manager uses custom resources/third party resources to represent
Certificates and Issuers. In order for cert-manager to do this, we must
register our custom API types with the Kubernetes API server. How we do this
varies slightly from Kubernetes 1.7 onwards:
#### Kubernetes 1.7 and later
Kubernetes 1.7 introduced [CustomResourceDefinitions](https://kubernetes.io/docs/concepts/api-extension/custom-resources/).
A pre-made CRD for cert-manager is in `docs/crd.yaml`. We can install it with:
```
$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/crd.yaml
```
#### Kubernetes 1.6 and below
As Kubernetes 1.6 does not support CustomResourceDefinitions, we must instead
use ThirdPartyResources, the older, now deprecated version of
CustomResourceDefinition. A pre-made TPR for cert-manager is in
`docs/tpr.yaml`. We can install it with:
```
$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/tpr.yaml
```
### 1. Deploy cert-manager
To deploy the latest version of cert-manager, run:
```
$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/cert-manager.yaml
```
**NOTE**
* In future this may be replaced with a Helm chart.
* There are currently no official RBAC roles defined for cert-manager (see [#34](https://github.com/jetstack-experimental/cert-manager/issues/34))
### 2. Set up letsencrypt staging issuer
An Issuer in cert-manager describes a source for signed TLS certificates that
cert-manager can use to fulfil Certificate resources in a Kubernetes cluster.
Within the Issuer's spec, we can define any configuration that may be required
(e.g. credentials for updating a DNS server) on a per-issuer basis.
In the below example, you **must** remember to fill in the `spec.acme.email`
field.
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging.api.letsencrypt.org/directory
# Email address used for ACME registration
email: ""
# Name of a secret used to store the ACME account private key
privateKey: letsencrypt-staging
# ACME dns-01 provider configurations
dns-01:
# Here we define a list of DNS-01 providers that can solve DNS challenges
providers:
# We define a provider named 'prod-dns', with configuration for the
# clouddns challenge provider.
- name: prod-dns
clouddns:
# A secretKeyRef to a the google cloud json service account
serviceAccount:
name: clouddns-service-account
key: service-account.json
# The project in which to update the DNS zone
project: gcloud-prod-project
```
This is an example Issuer for the letsencrypt staging server. Here, we define
one DNS provider, named clouddns, that can be used to solve ACME challenges.
HTTP-01 is also supported without additional configuration when using the ACME
issuer.
Upon creation of the Issuer, any initial preparation for that Issuer will be
performed, e.g. for the ACME issuer, an account is registered with the ACME
server specified in the spec, and a corresponding private key generated too if
required.
Multiple Issuers may exist at any one time, and they should be referenced by
name in a Certificate resource. The Issuer and Certificate resource must exist
in the same namespace, as cert-manager does not allow the traversal of
namespace boundaries.
### 3. Create a Certificate resource
Now we have an Issuer configured, we can create a Certificate resource that
uses it. A Certificate represents the lifecycle of a TLS certificate in your
cluster. When a Certificate is created, cert-manager will verify the
certificate is valid for the requested domains and if not, will attempt to
retrieve a signed Certificate from the specified Issuer.
```yaml
## Example Certificate that uses multiple challenge mechanisms to obtain
## a SAN certificate for multiple domains from the letsencrypt-staging issuer.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: example-com
spec:
# The name of the Kubernetes secret resource to store the signed TLS keypair
secretName: example-com
# The Issuer to use for this certificate
issuer: letsencrypt-staging
# A list of domains to include on the TLS certificate
domains:
- example.com
- www.example.com
- example2.com
acme:
# A pairing of domains to challenge types for the ACME provider to use
# when attempting to validate domain ownership for the listed domains
config:
- domains:
- example.com
- www.example.com
http-01:
ingressClass: nginx
- domains:
- example2.com
dns-01:
provider: prod-dns
```
### 4. Ensuring the Certificate request has been fulfiled
> Currently, cert-manager does not log Events on Certificates or Issuers to the
Kubernetes Events API (see [#54](https://github.com/jetstack-experimental/cert-manager/issues/54)).
Until then, we can view the logs of cert-manager with the following:
```
$ kubectl logs -l app=cert-manager
2017/08/29 12:54:37 Preparing Certificate 'default/test-jetstack-net'
2017/08/29 12:54:37 getting private key for acme issuer default/letsencrypt-staging
2017/08/29 12:54:37 need to get authorizations for [test.jetstack.net]
2017/08/29 12:54:37 requested authorizations for [test.jetstack.net]
2017/08/29 12:54:37 picking challenge type for domain 'test.jetstack.net'
2017/08/29 12:54:37 using challenge type http-01 for domain 'test.jetstack.net'
2017/08/29 12:54:37 presenting challenge for domain test.jetstack.net, token FdVsxK2U1NRqTpEtFux29xy-0SVkcHc2qbguttdZLy8 key FdVsxK2U1NRqTpEtFux29xy-0SVkqHc2qbguttdZLy8.HwRbVJxMBmV9fJ9UxUtbN5tvjnEeCTtHnH5G9JLSYhc
2017/08/29 12:54:38 waiting for key to be available to acme servers for domain test.jetstack.net
2017/08/29 12:54:38 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:44 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:49 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:54 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:59 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:55:04 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:55:09 [test.jetstack.net] HTTP01 challenge self checking passed
2017/08/29 12:55:09 accepting http-01 challenge for domain test.jetstack.net
2017/08/29 12:55:09 waiting for authorization for domain test.jetstack.net (https://acme-staging.api.letsencrypt.org/acme/challenge/MEFHD2piP1SpkG3tMcE9CRldMO-pS7OqzeJs6AK7AiE/1704174337)...
2017/08/29 12:55:09 got successful authorization for domain test.jetstack.net
2017/08/29 12:55:09 Finished preparing Certificate 'default/test-jetstack-net'
2017/08/29 12:55:09 [default/test-jetstack-net] Issuing certificate...
2017/08/29 12:55:15 successfully got certificate: domains=[test.jetstack.net] url=https://acme-staging.api.letsencrypt.org/acme/cert/03ed2ed8bac6c402a04ef8d9e83a536ad823
2017/08/29 12:55:15 [default/test-jetstack-net] Successfully issued certificate (test-jetstack-net)
2017/08/29 12:55:15 [default/test-jetstack-net] Scheduling renewal in 1438 hours
2017/08/29 12:55:15 finished processing work item
```
You can also check the signed TLS keypair exists with:
```
$ kubectl get secret -o yaml example-com
```
You should see a base64 encoded TLS keypair if issuance was successful.
## Further documentation
For further documentation, please check the [/docs](/docs) directory in this
repository.
## Troubleshooting
If you encounter any issues whilst using cert-manager, and your issue is not
documented, please [file an issue](https://github.com/jetstack-experimental/cert-manager/issues).
## Contributing
We welcome pull requests with open arms! There's a lot of work to do here, and
we're especially concerned with ensuring the longevity and reliability of the
project.
Please take a look at our [issue tracker](https://github.com/jetstack-experimental/cert-manager/issues)
if you are unsure where to start with getting involved!
We also use the #kube-lego channel on kubernetes.slack.com for chat relating
to the project.
Developer documentation should soon be available at [docs/devel](docs/devel).
## Changelog
The [list of releases](https://github.com/jetstack-experimental/cert-manager/releases)
is the best place to look for information on changes between releases.
Reference in New Issue View Git Blame Copy Permalink