Kubernetes Stories



cert-manager and Let's Encrypt integration

kmaster 2022. 2. 16. 10:35

1. cert-manager

cert-manager automatically provisions TLS certificates inside Kubernetes and manages them afterwards, renewing them before they expire.

https://cert-manager.io/docs/

2. Let's Encrypt

Let's Encrypt is a free, automated, open certificate authority. A TLS certificate issued by Let's Encrypt is trusted by browsers, so the warning that appears when a site is served with a private (self-signed) certificate does not show up.

https://letsencrypt.org/ko/how-it-works/

3. Installation

1) cert-manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.yaml

2) Create a ClusterIssuer so that cert-manager issues certificates through Let's Encrypt

The email address is registered with the ACME account, and privateKeySecretRef names the Secret in which cert-manager stores the ACME account key. While testing, point server at the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) to stay clear of the production rate limits; staging certificates are not trusted by browsers.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: test@xxx.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

In an on-prem environment where Let's Encrypt integration is difficult (the ACME server must be able to reach the Ingress over the public internet to complete the HTTP-01 challenge), use a self-signed ClusterIssuer instead. Note that a self-signed certificate brings back the browser warning described in section 2.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}

 

4. Test

1) Ingress configuration

The cert-manager.io/cluster-issuer annotation tells cert-manager (its ingress-shim component) to create a Certificate for the hosts listed under spec.tls and to store the result in the Secret named by secretName. The test below uses the self-signed ClusterIssuer; to issue through Let's Encrypt, set the annotation to letsencrypt-prod instead.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat
  namespace: test
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
spec:
  rules:
  - host: test.tomcat.10.60.200.121.sslip.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port:
              number: 8080
  tls:
  - hosts:
    - test.tomcat.10.60.200.121.sslip.io
    secretName: tomcat-cert

 

2) Verify the certificate

kubectl describe certificate tomcat-cert -n test

Name:         tomcat-cert
Namespace:    test
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-02-16T14:00:58Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          .:
          k:{"uid":"25d95f04-3e8d-442e-80de-ee4d86094c68"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
        f:usages:
      f:status:
        .:
        f:conditions:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:    controller
    Operation:  Update
    Time:       2022-02-16T14:00:59Z
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  tomcat
    UID:                   25d95f04-3e8d-442e-80de-ee4d86094c68
  Resource Version:        4225613
  Self Link:               /apis/cert-manager.io/v1/namespaces/test/certificates/tomcat-cert
  UID:                     60ac30ed-9e8a-4a1a-a98a-74a146bbb6c5
Spec:
  Dns Names:
    test.10.60.200.121.sslip.io
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       selfsigned-issuer
  Secret Name:  tomcat-cert
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:  2022-02-16T14:00:59Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-05-17T14:00:59Z
  Not Before:              2022-02-16T14:00:59Z
  Renewal Time:            2022-04-17T14:00:59Z
  Revision:                1
Events:                    <none>
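Reading the describe output by eye is fine for one Ingress, but the checks worth automating are the same every time: does the Certificate that ingress-shim created actually match the Ingress (hosts, issuer, secret name), is it Ready, has it expired, and has renewal slipped past renewalTime. The script below is an added example written for this post (not code from the original post or from the cert-manager project). It reads the JSON that kubectl get ingress/certificate -o json would print; the two documents embedded here are constructed to mirror the tomcat Ingress above and are not real cluster output. The issuerRef kind defaulting to Issuer when omitted follows cert-manager's API.

```python
import json
from datetime import datetime, timezone

# Constructed sample input modeled on the post's tomcat Ingress (not real cluster output).
INGRESS_JSON = """{
  "kind": "Ingress",
  "metadata": {"name": "tomcat", "namespace": "test",
               "annotations": {"cert-manager.io/cluster-issuer": "selfsigned-cluster-issuer"}},
  "spec": {"tls": [{"hosts": ["test.tomcat.10.60.200.121.sslip.io"], "secretName": "tomcat-cert"}]}
}"""

# Constructed sample Certificate as ingress-shim would create it for that Ingress.
CERT_JSON = """{
  "kind": "Certificate",
  "metadata": {"name": "tomcat-cert", "namespace": "test"},
  "spec": {"dnsNames": ["test.tomcat.10.60.200.121.sslip.io"],
           "issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "selfsigned-cluster-issuer"},
           "secretName": "tomcat-cert"},
  "status": {"conditions": [{"type": "Ready", "status": "True",
                             "message": "Certificate is up to date and has not expired"}],
             "notBefore": "2022-02-16T14:00:59Z", "notAfter": "2022-05-17T14:00:59Z",
             "renewalTime": "2022-04-17T14:00:59Z"}
}"""


def parse_time(stamp):
    """Parse the RFC 3339 UTC timestamps Kubernetes prints, e.g. 2022-05-17T14:00:59Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_samples():
    """Return the constructed (Ingress, Certificate) pair as dicts."""
    return json.loads(INGRESS_JSON), json.loads(CERT_JSON)


def expected_from_ingress(ingress):
    """What ingress-shim should create: one Certificate per spec.tls entry, keyed by
    secretName, with dnsNames = hosts and the issuer taken from the
    cert-manager.io/cluster-issuer (or cert-manager.io/issuer) annotation."""
    ann = ingress["metadata"].get("annotations", {})
    if "cert-manager.io/cluster-issuer" in ann:
        issuer = ("ClusterIssuer", ann["cert-manager.io/cluster-issuer"])
    elif "cert-manager.io/issuer" in ann:
        issuer = ("Issuer", ann["cert-manager.io/issuer"])
    else:
        issuer = None
    return {tls["secretName"]: {"dnsNames": sorted(tls["hosts"]), "issuer": issuer}
            for tls in ingress["spec"].get("tls", [])}


def check_certificate(ingress, cert, now):
    """Return a list of findings; an empty list means consistent and healthy at time `now`."""
    findings = []
    spec = cert["spec"]
    expected = expected_from_ingress(ingress).get(spec["secretName"])
    if expected is None:
        findings.append("no spec.tls entry in the Ingress uses secret %s" % spec["secretName"])
    else:
        if sorted(spec.get("dnsNames", [])) != expected["dnsNames"]:
            findings.append("dnsNames %s do not match Ingress tls hosts %s"
                            % (spec.get("dnsNames"), expected["dnsNames"]))
        ref = spec["issuerRef"]
        actual = (ref.get("kind", "Issuer"), ref["name"])  # kind defaults to Issuer
        if expected["issuer"] is None:
            findings.append("Ingress has no cert-manager issuer annotation")
        elif actual != expected["issuer"]:
            findings.append("issuerRef %s/%s does not match annotation %s/%s" % (actual + expected["issuer"]))
    status = cert.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c["type"] == "Ready"), None)
    if ready is None or ready["status"] != "True":
        findings.append("Certificate is not Ready: %s" % (ready and ready.get("message")))
    if "notAfter" in status and parse_time(status["notAfter"]) <= now:
        findings.append("certificate expired at %s" % status["notAfter"])
    if "renewalTime" in status and parse_time(status["renewalTime"]) <= now:
        findings.append("renewal was due at %s and has not happened" % status["renewalTime"])
    return findings


if __name__ == "__main__":
    ing, crt = load_samples()
    for line in check_certificate(ing, crt, datetime.now(timezone.utc)) or ["OK"]:
        print(line)
```

Run against the Ingress manifest and the describe output as printed in section 4, the dnsNames and issuerRef checks would both fire: the output lists test.10.60.200.121.sslip.io and selfsigned-issuer while the manifest carries test.tomcat.10.60.200.121.sslip.io and selfsigned-cluster-issuer. That kind of drift between what was applied and what is actually in the cluster is exactly what the comparison is for. The renewal check uses cert-manager's own renewalTime (notAfter minus renewBefore, 30 days before the 90-day expiry in the output above), so a Certificate that is past it but still Ready is a sign the issuer is failing quietly.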