I have installed cert-manager on a k8s cluster:
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.5.3 --set installCRDs=true
My goal is mTLS communication between microservices running in the same namespace.
For this purpose I created a CA issuer, i.e.
kubectl get issuer -n sandbox -o yaml
apiVersion: v1
items:
- apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"cert-manager.io/v1","kind":"Issuer","metadata":{"annotations":{},"name":"ca-issuer","namespace":"sandbox"},"spec":{"ca":{"secretName":"tls-internal-ca"}}}
    creationTimestamp: "2021-09-16T17:24:58Z"
    generation: 1
    managedFields:
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:spec:
          .: {}
          f:ca:
            .: {}
            f:secretName: {}
      manager: HashiCorp
      operation: Update
      time: "2021-09-16T17:24:58Z"
    - apiVersion: cert-manager.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          .: {}
          f:conditions: {}
      manager: controller
      operation: Update
      time: "2021-09-16T17:24:58Z"
    name: ca-issuer
    namespace: sandbox
    resourceVersion: "3895820"
    selfLink: /apis/cert-manager.io/v1/namespaces/sandbox/issuers/ca-issuer
    uid: 90f0c811-b78d-4346-bb57-68bf607ee468
  spec:
    ca:
      secretName: tls-internal-ca
  status:
    conditions:
    - message: Signing CA verified
      observedGeneration: 1
      reason: KeyPairVerified
      status: "True"
      type: Ready
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
Using this CA issuer, I created certificates for my two microservices.
kubectl get certificate -n sandbox
NAME                   READY   SECRET                 AGE
service1-certificate   True    service1-certificate   3d
service2-certificate   True    service2-certificate   2d23h
These are configured as follows:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
    meta.helm.sh/release-name: service1
    meta.helm.sh/release-namespace: sandbox
  creationTimestamp: "2021-09-17T10:20:21Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  managedFields:
  - apiVersion: cert-manager.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:meta.helm.sh/release-name: {}
          f:meta.helm.sh/release-namespace: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/managed-by: {}
      f:spec:
        .: {}
        f:commonName: {}
        f:dnsNames: {}
        f:duration: {}
        f:issuerRef:
          .: {}
          f:kind: {}
          f:name: {}
        f:renewBefore: {}
        f:secretName: {}
        f:subject:
          .: {}
          f:organizations: {}
        f:usages: {}
    manager: Go-http-client
    operation: Update
    time: "2021-09-17T10:20:21Z"
  - apiVersion: cert-manager.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        f:privateKey: {}
      f:status:
        .: {}
        f:conditions: {}
        f:notAfter: {}
        f:notBefore: {}
        f:renewalTime: {}
        f:revision: {}
    manager: controller
    operation: Update
    time: "2021-09-20T05:14:12Z"
  name: service1-certificate
  namespace: sandbox
  resourceVersion: "5177051"
  selfLink: /apis/cert-manager.io/v1/namespaces/sandbox/certificates/service1-certificate
  uid: 0cf1ea65-92a1-4b03-944e-b847de2c80d9
spec:
  commonName: example.com
  dnsNames:
  - service1
  duration: 24h0m0s
  issuerRef:
    kind: Issuer
    name: ca-issuer
  renewBefore: 12h0m0s
  secretName: service1-certificate
  subject:
    organizations:
    - myorg
  usages:
  - client auth
  - server auth
status:
  conditions:
  - lastTransitionTime: "2021-09-20T05:14:13Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2021-09-21T05:14:13Z"
  notBefore: "2021-09-20T05:14:13Z"
  renewalTime: "2021-09-20T17:14:13Z"
  revision: 5
Now, as you can see in the configuration, I have configured them to be renewed every 12 hours. However, the secrets created through this custom Certificate resource are still two days old (from when they were first created), and I was expecting this TLS secret to be renewed by cert-manager every day.
kubectl get secrets service1-certificate service2-certificate -n sandbox -o wide
NAME                   TYPE                DATA   AGE
service1-certificate   kubernetes.io/tls   3      2d23h
service2-certificate   kubernetes.io/tls   3      3d1h
Is my understanding wrong...? In the logs of the cert-manager pod I do see some errors around renewal.
I0920 05:14:04.649158       1 trigger_controller.go:181] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="sandbox/service1-certificate" "message"="Renewing certificate as renewal was scheduled at 2021-09-19 08:24:13 +0000 UTC" "reason"="Renewing"
I0920 05:14:04.649235       1 conditions.go:201] Setting lastTransitionTime for Certificate "service1-certificate" condition "Issuing" to 2021-09-20 05:14:04.649227766 +0000 UTC m=+87949.327215532
I0920 05:14:04.652174       1 trigger_controller.go:181] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="sandbox/service2-certificate" "message"="Renewing certificate as renewal was scheduled at 2021-09-19 10:20:22 +0000 UTC" "reason"="Renewing"
I0920 05:14:04.652231       1 conditions.go:201] Setting lastTransitionTime for Certificate "service2-certificate" condition "Issuing" to 2021-09-20 05:14:04.652224302 +0000 UTC m=+87949.330212052
I0920 05:14:04.671111       1 conditions.go:190] Found status change for Certificate "service2-certificate" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2021-09-20 05:14:04.671094596 +0000 UTC m=+87949.349082328
I0920 05:14:04.671344       1 conditions.go:190] Found status change for Certificate "service1-certificate" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2021-09-20 05:14:04.671332206 +0000 UTC m=+87949.349319948
I0920 05:14:12.703039       1 controller.go:161] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to optimistic locking on resource" "key"="sandbox/service2-certificate" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"service2-certificate\": the object has been modified; please apply your changes to the latest version and try again"
I0920 05:14:12.703896       1 conditions.go:190] Found status change for Certificate "service2-certificate" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2021-09-20 05:14:12.7038803 +0000 UTC m=+87957.381868045
I0920 05:14:12.749502       1 controller.go:161] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to optimistic locking on resource" "key"="sandbox/service1-certificate" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"service1-certificate\": the object has been modified; please apply your changes to the latest version and try again"
I0920 05:14:12.750096       1 conditions.go:190] Found status change for Certificate "service1-certificate" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2021-09-20 05:14:12.750082572 +0000 UTC m=+87957.428070303
I0920 05:14:13.009032       1 controller.go:161] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to optimistic locking on resource" "key"="sandbox/service1-certificate" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"service1-certificate\": the object has been modified; please apply your changes to the latest version and try again"
I0920 05:14:13.117843       1 controller.go:161] cert-manager/controller/certificates-readiness "msg"="re-queuing item due to optimistic locking on resource" "key"="sandbox/service2-certificate" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"service2-certificate\": the object has been modified; please apply your changes to the latest version and try again"
I0920 05:14:13.119366       1 conditions.go:190] Found status change for Certificate "service2-certificate" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2021-09-20 05:14:13.119351795 +0000 UTC m=+87957.797339520
I0920 05:14:13.122820       1 controller.go:161] cert-manager/controller/certificates-key-manager "msg"="re-queuing item due to optimistic locking on resource" "key"="sandbox/service2-certificate" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"service2-certificate\": the object has been modified; please apply your changes to the latest version and try again"
I0920 05:14:13.123907       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "service2-certificate-t92qh" condition "Approved" to 2021-09-20 05:14:13.123896104 +0000 UTC m=+87957.801883833
I0920 05:14:13.248082       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "service1-certificate-p9stz" condition "Approved" to 2021-09-20 05:14:13.248071551 +0000 UTC m=+87957.926059296
I0920 05:14:13.253488       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "service2-certificate-t92qh" condition "Ready" to 2021-09-20 05:14:13.253474153 +0000 UTC m=+87957.931461871
I0920 05:14:13.388001       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "service1-certificate-p9stz" condition "Ready" to 2021-09-20 05:14:13.387983783 +0000 UTC m=+87958.065971525
Answer from a uj5u.com member:
Short answer
Based on the logs and certificate details you provided, it can be said that it is working as expected. Note the revision: 5 in your certificate, which means the certificate has already been renewed 4 times. If you look now it will be 6 or 7, because the certificate is renewed every 12 hours.
Logs
The first thing is the error messages in the cert-manager pod, which can really be confusing. These are mostly noisy messages and are not helpful by themselves.
See this GitHub issue comment and GitHub issue 3667.
If the logs are really needed, you should set args to --v=5 in the cert-manager deployment to raise the verbosity level. To edit a deployment, run the following command:
kubectl edit deploy cert-manager -n cert-manager
How to check certificates/secrets
When a certificate is renewed, the age of the secret and of the certificate does not change, but their contents are edited, for example resourceVersion in the secret and revision in the certificate.
Here are the options to check whether a certificate has been renewed:
Check by getting the secret as yaml before and after renewal:
kubectl get secret example-certificate -o yaml > secret-before
Then run diff between them. We will see that tls.crt as well as resourceVersion have been updated.
Look at the certificate's status: revision and dates. (I set the duration to the smallest possible value, 1h, and renewBefore to 55m, so it is renewed every 5 minutes.)
$ kubectl get cert example-cert -o yaml
  notAfter: "2021-09-21T14:05:24Z"
  notBefore: "2021-09-21T13:05:24Z"
  renewalTime: "2021-09-21T13:10:24Z"
  revision: 7
Check the events in the namespace where the certificate/secret is deployed:
$ kubectl get events
LAST SEEN   TYPE     REASON      OBJECT                     MESSAGE
117s        Normal   Issuing     certificate/example-cert   The certificate has been successfully issued
117s        Normal   Reused      certificate/example-cert   Reusing private key stored in existing Secret resource "example-staging-certificate"
6m57s       Normal   Issuing     certificate/example-cert   Renewing certificate as renewal was scheduled at 2021-09-21 13:00:24 +0000 UTC
6m57s       Normal   Requested   certificate/example-cert   Created new CertificateRequest resource "example-cert-bs8g6"
117s        Normal   Issuing     certificate/example-cert   Renewing certificate as renewal was scheduled at 2021-09-21 13:05:24 +0000 UTC
117s        Normal   Requested   certificate/example-cert   Created new CertificateRequest resource "example-cert-7x8cf"
Look at the certificaterequests:
$ kubectl get certificaterequests
NAME                 APPROVED   DENIED   READY   ISSUER      REQUESTOR                                         AGE
example-cert-2pxdd   True                True    ca-issuer   system:serviceaccount:cert-manager:cert-manager   14m
example-cert-54zzc   True                True    ca-issuer   system:serviceaccount:cert-manager:cert-manager   4m29s
example-cert-8vjcm   True                True    ca-issuer   system:serviceaccount:cert-manager:cert-manager   9m29s
Check the logs in the cert-manager pod and see the four stages:
I0921 12:45:24.000726       1 trigger_controller.go:181] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="default/example-cert" "message"="Renewing certificate as renewal was scheduled at 2021-09-21 12:45:24 +0000 UTC" "reason"="Renewing"
I0921 12:45:24.000761       1 conditions.go:201] Setting lastTransitionTime for Certificate "example-cert" condition "Issuing" to 2021-09-21 12:45:24.000756621 +0000 UTC m=+72341.194879378
I0921 12:45:24.120503       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "example-cert-mxvbm" condition "Approved" to 2021-09-21 12:45:24.12049391 +0000 UTC m=+72341.314616684
I0921 12:45:24.154092       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "example-cert-mxvbm" condition "Ready" to 2021-09-21 12:45:24.154081971 +0000 UTC m=+72341.348204734
Notes
Very importantly, not all issuers support the duration and renewBefore flags. For example, Let's Encrypt still cannot use them and has a default of 90 days.
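Added example (not code from the question, the answer, or cert-manager itself): a small Python check that reproduces the renewal arithmetic from both posts (renewal at notAfter minus renewBefore, so 24h/12h renews every 12h and 1h/55m every 5m) and classifies a Certificate from its .status using the revision counter rather than the unchanging AGE. The grace window and the SERVICE1_STATUS dictionary are constructed assumptions; the timestamps are the ones quoted above.

```python
"""Renewal timing checks for cert-manager Certificates. Added example, not code
from the post or from cert-manager; the timestamps are the ones quoted above."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}  # Go durations: "24h0m0s", "55m"

def parse_go_duration(text: str) -> timedelta:
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))

def parse_k8s_time(text: str) -> datetime:
    # Kubernetes status timestamps look like "2021-09-20T05:14:13Z" (always UTC).
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expected_renewal_time(not_after: str, duration: str, renew_before: Optional[str]) -> datetime:
    # cert-manager renews at notAfter - renewBefore; an unset renewBefore
    # defaults to one third of the duration (renewal at 2/3 of the lifetime).
    lifetime = parse_go_duration(duration)
    before = parse_go_duration(renew_before) if renew_before else lifetime / 3
    return parse_k8s_time(not_after) - before

def renewal_interval(duration: str, renew_before: str) -> timedelta:
    # How often a fresh certificate is issued: 24h/12h -> 12h, 1h/55m -> 5m.
    return parse_go_duration(duration) - parse_go_duration(renew_before)

def renewal_state(status: dict, previous_revision: int, now: datetime,
                  grace: timedelta = timedelta(minutes=10)) -> str:
    # AGE of the Secret/Certificate never changes on renewal, so compare the
    # revision counter with one recorded earlier. The grace window is assumed.
    if status["revision"] > previous_revision:
        return "renewed"
    scheduled = parse_k8s_time(status["renewalTime"])
    if now < scheduled:
        return "waiting"
    if now <= scheduled + grace:
        return "renewing"
    return "overdue"  # schedule passed, revision unchanged: check events and logs

# Constructed from the question's service1-certificate status block.
SERVICE1_STATUS = {"notBefore": "2021-09-20T05:14:13Z", "notAfter": "2021-09-21T05:14:13Z",
                   "renewalTime": "2021-09-20T17:14:13Z", "revision": 5}
```

Feed it the .status of `kubectl get cert ... -o yaml` together with the revision you noted on the previous check; "overdue" is the case where the log and event inspection in the answer becomes necessary.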
Please credit the source when reprinting. Link to this article: https://www.uj5u.com/qukuanlian/333040.html
