Install cert-manager from the pinned release manifest (it bundles the CRDs and the controller). `k` is used as an alias for `kubectl` throughout this page.

```shell
k apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
```
A ClusterIssuer for Let's Encrypt using the HTTP-01 challenge. Note that `privateKeySecretRef` is the ACME *account* key, not the key of any certificate; certificate keys go into the Secret named by each Ingress/Certificate. Let's Encrypt's production endpoint enforces rate limits, so test a new setup against the staging directory (`https://acme-staging-v02.api.letsencrypt.org/directory`, whose certificates are not browser-trusted) before switching to the URL below.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production directory URL
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      # Secret in which cert-manager stores the ACME account private key
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          # the solver creates a temporary Ingress for /.well-known/acme-challenge/,
          # so port 80 of this ingress class must be reachable from the Internet
          class: nginx
```
An Ingress that asks the ClusterIssuer for a certificate through the `cert-manager.io/cluster-issuer` annotation. cert-manager creates a Certificate resource from the `spec.tls` entry and writes the key and certificate into `secretName`. The `kubernetes.io/ingress.class` annotation is deprecated in favour of `spec.ingressClassName`; it is kept here because the solver above selects the same class.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true" # redirect plain HTTP to HTTPS
    cert-manager.io/cluster-issuer: "letsencrypt-prod"     # ClusterIssuer to request the certificate from
spec:
  tls:
  - hosts:
    - yourdomain.com
    secretName: yourdomain-tls # Secret in which the TLS key and certificate are stored
  rules:
  - host: yourdomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: your-service-name
            port:
              number: 80
```
The issued certificate can be traced through the following CRDs. (The outputs below were captured from a different deployment than the manifests above: namespace `ingresstest`, issuer `letsencrypt-nginx`, Certificate `sample-dude-cert`, so the names differ.)
- CertificateRequest: the resource used to request an X.509 certificate from an Issuer.
- Order: the resource that manages the full lifecycle of an ACME order for a signed TLS certificate; each Order spawns one Challenge resource per solver.
- Certificate: the desired state. cert-manager keeps the referenced Secret populated with a valid certificate and renews it before expiry.
```
k get certificaterequests -n ingresstest
>>>
NAME                     APPROVED   DENIED   READY   ISSUER              REQUESTOR                                         AGE
sample-dude-cert-lwzbw   True                True    letsencrypt-nginx   system:serviceaccount:cert-manager:cert-manager   100s
```
`describe` shows the sequence of events: every issuer controller refuses to sign until the request is Approved, the built-in approver approves it, the ACME issuer creates an Order, and the certificate is fetched once the Order completes (here about 27 seconds later).

```
k describe certificaterequests -n ingresstest
>>>
...
Events:
  Type    Reason              Age   From                                               Message
  ----    ------              ---   ----                                               -------
  Normal  WaitingForApproval  119s  cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  119s  cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  119s  cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  119s  cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  119s  cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     119s  cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  OrderCreated        119s  cert-manager-certificaterequests-issuer-acme        Created Order resource ingresstest/sample-dude-cert-lwzbw-1977632583
  Normal  CertificateIssued   92s   cert-manager-certificaterequests-issuer-acme        Certificate fetched from issuer successfully
```
The Order named in the OrderCreated event has reached the `valid` state:

```
k get order -n ingresstest
>>>
NAME                                STATE   AGE
sample-dude-cert-lwzbw-1977632583   valid   2m48s
```
## Issued certificate information

The SECRET column is the Secret that actually holds `tls.key` and `tls.crt`; it need not share the Certificate's name.

```
k get certificate -n ingresstest
>>>
NAME               READY   SECRET                  AGE
sample-dude-cert   True    sample-jacobbaek-cert   2m38s
```
Renewal time

`status.renewalTime` is when cert-manager will start re-issuing. By default `renewBefore` is one third of the certificate duration, so for a 90-day Let's Encrypt certificate renewal is scheduled 30 days before `notAfter`, exactly what the timestamps below show:

```
k get certificate -n ingresstest -o jsonpath='{.items[0].status}' | jq
>>>
{
  "conditions": [
    {
      "lastTransitionTime": "2023-02-13T14:00:40Z",
      "message": "Certificate is up to date and has not expired",
      "observedGeneration": 1,
      "reason": "Ready",
      "status": "True",
      "type": "Ready"
    }
  ],
  "notAfter": "2023-05-14T13:00:38Z",
  "notBefore": "2023-02-13T13:00:39Z",
  "renewalTime": "2023-04-14T13:00:38Z",
  "revision": 1
}
```
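A `READY True` Certificate is not proof that renewal is working: the old certificate stays valid while a re-issuance fails, so the problem only surfaces in the `Issuing` condition and in a `renewalTime` that has already passed. The following audit script, added here as an example and not part of the page or of cert-manager, walks the output of `kubectl get certificates -A -o json` and reports exactly those cases. The embedded `SAMPLE` document is constructed: its first item copies the status block shown above, its second item is a hypothetical stuck renewal. The `Issuing` condition text is modelled on cert-manager's, but any real cluster output will do.

```python
"""Audit cert-manager Certificate objects from `kubectl get certificates -A -o json`.

Added example for this page; not cert-manager's code or the page's own.
Usage: kubectl get certificates -A -o json | python3 cert_audit.py [NOW_RFC3339]
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample input (not captured from a cluster). Item 1 mirrors the
# status shown on this page; item 2 is a hypothetical certificate whose
# renewal keeps failing while READY still reports True.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ingresstest", "name": "sample-dude-cert"},
     "spec": {"secretName": "sample-jacobbaek-cert"},
     "status": {"conditions": [
         {"type": "Ready", "status": "True", "reason": "Ready",
          "message": "Certificate is up to date and has not expired"}],
         "notBefore": "2023-02-13T13:00:39Z", "notAfter": "2023-05-14T13:00:38Z",
         "renewalTime": "2023-04-14T13:00:38Z", "revision": 1}},
    {"metadata": {"namespace": "default", "name": "stuck-cert"},
     "spec": {"secretName": "stuck-cert-tls"},
     "status": {"conditions": [
         {"type": "Ready", "status": "True", "reason": "Ready",
          "message": "Certificate is up to date and has not expired"},
         {"type": "Issuing", "status": "False", "reason": "Failed",
          "message": "The certificate request has failed to complete and will be retried"}],
         "notBefore": "2023-01-01T00:00:00Z", "notAfter": "2023-04-01T00:00:00Z",
         "renewalTime": "2023-03-02T00:00:00Z", "revision": 3}},
]})


def parse_ts(value):
    """cert-manager writes RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition(status, cond_type):
    """Return the condition of the given type, or None if it is absent."""
    return next((c for c in status.get("conditions", []) if c.get("type") == cond_type), None)


def audit(cert, now):
    """Summarise one Certificate's health as of `now` (a tz-aware datetime)."""
    meta, status = cert["metadata"], cert.get("status", {})
    ready = condition(status, "Ready")
    result = {"name": f"{meta['namespace']}/{meta['name']}",
              "secret": cert["spec"]["secretName"],
              "ready": bool(ready and ready.get("status") == "True"),
              "problems": []}
    if not result["ready"]:
        result["problems"].append("Ready is not True: " + (ready or {}).get("message", "no Ready condition"))
    # Issuing=False means the current (re)issuance attempt failed; Ready can
    # still be True because the previously issued certificate has not expired.
    issuing = condition(status, "Issuing")
    if issuing and issuing.get("status") == "False":
        result["problems"].append(f"Issuing failed ({issuing.get('reason')}): {issuing.get('message')}")
    if "notAfter" not in status:
        result["problems"].append("never issued: no notAfter in status")
        return result
    not_before, not_after = parse_ts(status["notBefore"]), parse_ts(status["notAfter"])
    lifetime = not_after - not_before
    result["lifetime_days"] = round(lifetime.total_seconds() / 86400)
    result["days_to_expiry"] = (not_after - now).days
    if now >= not_after:
        result["problems"].append("expired at " + status["notAfter"])
    if "renewalTime" in status:
        renewal = parse_ts(status["renewalTime"])
        renew_before = not_after - renewal
        result["renew_before_days"] = round(renew_before.total_seconds() / 86400)
        # cert-manager's default renewBefore is one third of the duration, so
        # this is ~0.33 unless spec.renewBefore was set explicitly.
        result["renew_before_fraction"] = round(renew_before / lifetime, 2)
        if renewal < now < not_after:
            result["problems"].append("renewal overdue since " + status["renewalTime"])
    return result


def audit_json(text, now_iso):
    """Audit every item of a `kubectl get certificates -o json` document."""
    now = parse_ts(now_iso)
    return [audit(item, now) for item in json.loads(text)["items"]]


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now_iso = sys.argv[1] if len(sys.argv) > 1 else datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    bad = 0
    for r in audit_json(text, now_iso):
        print(f"{'BAD' if r['problems'] else 'OK '} {r['name']} secret={r['secret']} "
              f"expires_in={r.get('days_to_expiry', '?')}d")
        for p in r["problems"]:
            print("     -", p)
        bad += bool(r["problems"])
    sys.exit(1 if bad else 0)
```

Run without stdin and with a clock argument such as `2023-03-10T00:00:00Z` to see the sample: the page's certificate is reported OK with a 30-day renewal window, while the second one is flagged for a failed Issuing condition and an overdue renewal even though its Ready condition is still True. The non-zero exit code makes the script usable as a cron or CI check.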
Decoding the certificate from the Secret and inspecting it with openssl confirms that Let's Encrypt issued it for the `sample.dude.com` domain. The Secret name comes from the SECRET column of `k get certificate` above, not from the Certificate's name. `tls.crt` holds the leaf certificate followed by the intermediate chain; `openssl x509` reads only the first PEM block, which is the leaf.

```shell
k get secret sample-jacobbaek-cert -n ingresstest -o jsonpath='{.data.tls\.crt}' | base64 -d > dude.crt
openssl x509 -noout -text -in dude.crt | grep CN
```

```
Issuer: C = US, O = Let's Encrypt, CN = R3
Subject: CN = sample.dude.com
```

R3 was Let's Encrypt's RSA intermediate when this output was captured; Let's Encrypt has since rotated to new intermediates, so verify the issuer against their current chain rather than expecting the string `R3`.