Cert-manager
Automatically provision and manage TLS certificates in Kubernetes.
Installation
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
최신버전 확인해서 URL 수정하자. 참고로 내가 k3s에서 설치했을 때 다음과 같은 로그가 출력되었다:
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
namespace/cert-manager created
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
configmap/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
다음 명령으로 설치된 파드를 확인할 수 있다.
다음과 같이 출력된다:
NAME READY STATUS RESTARTS AGE
cert-manager-7476c8fcf4-p6ndk 1/1 Running 0 4m21s
cert-manager-cainjector-bdd866bd4-r7wmp 1/1 Running 4 (2m22s ago) 4m21s
cert-manager-webhook-5655dcfb4b-d2kzz 1/1 Running 4 (2m22s ago) 4m19s
참고로 다음 명령으로 전체 파드를 확인하면:
다음과 같다:
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system local-path-provisioner-957fdf8bc-jqhnh 1/1 Running 2 (4h22m ago) 4h25m
kube-system helm-install-traefik-crd-w48dv 0/1 Completed 1 4h25m
kube-system helm-install-traefik-58bgc 0/1 Completed 3 4h25m
kube-system svclb-traefik-63314ab5-gfppw 2/2 Running 0 4h20m
cert-manager cert-manager-7476c8fcf4-p6ndk 1/1 Running 0 4m38s
kube-system coredns-77ccd57875-jh9gm 1/1 Running 0 4h25m
kube-system traefik-64f55bb67d-gj8fc 1/1 Running 0 4h20m
cert-manager cert-manager-cainjector-bdd866bd4-r7wmp 1/1 Running 4 (2m39s ago) 4m38s
cert-manager cert-manager-webhook-5655dcfb4b-d2kzz 1/1 Running 4 (2m39s ago) 4m36s
kube-system metrics-server-648b5df564-xm5vs 1/1 Running 3 (2m32s ago) 4h25m
Delete
위의 apply 명령을 delete 로 바꾸면 된다.
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
Pods
- cert-manager
- 인증서를 관리하는 핵심 역할을 합니다. 이것은 Kubernetes 클러스터 내에서 SSL/TLS 인증서를 자동으로 발급, 갱신, 철회하는 작업을 담당합니다.
- cert-manager-cainjector
- CA Injector - cert-manager Documentation
- CA Injector 이다. Kubernetes 내에 인증서를 자동으로 삽입하는 역할을 합니다. 이 포드는 API 서버에서 웹훅을 통해 동적으로 인증서를 주입하는 작업을 수행합니다.
- cert-manager-webhook
- cert-manager와 클러스터 간의 통신을 관리하는 웹훅 서버입니다. 이것은 인증서 발급 시점에 인증서를 검증하고 유효성을 확인하는 작업을 수행합니다. 웹훅은 Kubernetes API 서버와 상호 작용하며 동적인 변환 작업을 수행합니다.
cmctl
cert-manager 의 CLI 명령.
CRDs
cert-manager uses Kubernetes Custom Resources to define the resources which users interact with when using cert-manager, such as Certificates and Issuers.
When changes are made to the CRDs in code, there are a couple of extra steps which are required.