
Cert-manager

Automatically provision and manage TLS certificates in Kubernetes.

Installation

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Check the latest version and update the URL accordingly. For reference, when I installed it on k3s, the following log was output:

$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
namespace/cert-manager created
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
configmap/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created

The installed pods can be checked with the following command.

kubectl get pods --namespace cert-manager

The output looks like this:

NAME                                      READY   STATUS    RESTARTS        AGE
cert-manager-7476c8fcf4-p6ndk             1/1     Running   0               4m21s
cert-manager-cainjector-bdd866bd4-r7wmp   1/1     Running   4 (2m22s ago)   4m21s
cert-manager-webhook-5655dcfb4b-d2kzz     1/1     Running   4 (2m22s ago)   4m19s

For reference, if you list all pods with the following command:

kubectl get pods -A

the output is as follows:

NAMESPACE      NAME                                      READY   STATUS      RESTARTS        AGE
kube-system    local-path-provisioner-957fdf8bc-jqhnh    1/1     Running     2 (4h22m ago)   4h25m
kube-system    helm-install-traefik-crd-w48dv            0/1     Completed   1               4h25m
kube-system    helm-install-traefik-58bgc                0/1     Completed   3               4h25m
kube-system    svclb-traefik-63314ab5-gfppw              2/2     Running     0               4h20m
cert-manager   cert-manager-7476c8fcf4-p6ndk             1/1     Running     0               4m38s
kube-system    coredns-77ccd57875-jh9gm                  1/1     Running     0               4h25m
kube-system    traefik-64f55bb67d-gj8fc                  1/1     Running     0               4h20m
cert-manager   cert-manager-cainjector-bdd866bd4-r7wmp   1/1     Running     4 (2m39s ago)   4m38s
cert-manager   cert-manager-webhook-5655dcfb4b-d2kzz     1/1     Running     4 (2m39s ago)   4m36s
kube-system    metrics-server-648b5df564-xm5vs           1/1     Running     3 (2m32s ago)   4h25m
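The install-and-verify steps above, collected into one script, as an added example that is not part of the original note or of the cert-manager project. It pins the release through an assumed CERT_MANAGER_VERSION variable, waits for the three deployments to finish rolling out instead of polling `kubectl get pods` by hand, and then checks a pod listing (the same format as the output shown above) with a parser that needs no cluster access. The `cmctl check api --wait` call is only made when cmctl is on PATH; kubectl is only invoked from cert_manager_install, so the parser can be run on its own.

```shell
#!/bin/sh
# Added example (not from the original note): pin the cert-manager release,
# install it, wait for all three deployments to become available, then check
# the pod listing the way the note does by hand. CERT_MANAGER_VERSION is an
# assumed variable name; kubectl and cmctl are only called from
# cert_manager_install, so cert_manager_pods_ok runs without a cluster.

CERT_MANAGER_VERSION="${CERT_MANAGER_VERSION:-v1.12.0}"
CERT_MANAGER_URL="https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml"

cert_manager_install() {
    kubectl apply -f "$CERT_MANAGER_URL"
    # Block until every deployment reports a finished rollout (3 minute timeout).
    for d in cert-manager cert-manager-cainjector cert-manager-webhook; do
        kubectl -n cert-manager rollout status "deployment/$d" --timeout=180s
    done
    # If cmctl is installed, also confirm the webhook is answering API requests.
    if command -v cmctl >/dev/null 2>&1; then
        cmctl check api --wait=2m
    fi
}

# cert_manager_pods_ok reads `kubectl get pods -n cert-manager` output on stdin
# and returns 0 only when each of the three components has exactly one pod that
# is Running with all containers Ready (READY x/x). RESTARTS is reported as a
# note but is not treated as a failure: restarts during the first minutes after
# install (as in the listing above) do not by themselves mean something is wrong.
cert_manager_pods_ok() {
    awk '
    BEGIN { bad = 0 }
    NR == 1 { next }                      # skip the header line
    {
        name = $1; ready = $2; status = $3; restarts = $4
        split(ready, r, "/")
        comp = "cert-manager"
        if (name ~ /^cert-manager-cainjector-/) comp = "cert-manager-cainjector"
        else if (name ~ /^cert-manager-webhook-/) comp = "cert-manager-webhook"
        seen[comp]++
        if (status != "Running" || r[1] != r[2]) {
            printf "NOT READY: %s (%s %s)\n", name, ready, status
            bad = 1
        }
        if (restarts + 0 > 0) printf "note: %s restarted %s times\n", name, restarts
    }
    END {
        n = split("cert-manager cert-manager-cainjector cert-manager-webhook", want, " ")
        for (i = 1; i <= n; i++)
            if (seen[want[i]] != 1) { printf "MISSING OR DUPLICATE: %s\n", want[i]; bad = 1 }
        exit bad
    }'
}
```

Usage: `cert_manager_install` after sourcing the script, then `kubectl get pods -n cert-manager | cert_manager_pods_ok` as a final check; the parser prints every pod that is not Running and Ready and exits non-zero, which makes it usable as a gate in a provisioning pipeline.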

Delete

Just change apply in the command above to delete.

kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Pods

cert-manager
This is the core component that manages certificates. It is responsible for automatically issuing, renewing, and revoking SSL/TLS certificates within the Kubernetes cluster.
cert-manager-cainjector
CA Injector - cert-manager Documentation
This is the CA Injector. It is responsible for automatically injecting certificates within Kubernetes. This pod performs dynamic certificate injection via webhooks from the API server.
cert-manager-webhook
A webhook server that manages communication between cert-manager and the cluster. At certificate issuance time it validates the certificate resources and checks their validity. The webhook interacts with the Kubernetes API server and performs dynamic conversions.

cmctl

The cert-manager CLI command.

CRDs

cert-manager uses Kubernetes Custom Resources to define the resources which users interact with when using cert-manager, such as Certificates and Issuers.

When changes are made to the CRDs in code, there are a couple of extra steps which are required.

See also
