我正在与 cert-manager 和 kong-ingress-controller 合作,在 kubernetes 中启用 https。
我有兴趣弄清楚当我只使用 ClusterIssuer
以及我们使用入口资源时默认生成的证书时,续订过程是如何的。
我没有使用 kind: Certificate
资源,这意味着我没有定义要签名的 X.509 自定义证书并获取通过引用我的 ClusterIssuer 验证的证书
.
目前,我已经创建了一个 ClusterIssuer
和一个入口资源,它会自动创建一个名为 letsencrypt-prod
的证书,该证书将用于执行
验证cert-manager
和 Letsencrypt CA 之间的 http01
最后,我有这样的输出:
I0321 10:49:48.505664 1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-prod'
I0321 10:49:48.506008 1 conditions.go:143] Found status change for Certificate "letsencrypt-prod" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-03-21 10:49:48.506003434 +0000 UTC m=+168443.026129945
I0321 10:49:48.506571 1 sync.go:263] Certificate default/letsencrypt-prod scheduled for renewal in 1438h59m58.49343646s
I0321 13:57:46.226424 1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-prod"
I0321 15:12:53.199067 1 controller.go:178] ingress-shim controller: syncing item 'default/kong-ingress-service'
I0321 15:12:53.199171 1 sync.go:183] Certificate "letsencrypt-prod" for ingress "kong-ingress-service" is up to date
这意味着我的证书将在 1438h-59m-58.49343646s 内更新。这意味着大约 3 个月
这意味着,真的会自动刷新吗?
如所示here :
The default duration for all certificates is 90 days and the default renewal windows is 30 days. This means that certificates are considered valid for 3 months and renewal will be attempted within 1 month of expiration.
证书管理器文档说:
Although the duration and renewal periods are specified on the Certificate resources, the corresponding Issuer or ClusterIssuer must support this.
我的集群发行者是:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="583521753d35393134183d20393528343d763b3735" rel="noreferrer noopener nofollow">[email protected]</a>
privateKeySecretRef:
name: letsencrypt-prod
http01: {}
如果我不创建证书资源,如何管理duration
和renewBefore
参数。 ?
据此我可以在 ClusterIssuer 中添加 duration
和 renewBefore
参数吗?也许是这样?
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="96fbefbbf3fbf7fffad6f3eef7fbe6faf3b8f5f9fb" rel="noreferrer noopener nofollow">[email protected]</a>
privateKeySecretRef:
name: letsencrypt-prod
http01: {}
# ...
duration: 24h
renewBefore: 12h
最佳答案
颁发者\集群颁发者不支持此功能,仅在证书上支持。您可以创建一个 admission controllers更改证书,或者您可以使用 cronjob 在创建证书资源后更新它们
关于azure - 证书管理器 - 我的证书的有效期和续订过程,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55358128/