{"id":1150,"date":"2021-01-22T18:12:08","date_gmt":"2021-01-22T10:12:08","guid":{"rendered":"http:\/\/blog.axqd.net\/?p=1150"},"modified":"2021-01-22T18:12:08","modified_gmt":"2021-01-22T10:12:08","slug":"private-ca-for-mtls-with-cert-manager","status":"publish","type":"post","link":"https:\/\/blog.axqd.net\/?p=1150","title":{"rendered":"Private CA for mTLS with cert-manager"},"content":{"rendered":"\n<p>Step 1: install cert-manager:<\/p>\n\n\n\n<p><a href=\"https:\/\/cert-manager.io\/docs\/installation\/kubernetes\/\">https:\/\/cert-manager.io\/docs\/installation\/kubernetes\/<\/a><\/p>\n\n\n\n<p>All manifests below use the <code>cert-manager.io\/v1<\/code> API (cert-manager 1.0 and later), and every resource name is lowercase: Kubernetes rejects object names that are not valid DNS-1123 subdomains, so a name like <code>FooBarCA<\/code> fails on <code>kubectl apply<\/code>.<\/p>\n\n\n\n<p>Step 2: create a self-signed ClusterIssuer (cluster-scoped, shared by all namespaces). Its only job is to sign the CA certificate in the next step:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: foobar-selfsigned\nspec:\n  selfSigned: {}<\/code><\/pre>\n\n\n\n<p>Step 3: issue the CA certificate (in the application namespace, for that namespace's own use). <code>isCA: true<\/code> makes cert-manager set the CA basic constraint and key usages, and the resulting Secret holds the CA key and certificate. Give the CA a lifetime well beyond that of the leaf certificates: without <code>duration<\/code> it gets the same 90-day default as a leaf, and leaf certificates already signed by the old CA are not reissued automatically when the CA rotates:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: foobar-ca\nspec:\n  isCA: true\n  commonName: \"FooBar CA\"\n  secretName: foobar-ca\n  duration: 43800h # 5y; the default would be 90d\n  issuerRef:\n    name: foobar-selfsigned\n    kind: ClusterIssuer\n    group: cert-manager.io<\/code><\/pre>\n\n\n\n<p>Step 4: create the CA Issuer (namespaced, for the application namespace's own use). It signs with the key stored in the Secret from step 3:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: cert-manager.io\/v1\nkind: Issuer\nmetadata:\n  name: foobar-ca\nspec:\n  ca:\n    secretName: foobar-ca<\/code><\/pre>\n\n\n\n<p>Step 5: generate a random JKS password (application namespace). cert-manager reads the password from a Secret and uses it to protect the keystore and truststore it generates. This manifest is a Helm template: Sprig's <code>uuidv4<\/code> produces the value and <code>b64enc<\/code> base64-encodes it, as <code>data<\/code> requires. Because the template is re-rendered on every <code>helm upgrade<\/code>, the password changes on every upgrade.<\/p>\n\n\n\n<p>NOTE: if you do not need JKS, skip this step.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: Secret\nmetadata:\n  name: foobar-jks-password\ndata:\n  Password: {{ uuidv4 | b64enc }}<\/code><\/pre>\n\n\n\n<p>Step 6: use the CA Issuer to issue the application certificates (application namespace): one server certificate and one client certificate. In the <code>cert-manager.io\/v1<\/code> schema the key parameters live under <code>privateKey<\/code>. The server certificate carries its host name in <code>dnsNames<\/code>, because most TLS clients no longer match on the Common Name, and the <code>usages<\/code> mark each certificate for its role in the mTLS handshake:<\/p>\n\n\n\n<p>NOTE: if you do not need JKS, omit the <code>keystores<\/code> section.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>---\napiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: foobar-server\nspec:\n  secretName: foobar-server\n  duration: 2160h # 90d\n  renewBefore: 360h # 15d\n  privateKey:\n    algorithm: RSA\n    size: 2048\n    encoding: PKCS1\n  commonName: server.foobar.com\n  dnsNames:\n    - server.foobar.com\n  usages:\n    - digital signature\n    - key encipherment\n    - server auth\n  keystores:\n    jks:\n      create: true\n      passwordSecretRef:\n        name: foobar-jks-password\n        key: Password\n  issuerRef:\n    name: foobar-ca\n    kind: Issuer\n    group: cert-manager.io\n---\napiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: foobar-client\nspec:\n  secretName: foobar-client\n  duration: 2160h # 90d\n  renewBefore: 360h # 15d\n  privateKey:\n    algorithm: RSA\n    size: 2048\n    encoding: PKCS1\n  commonName: \"FooBar Client\"\n  usages:\n    - digital signature\n    - key encipherment\n    - client auth\n  keystores:\n    jks:\n      create: true\n      passwordSecretRef:\n        name: foobar-jks-password\n        key: Password\n  issuerRef:\n    name: foobar-ca\n    kind: Issuer\n    group: cert-manager.io<\/code><\/pre>\n\n\n\n<p>The generated Secrets <code>foobar-server<\/code> and <code>foobar-client<\/code> contain the following keys:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>tls.key &#8211; the certificate's private key<\/li><li>tls.crt &#8211; the certificate<\/li><li>ca.crt &#8211; the issuing CA certificate<\/li><li>keystore.jks &#8211; tls.key and tls.crt as a Java keystore (only with <code>keystores.jks<\/code>)<\/li><li>truststore.jks &#8211; ca.crt as a Java truststore (only with <code>keystores.jks<\/code>)<\/li><\/ul>\n\n\n\n<p>Step 7: mount the issued certificates into the application. The server Deployment mounts the server Secret; the Ingress uses the client Secret to authenticate to that backend and a separate certificate of its own toward browsers:<\/p>\n\n\n\n<p>Example 1 &#8211; Server Deployment (only the TLS-related fields are shown; <code>selector<\/code>, the pod labels and <code>image<\/code> are the minimum the API requires). Kubernetes refreshes the mounted files when cert-manager renews the Secret, but a JVM normally loads its keystore once at startup, so the application has to re-read the files or be restarted for a renewed certificate to take effect:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: foobar-server\nspec:\n  selector:\n    matchLabels:\n      app: foobar-server\n  template:\n    metadata:\n      labels:\n        app: foobar-server\n    spec:\n      containers:\n        - name: foobar-server\n          image: &lt;server image>\n          volumeMounts:\n            - name: tls\n              mountPath: \/var\/ssl\/private\n              readOnly: true\n      volumes:\n        - name: tls\n          secret:\n            secretName: foobar-server\n            items:\n              - key: truststore.jks\n                path: foobar-truststore.jks\n              - key: keystore.jks\n                path: foobar-keystore.jks\n...<\/code><\/pre>\n\n\n\n<p>Example 2 &#8211; Ingress Client. ingress-nginx terminates TLS toward the browser with its own frontend certificate and requires the browser to present a client certificate that chains to the CA in the referenced Secret (<code>auth-tls-*<\/code>). Toward the backend it re-encrypts, presents the <code>tls.crt<\/code>\/<code>tls.key<\/code> of <code>foobar-client<\/code>, and verifies the server against the <code>ca.crt<\/code> in that same Secret (<code>proxy-ssl-*<\/code>); <code>backend-protocol: HTTPS<\/code> is what makes nginx speak TLS to the upstream at all, and <code>proxy-ssl-name<\/code> is the name it checks against the server certificate. Both <code>auth-tls-secret<\/code> and <code>proxy-ssl-secret<\/code> take a <code>namespace\/name<\/code> reference, and every annotation value must be a string (<code>\"2\"<\/code>, not <code>2<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: networking.k8s.io\/v1beta1\nkind: Ingress\nmetadata:\n  name: foobar-ingress\n  annotations:\n    kubernetes.io\/ingress.class: nginx\n\n    # enable mTLS for frontend: browsers must present a certificate\n    # chaining to the ca.crt of the referenced Secret\n    nginx.ingress.kubernetes.io\/auth-tls-verify-client: \"on\"\n    nginx.ingress.kubernetes.io\/auth-tls-verify-depth: \"2\"\n    nginx.ingress.kubernetes.io\/auth-tls-pass-certificate-to-upstream: \"false\"\n    # read the ca.crt part of the certificate (namespace\/name)\n    nginx.ingress.kubernetes.io\/auth-tls-secret: &lt;namespace>\/&lt;another certificate for frontend>\n\n    # enable mTLS for backend: speak TLS to the upstream, present tls.crt\/tls.key\n    # of foobar-client, verify the upstream against its ca.crt\n    nginx.ingress.kubernetes.io\/backend-protocol: \"HTTPS\"\n    nginx.ingress.kubernetes.io\/proxy-ssl-verify: \"on\"\n    nginx.ingress.kubernetes.io\/proxy-ssl-secret: &lt;namespace>\/foobar-client\n    # name checked against the server certificate and sent as SNI\n    nginx.ingress.kubernetes.io\/proxy-ssl-name: server.foobar.com\n    nginx.ingress.kubernetes.io\/proxy-ssl-server-name: \"on\"\nspec:\n  rules:\n    - host: server.foobar.com\n      http:\n        paths:\n          - path: \/xxx\n            backend:\n              serviceName: foobar-app\n              servicePort: xxx\n  tls:\n    - hosts:\n        - server.foobar.com\n      # read the tls.key and tls.crt parts of the certificate\n      secretName: &lt;another certificate for frontend>\n...<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Step 1: install cert-manager: https:\/\/cert-manager.io\/docs\/instal &hellip; <a href=\"https:\/\/blog.axqd.net\/?p=1150\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\">\u201cPrivate CA 
for mTLS with cert-manager\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[208,206,209,210],"class_list":["post-1150","post","type-post","status-publish","format-standard","hentry","category-tech","tag-cert-manager","tag-kubernetes","tag-mtls","tag-nginx-ingress-controller"],"_links":{"self":[{"href":"https:\/\/blog.axqd.net\/index.php?rest_route=\/wp\/v2\/posts\/1150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.axqd.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.axqd.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.axqd.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.axqd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1150"}],"version-history":[{"count":3,"href":"https:\/\/blog.axqd.net\/index.php?rest_route=\/wp\/v2\/posts\/1150\/revisions"}],"predecessor-version":[{"id":1153,"href":"https:\/\/blog.axqd.net\/index.php?rest_route=\/wp\/v2\/posts\/1150\/revisions\/1153"}],"wp:attachment":[{"href":"https:\/\/blog.axqd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.axqd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.axqd.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}