概述
在多 Kubernetes 集群环境中,采用泛域名证书管理是一种有效策略。通过申请一个泛域名证书,你能够为同一根域名下的多个子域名提供安全的通信。使用泛域名证书(Wildcard Certificate)和 HashiCorp Vault 对于在多个 Kubernetes 集群中有效地管理证书是一个有效的策略。
下面是一个简单的流程概述:
- 申请泛域名证书: 你只需为同一根域名申请一个泛域名证书,该证书可以用于覆盖多个子域名。这可以减少证书的数量和管理成本。
- 保存证书到 Vault KV 引擎: 将证书保存到 HashiCorp Vault 中的 Key-Value 引擎。Vault 可以用作安全的中央存储,确保证书的安全性。
- 将证书分发到各个 Kubernetes 集群的 master 节点的 /etc/ssl/ 目录。
- 在每个集群中使用/etc/ssl/ 目录的证书文件生成 Kubernetes Secret
Demo示例
项目 | 服务提供商 | 用途/环境 | 备注 |
云服务账号 | AWS | 通用 | 云主机 |
域名 | xx云 | 安全环境 | onwalk.net |
云DNS服务 | 阿里云 | 域名解析 | 使用xx云的SaaS服务 |
配置仓库
- IAC_code: https://github.com/svc-design/iac_modules.git
- Playbook:https://github.com/svc-design/playbook.git
- PipeLine : https://github.com/open-source-solution-design/Modern-Container-Application-Reference-Architecture.git
部署vault server
以K3S部署环境,使用 onwalk.net 为例,提前申请好的SSL证书放入部署vault server 环境的节点:
- /etc/ssl/onwalk.net.key
- /etc/ssl/onwalk.net.pem
执行shell命令,使用 helm 完成 vault server 的部署
cat > vaules.yaml << EOF
server:
ingress:
enabled: true
ingressClassName: "nginx"
hosts:
- host: vault.onwalk.net
paths:
- /
tls:
- secretName: vault-tls
hosts:
- vault.onwalk.net
EOF
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo up
kubectl create ns vault || echo true
kubectl create secret tls vault-tls --key=/etc/ssl/onwalk.net.key --cert=/etc/ssl/onwalk.net.pem -n vault
helm upgrade --install vault-server hashicorp/vault -n vault --create-namespace -f vaules.yaml
初始化 vault server
1.Vault部署完成后,需要对Vault服务进行初始化, 执行命令
kubectl exec -t -i vault-server-0 -n vault -- sh -c "vault operator init -key-shares=5 -key-threshold=3"
2.记录下返回的密钥, 需要严格私密保存,建议多人分开保存(下面示例key已经作废)
Unseal Key 1: jHeA/olf6URrxshlYqceyuRy8NMx8ICVWaolxfSnRvi+
Unseal Key 2: iAozcZmwczQpkoRwWUm7UO2yi2Ou0dtmsWREyXGaqiIH
Unseal Key 3: 28XG9Gmk/GN3rBJtNhK97dmlLY9jWO9VINAFY+d4lJZe
Unseal Key 4: U4/sW5k+FkIrgnHdBxZUnlg+SU7VRArKkb2Yfjx3qBjz
Unseal Key 5: LN3bp6kkwkeoYCoE7DZ7Y7QQCZPQ7N6NjsIo2PquwgUD
Initial Root Token: s.KJmwUJcHJMF6cUNwhJQpAaAY
当vault服务启动时,它开始是密封(sealed)的状态,需要使用Unseal Key 1-5中的任意3个进行解封(Unsealing )操作,解封后才能vault进行交互。例如认证、管理挂载表,读取等,
3.解封操作,执行命令: kubectl exec -t -i vault-server-0 -n vault -- sh
- 第一次解封:vault operator unseal jHeA/olf6URrxshlYqceyuRy8NMx8ICVWaolxfSnRvi+
- 第二次解封:vault operator unseal iAozcZmwczQpkoRwWUm7UO2yi2Ou0dtmsWREyXGaqiIH
- 第三次解封:vault operator unseal U4/sW5k+FkIrgnHdBxZUnlg+SU7VRArKkb2Yfjx3qBjz
- 此时检查vault 服务运行状态,执行命令: kubectl get pods -n vault
NAME READY STATUS RESTARTS AGE
vault-server-agent-injector-59bd55cb5f-kdcr4 1/1 Running 0 25m
vault-server-0 1/1 Running 0 17m
- 登陆Vault UI,确认服务可用
使用 CI pipeline 管理证书
创建一个 GitHub Actions pipeline
使用 ACME 协议从 Let's Encrypt 申请证书,并将结果保存在 Vault Server 中,然后应用集群配置 CertManager 以从 Vault 读取证书,你可以按照以下步骤构建你的 workflow:
- 创建 GitHub Repository Secret:
- 在你的 GitHub 仓库中,添加必要的 Secrets,比如
VAULT_TOKEN
和VAULT_URL
,以安全地与 Vault 交互。
- 设置 GitHub Actions Workflow:
- 在你的 GitHub 仓库中创建一个
.github/workflows
目录。 - 创建一个新的 YAML 文件,比如
cert-renewal.yml
。
- 编写 Workflow:
- 使用适当的 runner(例如
ubuntu-latest
)。 - 确保你有 ACME 客户端,比如 Certbot,安装在 runner 上。
- 编写步骤以使用 ACME 协议申请证书。
- 申请 Let's Encrypt 证书并保存到 Vault
示例 cert-renewal.yml
:
open-source-solution-design/Modern-Container-Application-Reference-Architecture/.github/workflows/cert-renewal.yml
name: Renew SSL Certs
on:
pull_request:
push:
paths:
- '.github/workflows/app-pipeline-renew-ssl-cert.yml'
workflow_dispatch:
branches:
- main
schedule:
- cron: '0 0 1 */2 *' # 每两个月的第一天执行
jobs:
renew-ssl-certs:
uses: open-source-solution-design/Modern-Container-Application-Reference-Architecture/.github/workflows/use-renew-ssl-certs.yml@main
with:
domain: 'onwalk.net'
secrets:
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
open-source-solution-design/Modern-Container-Application-Reference-Architecture/.github/workflows/use-renew-ssl-certs.yml
name: Workflow Call Renew SSL Certs
on:
workflow_call:
inputs:
domain:
required: true
type: string
secrets:
DNS_AK:
required: true
DNS_SK:
required: true
VAULT_URL:
required: true
VAULT_TOKEN:
required: true
jobs:
renew-ssl-certs:
runs-on: ubuntu-latest
env:
DOMAIN: ${{ inputs.domain }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
submodules: 'recursive'
- name: Pre Setup
run: |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install vault -y
- name: Renew SSL Cert
run: |
set -x
# 检查参数是否为空
check_not_empty() {
if [[ -z $1 ]]; then
echo "Error: $2 is empty. Please provide a value."
exit 1
fi
}
# 检查参数是否为空
check_not_empty "$DNS_AK" "DNS_AK" && export Ali_Key=$DNS_AK
check_not_empty "$DNS_SK" "DNS_SK" && export Ali_Secret=$DNS_SK
check_not_empty "$VAULT_URL" "VAULT_URL"
rm -fv ${DOMAIN}.key ${DOMAIN}.pem -f
rm -fv /etc/ssl/${DOMAIN}.* -f
# Try to issue a certificate from ZeroSSL. If it fails, try Let's Encrypt.
curl https://get.acme.sh | sh -s email=156405189@qq.com
sh ~/.acme.sh/acme.sh --set-default-ca --server zerossl --issue --force --dns dns_ali -d ${DOMAIN} -d "*.${DOMAIN}"
if [ $? -eq 0 ]; then
echo "Certificate from letsencrypt successfully issued"
else
sh ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --issue --force --dns dns_ali -d ${DOMAIN} -d "*.${DOMAIN}"
if [ $? -eq 0 ]; then
echo "Certificate from zerossl successfully issued"
else
echo "Command failed"
exit 1
fi
fi
cat ~/.acme.sh/${DOMAIN}_ecc/${DOMAIN}.cer > ${DOMAIN}.pem
cat ~/.acme.sh/${DOMAIN}_ecc/ca.cer >> ${DOMAIN}.pem
cat ~/.acme.sh/${DOMAIN}_ecc/${DOMAIN}.key > ${DOMAIN}.key
sudo cp ${DOMAIN}.pem /etc/ssl/ -f && sudo cp ${DOMAIN}.key /etc/ssl/ -f
- name: Write certificate into Vault Server
run: |
export VAULT_ADDR=${VAULT_URL}
export CERT_PATH="certs/${DOMAIN}"
# Write Certificate and Private Key to Vault
vault login ${VAULT_TOKEN}
vault secrets enable -path=certs kv || true
vault kv put ${CERT_PATH} \
certificate=@/etc/ssl/${DOMAIN}.pem \
private_key=@/etc/ssl/${DOMAIN}.key
echo "Certificate and private key written to Vault at path: ${CERT_PATH}"
至此,已经完成SSL Certs 申请的自动化,每两个月执行一次,确保Vault中永远存储有效的证书。
流水线执行成功后,登录 Vault UI 已经看到域名证书已经保存
应用集群侧配置
将证书分到到应用集群中
接下来的的工作就是,如何在IAC流水线中,集成Vault 操作,读取域名证书并写入集群master节点 /etc/ssl/ 目录
- playbook/roles/cert-manager/tasks/main.yml
- name: Fetch Certificate and Private Key from Vault
script: files/get_certificate.sh {{ domain }} {{ vault_url }} {{ vault_token }}
when: (inventory_hostname in groups[group]) and (vault == true)
- playbook/roles/cert-manager/files/get_certificate.sh
#!/bin/bash
sudo apt-get update
sudo apt install -y software-properties-common
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null
sudo apt-get update
sudo apt-get install -y python3-pip jq vault
check_empty() {
if [ -z "$1" ]; then
echo "$2"
exit 1
fi
}
check_empty "$1" "Please provide DOMAIN" && DOMAIN=$1
check_empty "$2" "Please provide VAULT_ADDR" && VAULT_ADDR=$2
check_empty "$3" "Please provide VAULT_TOKEN" && VAULT_TOKEN=$3
SECRET_PATH="certs/$DOMAIN"
# Output paths
CERTIFICATE_PATH="/etc/ssl/${DOMAIN}.pem"
PRIVATE_KEY_PATH="/etc/ssl/${DOMAIN}.key"
vault login
# Read certificate from Vault
vault kv get -field=certificate certs/${DOMAIN} > "$CERTIFICATE_PATH"
# Read private key from Vault
vault kv get -field=private_key certs/${DOMAIN} > "$PRIVATE_KEY_PATH"
# Set permissions for the private key (modify as needed)
chmod 600 "$PRIVATE_KEY_PATH"
# Check if certificate and private key files are non-empty
if [ ! -s "$CERTIFICATE_PATH" ] || [ ! -s "$PRIVATE_KEY_PATH" ]; then
echo "Certificate or private key is empty. Exiting..."
exit 1
else
echo "Certificate and private key have been written to $CERTIFICATE_PATH and $PRIVATE_KEY_PATH"
验证 SSL 证书
登陆节点,执行命令:cat /etc/ssl/<domain_name>.* 验证分发的证书
验证 Secret
可以使用以下命令检查 Secret:
kubectl get secret my-cert-secret -o yaml
最后使用Curl 命令验证使用和证书的服务或者API接口否生效
curl https://your_svc.com
总结
通过以上步骤,你可以建立一个自动化流程,通过 GitHub Actions 自动续订 Let's Encrypt 证书,将其存储在 Vault 中,并更新 Kubernetes 集群的 CertManager 配置以使用这些证书。请注意,这里的示例可能需要根据你的环境和需求进行调整。在部署到生产环境之前,请确保对配置进行充分测试。