U1.52 Ubuntu Quick Start (QS): RabbitMq Kubernetes cluster with cert manager - chempkovsky/CS2WPF-and-CS2XAMARIN GitHub Wiki
- read the article Welcome to cert-manager
- read the article Installing cert-manager with regular manifests
- we continue to work with the Kubernetes cluster prepared in the article
- and in the article
- go to cert-manager releases
- click latest. In our case it is v1.6.1
- copy the link for cert-manager.yaml. In our case it is
  https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
- for u2004s01
```
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
```
- read the article Secrets
- read the article Service account token Secrets
- for u2004s01
```
yury@u2004s01:~$ kubectl get serviceaccounts -n cert-manager
NAME                      SECRETS   AGE
cert-manager              1         7m50s
cert-manager-cainjector   1         7m50s
cert-manager-webhook      1         7m50s
default                   1         7m50s
yury@u2004s01:~$ kubectl get secrets -n cert-manager -o wide
NAME                                  TYPE                                  DATA   AGE
cert-manager-cainjector-token-x6btb   kubernetes.io/service-account-token   3      2m22s
cert-manager-token-rwd2z              kubernetes.io/service-account-token   3      2m22s
cert-manager-webhook-ca               Opaque                                3      112s
cert-manager-webhook-token-8m5wq      kubernetes.io/service-account-token   3      2m22s
default-token-zlbdv                   kubernetes.io/service-account-token   3      2m22s
```
- for u2004s01
```
kubectl get secret cert-manager-cainjector-token-x6btb -n cert-manager -o yaml > cert-manager-cainjector-token-x6btb.yaml
kubectl get secret cert-manager-token-rwd2z -n cert-manager -o yaml > cert-manager-token-rwd2z.yaml
kubectl get secret cert-manager-webhook-ca -n cert-manager -o yaml > cert-manager-webhook-ca.yaml
kubectl get secret cert-manager-webhook-token-8m5wq -n cert-manager -o yaml > cert-manager-webhook-token-8m5wq.yaml
kubectl get secret cert-manager-cainjector-token-x6btb -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > cert-manager-cainjector-token-x6btb.crt
kubectl get secret cert-manager-token-rwd2z -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > cert-manager-token-rwd2z.crt
kubectl get secret cert-manager-webhook-ca -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > cert-manager-webhook-ca.crt
kubectl get secret cert-manager-webhook-token-8m5wq -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > cert-manager-webhook-token-8m5wq.crt
cat cert-manager-webhook-ca.crt
cat cert-manager-webhook-token-8m5wq.crt
cat cert-manager-token-rwd2z.crt
cat cert-manager-cainjector-token-x6btb.crt
cat /etc/kubernetes/pki/ca.crt
```
- Note: cert-manager-webhook-token-8m5wq.crt == cert-manager-token-rwd2z.crt == cert-manager-cainjector-token-x6btb.crt == /etc/kubernetes/pki/ca.crt. The ca.crt in every service-account-token secret is the cluster CA; only cert-manager-webhook-ca.crt differs, because it is a separate self-signed CA that cert-manager creates for its own webhook (see the openssl output below: Issuer and Subject are both CN = cert-manager-webhook-ca).
- read the article Certificate Management with kubeadm
- read the article Webhook
- for u2004s01
```
yury@u2004s01:~/chck$ openssl x509 -noout -text -in cert-manager-webhook-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:a5:88:a3:4c:61:da:d6:e3:45:4e:ca:cc:60:b9:ef
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = cert-manager-webhook-ca
        Validity
            Not Before: Jan 11 13:19:56 2022 GMT
            Not After : Jan 11 13:19:56 2023 GMT
        Subject: CN = cert-manager-webhook-ca
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:b4:56:87:69:ac:a7:22:5c:0e:9a:3a:7c:4c:53:
                    81:f0:1d:2b:5b:95:d2:4c:72:ab:62:4b:da:f2:2e:
                    de:11:e3:50:e1:3b:e4:8a:50:2c:1a:0f:eb:b3:b7:
                    83:a9:39:91:75:88:ae:0a:03:98:c1:51:15:21:0e:
                    ca:b8:c8:59:d8:1c:08:9b:e8:f4:b3:e7:80:44:33:
                    07:91:9e:8f:d4:75:50:60:9c:c7:67:19:7d:c6:b7:
                    fa:92:3c:fe:98:15:09
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                33:A9:67:22:FA:5C:D3:D0:F6:4F:B4:FA:F5:4F:36:DE:63:8E:21:F2
    Signature Algorithm: ecdsa-with-SHA384
         30:64:02:30:07:e6:c7:3c:0b:da:c7:aa:e0:3e:c3:60:65:f4:
         aa:ff:4f:b1:d8:bb:4a:6d:cd:da:24:67:ae:a6:a1:7b:20:46:
         ea:47:be:49:94:e8:23:6c:1d:e2:75:c9:55:6c:d7:43:02:30:
         40:57:c9:34:dd:66:26:d9:af:a5:51:be:e7:82:5f:9d:28:ff:
         74:72:fa:5d:02:18:1a:04:47:b1:28:dc:00:1b:ba:69:85:d7:
         42:31:b2:70:74:0c:69:91:f3:83:36:aa
```
- for u2004s01
```
rm cert-manager-webhook-ca.crt
rm cert-manager-webhook-token-8m5wq.crt
rm cert-manager-token-rwd2z.crt
rm cert-manager-cainjector-token-x6btb.crt
rm cert-manager-webhook-ca.yaml
rm cert-manager-webhook-token-8m5wq.yaml
rm cert-manager-token-rwd2z.yaml
rm cert-manager-cainjector-token-x6btb.yaml
```
- the latest version of hello-world-cluster was created in step Recreate RabbitMQ cluster
- to delete hello-world-cluster
- for u2004s01
```
yury@u2004s01:~$ kubectl delete -f- <<EOF
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: hello-world
  namespace: hello-world-cluster-namespace
  annotations:
    rabbitmq.com/topology-allowed-namespaces: "default,hello-world-queue1-namespace,hello-world-queue2-namespace"
spec:
  replicas: 2
  tls:
    secretName: hello-world-tls-secret
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/hostname
            operator: In
            values:
            - u2004s02
            - u2004s03
  persistence:
    storageClassName: second-local-path
    storage: 5Gi
  resources:
    requests:
      cpu: 100m
      memory: 2Gi
    limits:
      cpu: 100m
      memory: 2Gi
EOF
yury@u2004s01:~$ kubectl delete secret hello-world-tls-secret -n hello-world-cluster-namespace
yury@u2004s01:~$ kubectl get namespace
NAME                              STATUS   AGE
default                           Active   11d
first-local-path-storage          Active   11d
hello-world-cluster-namespace     Active   6d19h
kube-node-lease                   Active   11d
kube-public                       Active   11d
kube-system                       Active   11d
portainer                         Active   11d
second-local-path-storage         Active   11d
yury@u2004s01:~$ kubectl delete namespace hello-world-cluster-namespace
```
- To deploy the hello-world cluster we need the hello-world-tls-secret secret.
- To deploy the hello-world-tls-secret secret we need a CA Issuer.
- To deploy the CA Issuer
  - we need tls.crt and tls.key. Read the article Deployment
  - OR we need a SelfSigned Issuer. Read the article Bootstrapping CA Issuers
- It is possible to deploy the SelfSigned Issuer
  - in the same namespace as the hello-world cluster (as an Issuer)
  - in the Cluster Resource Namespace (as a ClusterIssuer, which is what we do next)
- for u2004s01
```
kubectl apply -f- <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
EOF
yury@u2004s01:~$ kubectl get ClusterIssuer
NAME                        READY   AGE
selfsigned-cluster-issuer   True    22s
```
- for u2004s01
```
kubectl apply -f- <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: hello-world-cluster-namespace
EOF
yury@u2004s01:~$ kubectl get ns hello-world-cluster-namespace
NAME                            STATUS   AGE
hello-world-cluster-namespace   Active   35s
```
- for u2004s01
```
kubectl apply -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-world-selfsigned-ca
  namespace: hello-world-cluster-namespace
spec:
  isCA: true
  commonName: hello-world-root-cmnm
  secretName: hello-world-root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
yury@u2004s01:~$ kubectl get certificate -n hello-world-cluster-namespace
NAME                        READY   SECRET                    AGE
hello-world-selfsigned-ca   True    hello-world-root-secret   12s
```
- for u2004s01
```
kubectl apply -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: hello-world-ca-issuer
  namespace: hello-world-cluster-namespace
spec:
  ca:
    secretName: hello-world-root-secret
EOF
yury@u2004s01:~$ kubectl get issuer -n hello-world-cluster-namespace
NAME                    READY   AGE
hello-world-ca-issuer   True    29s
```
- read the article TLS Example
- read the article mTLS Example
- for u2004s01
```
kubectl apply -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-world-tls-certificate
  namespace: hello-world-cluster-namespace
spec:
  secretName: hello-world-tls-secret
  dnsNames:
  - "hello-world.hello-world-cluster-namespace.svc.testcluster.local"
  - "hello-world-server-0.hello-world-nodes.hello-world-cluster-namespace.svc.testcluster.local"
  - "hello-world-server-1.hello-world-nodes.hello-world-cluster-namespace.svc.testcluster.local"
  issuerRef:
    kind: Issuer
    name: hello-world-ca-issuer
    group: cert-manager.io
EOF
yury@u2004s01:~$ kubectl get certificate -n hello-world-cluster-namespace
NAME                          READY   SECRET                    AGE
hello-world-selfsigned-ca     True    hello-world-root-secret   3m55s
hello-world-tls-certificate   True    hello-world-tls-secret    14s
```
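- READY=True only tells us that cert-manager wrote something into hello-world-tls-secret. Before the RabbitmqCluster consumes it, it is worth checking that the tls.crt in the secret really chains to the ca.crt stored beside it (the CA issuer puts both there), that it is not expired, and that its subjectAltName lists every name RabbitMQ clients and peers will connect to. The script below is an added example, not code from this wiki, from cert-manager or from the RabbitMQ operator. It assumes openssl on PATH (plus kubectl for check_tls_secret); the function names verify_leaf, check_tls_secret and demo_verify are our own, the three DNS names are the dnsNames from the Certificate above, and demo_verify fabricates a throwaway EC P-256 root and leaf (constructed test data) so the check can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not part of the wiki: verify a cert-manager issued
# kubernetes.io/tls secret before a RabbitmqCluster is pointed at it.
# Assumes openssl (and, for check_tls_secret, kubectl) on PATH.

# dnsNames from the wiki's hello-world-tls-certificate
SVC_NAME="hello-world.hello-world-cluster-namespace.svc.testcluster.local"
NODE0_NAME="hello-world-server-0.hello-world-nodes.hello-world-cluster-namespace.svc.testcluster.local"
NODE1_NAME="hello-world-server-1.hello-world-nodes.hello-world-cluster-namespace.svc.testcluster.local"

# verify_leaf CA_FILE LEAF_FILE DNSNAME...
# Returns 0 only if LEAF chains to CA, is still within its validity period,
# and its subjectAltName contains every DNSNAME as an exact entry.
verify_leaf() {
  ca="$1"; leaf="$2"; shift 2
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "chain: $leaf does not verify against $ca"; return 1; }
  openssl x509 -noout -checkend 0 -in "$leaf" >/dev/null \
    || { echo "expiry: $leaf has expired"; return 1; }
  # One SAN per line, e.g. "DNS:hello-world.hello-world-cluster-namespace.svc.testcluster.local"
  sans=$(openssl x509 -noout -text -in "$leaf" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  for name in "$@"; do
    # -x: whole-line match, so a shorter name that is merely a prefix does not pass
    printf '%s\n' "$sans" | grep -qxF "DNS:$name" \
      || { echo "san: $name missing from $leaf"; return 1; }
  done
  echo "ok: $leaf chains to $ca and covers $# DNS name(s)"
  return 0
}

# check_tls_secret NAMESPACE SECRET DNSNAME...
# Pulls ca.crt and tls.crt out of the secret cert-manager wrote and checks them.
check_tls_secret() {
  ns="$1"; secret="$2"; shift 2
  dir=$(mktemp -d)
  kubectl get secret "$secret" -n "$ns" -o jsonpath="{.data['ca\.crt']}"  | base64 --decode > "$dir/ca.crt"
  kubectl get secret "$secret" -n "$ns" -o jsonpath="{.data['tls\.crt']}" | base64 --decode > "$dir/tls.crt"
  verify_leaf "$dir/ca.crt" "$dir/tls.crt" "$@"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# demo_verify DNSNAME...
# Offline stand-in for the cluster: builds a throwaway EC P-256 root (same key
# type as hello-world-selfsigned-ca) and a leaf whose SANs are SVC_NAME and
# NODE0_NAME only, then runs verify_leaf for the names given. Constructed data.
demo_verify() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=demo-root" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=hello-world" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$SVC_NAME" "$NODE0_NAME" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
  verify_leaf "$dir/ca.crt" "$dir/leaf.crt" "$@"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Against the wiki's cluster you would run:
#   check_tls_secret hello-world-cluster-namespace hello-world-tls-secret "$SVC_NAME" "$NODE0_NAME" "$NODE1_NAME"
# Offline: the first call passes, the second fails because the demo leaf lacks the server-1 name.
demo_verify "$SVC_NAME" "$NODE0_NAME" || echo "unexpected failure"
demo_verify "$SVC_NAME" "$NODE0_NAME" "$NODE1_NAME" || echo "expected failure: server-1 name is not in the demo leaf"
```

Run check_tls_secret again after every renewal or after changing replicas: a third RabbitMQ node would be addressed as hello-world-server-2 and would not be covered by this certificate until the dnsNames list is extended.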
- for u2004s01
```
kubectl apply -f- <<EOF
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: hello-world
  namespace: hello-world-cluster-namespace
  annotations:
    rabbitmq.com/topology-allowed-namespaces: "default,hello-world-queue1-namespace,hello-world-queue2-namespace"
spec:
  replicas: 2
  tls:
    secretName: hello-world-tls-secret
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/hostname
            operator: In
            values:
            - u2004s02
            - u2004s03
  persistence:
    storageClassName: second-local-path
    storage: 5Gi
  resources:
    requests:
      cpu: 100m
      memory: 2Gi
    limits:
      cpu: 100m
      memory: 2Gi
EOF
yury@u2004s01:~$ kubectl get pods -n hello-world-cluster-namespace -o wide
NAME                   READY   STATUS    RESTARTS   AGE    IP             NODE       NOMINATED NODE   READINESS GATES
hello-world-server-0   1/1     Running   0          5m3s   10.32.27.218   u2004s02   <none>           <none>
hello-world-server-1   1/1     Running   0          5m3s   10.32.105.45   u2004s03   <none>           <none>
```
- To delete the cluster we have to run the following (for u2004s01)
```
kubectl delete -f- <<EOF
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: hello-world
  namespace: hello-world-cluster-namespace
  annotations:
    rabbitmq.com/topology-allowed-namespaces: "default,hello-world-queue1-namespace,hello-world-queue2-namespace"
spec:
  replicas: 2
  tls:
    secretName: hello-world-tls-secret
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/hostname
            operator: In
            values:
            - u2004s02
            - u2004s03
  persistence:
    storageClassName: second-local-path
    storage: 5Gi
  resources:
    requests:
      cpu: 100m
      memory: 2Gi
    limits:
      cpu: 100m
      memory: 2Gi
EOF
kubectl delete -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-world-tls-certificate
  namespace: hello-world-cluster-namespace
spec:
  secretName: hello-world-tls-secret
  dnsNames:
  - "hello-world.hello-world-cluster-namespace.svc.testcluster.local"
  - "hello-world-server-0.hello-world-nodes.hello-world-cluster-namespace.svc.testcluster.local"
  - "hello-world-server-1.hello-world-nodes.hello-world-cluster-namespace.svc.testcluster.local"
  issuerRef:
    kind: Issuer
    name: hello-world-ca-issuer
    group: cert-manager.io
EOF
```
- Deleting a Certificate does not delete the Secret it issued (cert-manager leaves the key material in place), so the secret must be deleted with a separate command immediately after the deletion of the Certificate.
```
yury@u2004s01:~$ kubectl get certificates -n hello-world-cluster-namespace
NAME                        READY   SECRET                    AGE
hello-world-selfsigned-ca   True    hello-world-root-secret   36h
yury@u2004s01:~$ kubectl get secrets -n hello-world-cluster-namespace
NAME                      TYPE                                  DATA   AGE
default-token-ngdkh       kubernetes.io/service-account-token   3      38h
hello-world-root-secret   kubernetes.io/tls                     3      36h
hello-world-tls-secret    kubernetes.io/tls                     3      76s
yury@u2004s01:~$ kubectl delete secret hello-world-tls-secret -n hello-world-cluster-namespace
secret "hello-world-tls-secret" deleted
yury@u2004s01:~$ kubectl get secrets -n hello-world-cluster-namespace
NAME                      TYPE                                  DATA   AGE
default-token-ngdkh       kubernetes.io/service-account-token   3      38h
hello-world-root-secret   kubernetes.io/tls                     3      36h
```
```
kubectl delete -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: hello-world-ca-issuer
  namespace: hello-world-cluster-namespace
spec:
  ca:
    secretName: hello-world-root-secret
EOF
kubectl delete -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-world-selfsigned-ca
  namespace: hello-world-cluster-namespace
spec:
  isCA: true
  commonName: hello-world-root-cmnm
  secretName: hello-world-root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
yury@u2004s01:~$ kubectl get secret -n hello-world-cluster-namespace
NAME                      TYPE                                  DATA   AGE
default-token-ngdkh       kubernetes.io/service-account-token   3      42h
hello-world-root-secret   kubernetes.io/tls                     3      40h
yury@u2004s01:~$ kubectl delete secret hello-world-root-secret -n hello-world-cluster-namespace
secret "hello-world-root-secret" deleted
yury@u2004s01:~$ kubectl get configmap -n hello-world-cluster-namespace
NAME               DATA   AGE
kube-root-ca.crt   1      42h
yury@u2004s01:~$ kubectl delete configmap kube-root-ca.crt -n hello-world-cluster-namespace
configmap "kube-root-ca.crt" deleted
yury@u2004s01:~$ kubectl delete -f- <<EOF
> apiVersion: v1
> kind: Namespace
> metadata:
>   name: hello-world-cluster-namespace
> EOF
namespace "hello-world-cluster-namespace" deleted
kubectl delete -f- <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
EOF
```