# Cert-Manager certificate management in practice: automating TLS certificates

## Preface

Buddy, skip the fancy theory. Today we go straight to the main course: my real-world experience using Cert-Manager to manage TLS certificates on the front line at a big company. As a hardcore engineer who writes front-end code by day and plays drums by night, I hold certificate management to the same strict standard I hold a drum groove to.

## Background

Our team recently needed to automate the management of a large number of TLS certificates, to get rid of manual operations and certificate expiry. After a week of deployment and configuration we had full-lifecycle certificate management built on Cert-Manager, and certificate expiry risk dropped by 100%. Today I'm sharing the goods.

## Deploying Cert-Manager

### 1. Install Cert-Manager

Problem: how to install Cert-Manager on Kubernetes.

Solution: straight to the code.

```bash
# Install Cert-Manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

# Wait for the three deployments to become available
kubectl wait --for=condition=Available --timeout=300s -n cert-manager deployment/cert-manager
kubectl wait --for=condition=Available --timeout=300s -n cert-manager deployment/cert-manager-webhook
kubectl wait --for=condition=Available --timeout=300s -n cert-manager deployment/cert-manager-cainjector

# Verify the installation
kubectl get pods -n cert-manager

# Verify the CRDs
kubectl get crd | grep cert-manager
```

### 2. Configure an Issuer

Problem: how to configure a certificate authority.

Solution:

```yaml
# Let's Encrypt staging
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
---
# Let's Encrypt production
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      # HTTP-01 cannot validate wildcard names, so it carries no selector and
      # acts as the fallback for names outside example.com
      - http01:
          ingress:
            class: nginx
      # The dnsZones selector is more specific than a solver without one, so
      # every name under example.com (including *.example.com) uses DNS-01
      - dns01:
          route53:
            region: us-east-1
            hostedZoneID: Z1234567890ABC
            accessKeyIDSecretRef:
              name: route53-credentials
              key: access-key-id
            secretAccessKeySecretRef:
              name: route53-credentials
              key: secret-access-key
        selector:
          dnsZones:
            - example.com
```
## Certificate management

### 1. Automatic certificate issuance

Problem: how to issue certificates for an Ingress automatically.

Solution:

```yaml
# Automatic certificate issuance via Ingress annotations
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: music-app
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    acme.cert-manager.io/http01-edit-in-place: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - music-app.example.com
      secretName: music-app-tls
  rules:
    - host: music-app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: music-app
                port:
                  number: 80
```

### 2. Manual certificate creation

Problem: how to create and manage a certificate by hand.

Solution:

```yaml
# Manually created certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: music-app-cert
  namespace: default
spec:
  secretName: music-app-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - music-app.example.com
    - api.music-app.example.com
    - www.music-app.example.com
  usages:
    - digital signature
    - key encipherment
    - server auth
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  renewBefore: 720h
  duration: 2160h
```

## Advanced features

### 1. Wildcard certificates

Problem: how to request a wildcard certificate.

Solution:

```yaml
# Wildcard certificate (the name must be quoted: a bare "*" is YAML alias syntax)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: default
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.example.com"
    - example.com
---
# Using the wildcard certificate
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-app
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "*.example.com"
      secretName: wildcard-tls
  rules:
    - host: app1.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app1
                port:
                  number: 80
    - host: app2.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app2
                port:
                  number: 80
```
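A wildcard name covers exactly one DNS label, so `*.example.com` matches `app1.example.com` but neither `example.com` (which is why the Certificate above lists it separately) nor `a.b.example.com`. The following check, added here as an example and not code from the original post or from cert-manager, verifies that every TLS host an Ingress declares is covered by the `dnsNames` of the Certificate it points at, using the leftmost-label wildcard rule public CAs apply (RFC 6125 section 6.4.3). The input lists are constructed to mirror the `wildcard-cert` and `multi-app` manifests; no cluster access is needed.

```python
"""Check that an Ingress's TLS hosts are covered by a Certificate's dnsNames.

Added example, not part of the original post and not cert-manager code.
"""


def name_matches(pattern: str, host: str) -> bool:
    """Return True if `host` is covered by the SAN entry `pattern`.

    Leftmost-label wildcard rule (RFC 6125 6.4.3): '*.example.com' covers
    'app1.example.com' but neither 'example.com' nor 'a.b.example.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]          # the part the '*' stands for
    # exactly one non-empty label may replace the '*'
    return bool(leftmost) and "." not in leftmost


def uncovered_hosts(dns_names, tls_hosts):
    """Return the TLS hosts that no entry of dns_names covers (empty list = OK)."""
    return [h for h in tls_hosts if not any(name_matches(p, h) for p in dns_names)]


# Constructed inputs modelled on the wildcard-cert and multi-app manifests above
WILDCARD_CERT_DNS_NAMES = ["*.example.com", "example.com"]
MULTI_APP_HOSTS = ["app1.example.com", "app2.example.com"]

if __name__ == "__main__":
    missing = uncovered_hosts(WILDCARD_CERT_DNS_NAMES, MULTI_APP_HOSTS)
    print("uncovered hosts:", missing or "none")
```

Run it before applying a manifest change: an uncovered host is served with a certificate whose SAN list does not contain it, and browsers will refuse the connection even though the Ingress looks healthy.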
### 2. Certificate rotation

Problem: how to configure automatic certificate rotation.

Solution:

```yaml
# Certificate rotation settings
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: music-app-cert
  namespace: default
spec:
  secretName: music-app-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - music-app.example.com
  # Renew automatically 30 days before expiry
  renewBefore: 720h
  # 90-day certificate lifetime
  duration: 2160h
  # Generate a new private key on every renewal
  privateKey:
    rotationPolicy: Always
```

## Private CA

### 1. Create a private CA

Problem: how to create a private certificate authority.

Solution:

```yaml
# Self-signed Issuer used to bootstrap the CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: default
spec:
  selfSigned: {}
---
# The CA certificate itself
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ca-cert
  namespace: default
spec:
  isCA: true
  secretName: ca-secret
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
  commonName: My CA
  subject:
    organizations:
      - My Organization
---
# CA Issuer that signs with the CA key stored in ca-secret
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: default
spec:
  ca:
    secretName: ca-secret
```

### 2. Use the private CA

Problem: how to issue certificates from the private CA.

Solution:

```yaml
# Certificate signed by the private CA
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-cert
  namespace: default
spec:
  secretName: internal-tls
  issuerRef:
    name: ca-issuer
    kind: Issuer
  dnsNames:
    - internal-app.default.svc.cluster.local
    - internal-app
  usages:
    - server auth
    - client auth
```
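The `duration`/`renewBefore` pair in the rotation section above decides when cert-manager actually renews, and the arithmetic is worth seeing once. The script below is an added example, not cert-manager's own code. Two things in it are assumptions labelled as such: cert-manager's documented default of one third of the duration when `renewBefore` is unset, and the 90-day lifetime that Let's Encrypt issues regardless of a longer requested `duration` (passed in as `issuer_max_days` so it can be switched off for a private CA, which honours the requested duration). The `not_before` date is constructed.

```python
"""Compute when cert-manager will renew a Certificate from `duration` and
`renewBefore`, and reject the combination cert-manager's validation rejects.

Added example, not cert-manager code. Assumptions are marked in comments.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+)([hms])")


def parse_go_duration(text: str) -> timedelta:
    """Parse the Go-style duration strings cert-manager uses ('2160h', '720h', '1h30m')."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def is_valid_renewal_config(duration: str, renew_before: Optional[str]) -> bool:
    """cert-manager rejects a renewBefore that is not shorter than duration."""
    requested = parse_go_duration(duration)
    before = parse_go_duration(renew_before) if renew_before else requested / 3
    return before < requested


def renewal_plan(duration: str, renew_before: Optional[str], not_before: datetime,
                 issuer_max_days: Optional[int] = 90) -> dict:
    """Return the effective notAfter and the instant renewal is attempted."""
    if not is_valid_renewal_config(duration, renew_before):
        # otherwise the certificate would be due for renewal the moment it is issued
        raise ValueError("renewBefore must be shorter than duration")
    requested = parse_go_duration(duration)
    # assumption: renewBefore defaults to 1/3 of duration when the field is unset
    before = parse_go_duration(renew_before) if renew_before else requested / 3
    effective = requested
    if issuer_max_days is not None and requested > timedelta(days=issuer_max_days):
        # assumption: the ACME issuer (Let's Encrypt) caps the lifetime at 90 days
        effective = timedelta(days=issuer_max_days)
    not_after = not_before + effective
    return {
        "not_after": not_after,
        # renewal is measured from the certificate actually issued, so a capped
        # lifetime also shortens the gap between renewals
        "renew_at": not_after - before,
        "requested_days": requested.days,
        "effective_days": effective.days,
    }


# constructed issuance time for the worked example
EXAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = renewal_plan("2160h", "720h", EXAMPLE_NOT_BEFORE)
    print("notAfter:", plan["not_after"].isoformat(), "renew at:", plan["renew_at"].isoformat())
```

With the post's values (90-day duration, renew 30 days early) a certificate issued on 1 January is renewed on 1 March, which is also exactly what the default gives when `renewBefore` is omitted. Asking Let's Encrypt for `8760h` does not buy a one-year certificate: the issued lifetime stays at 90 days and the renewal schedule follows the issued certificate, not the requested one.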
## Monitoring and alerting

### 1. Certificate expiry monitoring

Problem: how to monitor certificate expiry.

Solution:

```yaml
# Prometheus alerting rules
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: cert-manager-alerts
  namespace: monitoring
spec:
  groups:
    - name: cert-manager
      rules:
        - alert: CertificateExpiringSoon
          expr: |
            certmanager_certificate_expiration_timestamp_seconds - time() < 86400 * 7
          for: 1h
          labels:
            severity: warning
          annotations:
            summary: "Certificate expiring soon"
            description: "Certificate {{ $labels.name }} expires in less than 7 days"
        - alert: CertificateExpired
          expr: |
            certmanager_certificate_expiration_timestamp_seconds - time() < 0
          for: 1h
          labels:
            severity: critical
          annotations:
            summary: "Certificate expired"
            description: "Certificate {{ $labels.name }} has expired"
        - alert: CertificateNotReady
          expr: |
            certmanager_certificate_ready_status{condition="False"} == 1
          for: 15m
          labels:
            severity: warning
          annotations:
            summary: "Certificate not ready"
            description: "Certificate {{ $labels.name }} is not ready"
```

## Best practices

- Certificate configuration: use the production Issuer; configure automatic renewal; set sensible expiry reminders.
- Security hardening: use strong key algorithms; rotate private keys regularly; restrict certificate usages.
- Monitoring and alerting: monitor certificate status; configure expiry alerts; review the configuration regularly.
- Backup and recovery: back up certificate Secrets; test the recovery procedure; document the operations.

## Common problems and solutions

### 1. Certificate issuance fails

Problem: the certificate is not issued automatically.

Solution: check the Issuer configuration; verify DNS resolution; inspect the Challenge status.

### 2. Certificate renewal fails

Problem: automatic renewal fails.

Solution: check the renewal settings; verify permissions; inspect the certificate status.

### 3. HTTP01 validation fails

Problem: HTTP01 validation does not pass.

Solution: check the Ingress configuration; verify network connectivity; review the Challenge logs.

### 4. DNS01 validation fails

Problem: DNS01 validation does not pass.

Solution: check the DNS provider configuration; verify API permissions; inspect the DNS records.
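To see what the three PrometheusRule expressions in the monitoring section actually fire on, the script below replays them over a handful of metric samples. It is an added example, not part of the original post and not cert-manager code; the sample lines are constructed in Prometheus text exposition format using the metric names cert-manager exports, and `NOW` is fixed so the result is reproducible offline. The `for:` hold times are deliberately not modelled: a condition true in a single scrape already counts as firing here.

```python
"""Replay the cert-manager alert rules over constructed metric samples.

Added example, not part of the original post and not cert-manager code.
"""
import re
from collections import defaultdict

SAMPLE_RE = re.compile(r'^(?P<name>[A-Za-z_:][\w:]*)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)$')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_metrics(text):
    """Yield (metric_name, labels, value) for each sample line; skip comments/blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sample: {line}")
        yield m.group("name"), dict(LABEL_RE.findall(m.group("labels"))), float(m.group("value"))


def evaluate_alerts(text, now, warn_days=7):
    """Return {certificate name: sorted alert names} mirroring the three rule expressions."""
    firing = defaultdict(set)
    for name, labels, value in parse_metrics(text):
        cert = labels.get("name", "<unknown>")
        if name == "certmanager_certificate_expiration_timestamp_seconds":
            remaining = value - now                      # seconds until notAfter
            if remaining < warn_days * 86400:            # ... - time() < 86400 * 7
                firing[cert].add("CertificateExpiringSoon")
            if remaining < 0:                            # ... - time() < 0
                firing[cert].add("CertificateExpired")
        elif (name == "certmanager_certificate_ready_status"
              and labels.get("condition") == "False" and value == 1):
            firing[cert].add("CertificateNotReady")      # ...{condition="False"} == 1
    return {c: sorted(a) for c, a in firing.items()}


NOW = 1_700_000_000          # constructed fixed "current time" (2023-11-14T22:13:20Z)
DAY = 86400
# constructed samples: healthy, expiring in 3 days, expired yesterday and not Ready
SAMPLE_METRICS = f"""
# HELP certmanager_certificate_expiration_timestamp_seconds The timestamp after which the certificate expires.
certmanager_certificate_expiration_timestamp_seconds{{name="music-app-cert",namespace="default"}} {NOW + 60 * DAY}
certmanager_certificate_expiration_timestamp_seconds{{name="wildcard-cert",namespace="default"}} {NOW + 3 * DAY}
certmanager_certificate_expiration_timestamp_seconds{{name="internal-cert",namespace="default"}} {NOW - 1 * DAY}
certmanager_certificate_ready_status{{condition="False",name="internal-cert",namespace="default"}} 1
certmanager_certificate_ready_status{{condition="True",name="music-app-cert",namespace="default"}} 1
"""

if __name__ == "__main__":
    for cert, alerts in sorted(evaluate_alerts(SAMPLE_METRICS, NOW).items()):
        print(f"{cert}: {', '.join(alerts)}")
```

Note that an already-expired certificate satisfies both expressions, so `CertificateExpiringSoon` keeps firing alongside `CertificateExpired`; if that double page is unwanted, the warning rule can be bounded below with `> 0`. The `internal-cert` sample also shows why `CertificateNotReady` is worth keeping: a renewal that fails (a broken Challenge, a missing CA Secret) surfaces there well before the expiry rules trip.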