Jho*_*n D 5 certificate go google-cloud-platform kubernetes kubebuilder
我们有一个 kubebuilder 控制器,它按预期工作,现在我们需要创建一个 webhooks ,
我按照教程 https://book.kubebuilder.io/reference/markers/webhook.html进行 操作,现在我想在本地运行和调试它,但是不确定如何处理证书,是否有一种简单的方法来创建它,任何例子都会非常有帮助。
顺便说一句,我已经安装了cert-manager并应用了以下示例 yaml,但不知道下一步该做什么...
我需要最简单的解决方案,我能够在本地webhook运行和调试s ,就像我已经使用控制器所做的那样(在使用 webhooks 之前),
https://book.kubebuilder.io/cronjob-tutorial/running.html
证书管理器
我在集群中创建了以下内容
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-com
namespace: test
spec:
# Secret names are always required.
secretName: example-com-tls
# secretTemplate is optional. If set, these annotations and labels will be
# copied to the Secret named example-com-tls. These labels and annotations will
# be re-reconciled if the Certificate's secretTemplate changes. secretTemplate
# is also enforced, so relevant label and annotation changes on the Secret by a
# third party will be overwriten by cert-manager to match the secretTemplate.
secretTemplate:
annotations:
my-secret-annotation-1: "foo"
my-secret-annotation-2: "bar"
labels:
my-secret-label: foo
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- jetstack
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: example.com
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
# At least one of a DNS Name, URI, or IP address is required.
dnsNames:
- example.com
- www.example.com
uris:
- spiffe://cluster.local/ns/sandbox/sa/example
ipAddresses:
- 192.168.0.5
# Issuer references are always required.
issuerRef:
name: ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
仍然不确定如何将其与 kubebuilder 同步以在本地工作
当我在调试模式下运行运算符时,出现以下错误:
setup problem running manager {"error": "open /var/folders/vh/_418c55133sgjrwr7n0d7bl40000gn/T/k8s-webhook-server/serving-certs/tls.crt: no such file or directory"}
我需要的是在本地运行 webhook 的最简单方法
小智 0
让我从头开始引导您完成整个过程。
像 cronJob 教程中所说的那样创建 webhook - kubebuilder create webhook --group batch --version v1 --kind CronJob --defaulting --programmatic-validation。这将创建用于实现默认逻辑和验证逻辑的 Webhook。
按照指示实现逻辑 -实现默认/验证 Webhooks
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.yamlconfig/default/kustomization.yaml通过取消注释中包含 [WEBHOOK] 或 [CERTMANAGER] 的所有内容来编辑文件。对文件也执行相同的操作config/crd/kustomization.yaml。make docker-build IMG=<some-registry>/<project-name>:tag。现在您不需要将docker-push映像存储到远程存储库。如果您使用kind集群,您可以直接将本地镜像加载到指定的kind集群:
kind load docker-image <your-image-name>:tag --name <your-kind-cluster-name>make deploy IMG=<some-registry>/<project-name>:tag。您还可以使用make run命令在本地运行集群。但是,如果您启用了网络书,那就有点棘手了。我建议您以这种方式使用 KIND 集群来运行集群。在这里,您无需担心注入证书。cert-manager 会为你做这件事。您可以查看该/config/certmanager文件夹以了解其工作原理。
| 归档时间: |
|
| 查看次数: |
710 次 |
| 最近记录: |