安装

# Register (or refresh) the jetstack chart repo that hosts trust-manager.
helm repo add jetstack https://charts.jetstack.io --force-update

# Install trust-manager alongside cert-manager. app.trust.namespace is the
# single namespace the controller reads Bundle sources from (here the
# cert-manager namespace, where devops-selfsigned-secret lives).
#
# Security note: secretTargets.authorizedSecretsAll=true allows the controller
# to write a Secret named after *any* Bundle into every namespace, i.e. a
# cluster-wide write permission on Secrets. The chart also exposes an explicit
# allow-list of target Secret names (see `helm show values jetstack/trust-manager`,
# key secretTargets.authorizedSecrets); prefer that outside of a lab. Pinning
# the chart with --version is also advisable so a repo refresh cannot silently
# change what gets installed.
helm upgrade --install trust-manager jetstack/trust-manager \
  --namespace cert-manager \
  --set app.trust.namespace=cert-manager \
  --set secretTargets.enabled=true \
  --set secretTargets.authorizedSecretsAll=true

创建Bundle

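# Write the Bundle manifest to disk. The quoted 'EOF' delimiter stops the shell
# from expanding anything inside the here-doc, so the YAML lands byte-for-byte.
cat > harbor-tls.yaml <<'EOF'
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  # Bundle is cluster-scoped (it has no namespace). Its name is reused as the
  # name of the target Secret created in every selected namespace.
  name: harbor-tls
spec:
  sources:
  # Sources are read only from the trust namespace fixed at install time
  # (app.trust.namespace=cert-manager); a namespace field is not accepted here.
  # They are read with the controller's own permissions, so anyone allowed to
  # create Bundles can reference any Secret in that namespace. Keep
  # Bundle-create RBAC tight and only ever reference public material (ca.crt),
  # never tls.key.
  - secret:
      name: "devops-selfsigned-secret"
      key: "ca.crt"
  target:
    # A Secret target requires secretTargets.enabled plus either
    # secretTargets.authorizedSecretsAll or an allow-list at install time.
    secret:
      key: "ca.crt"
    # Only namespaces carrying this label receive the Secret. Removing the
    # selector fans the Secret out to every namespace in the cluster.
    namespaceSelector:
      matchLabels:
        devops: "yes"
EOF
kubectl apply -f harbor-tls.yaml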

验证

[root@k8s-h3c-master01 harbor]# kubectl get bundles.trust.cert-manager.io
NAME         CONFIGMAP TARGET   SECRET TARGET   SYNCED   REASON   AGE
harbor-tls                      ca.crt          True     Synced   39s
[root@k8s-h3c-master01 harbor]# kubectl get namespaces --show-labels
NAME              STATUS   AGE     LABELS
cert-manager      Active   4d2h    kubernetes.io/metadata.name=cert-manager
default           Active   7d12h   kubernetes.io/metadata.name=default
devops            Active   4d7h    devops=yes,kubernetes.io/metadata.name=devops
[root@k8s-h3c-master01 harbor]# kubectl get secrets -n devops
NAME                                      TYPE                 DATA   AGE
harbor-tls                                Opaque               1      42s

查看ca.crt

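# Compare only the ca.crt key of the two Secrets instead of dumping them with
# `-o yaml`: if devops-selfsigned-secret was issued by cert-manager it also
# carries tls.key, and printing the whole object puts the private key into the
# terminal, scrollback and shell history. `diff` exits non-zero (and prints the
# difference) when the two CA certificates are not identical.
diff \
  <(kubectl get secret -n cert-manager devops-selfsigned-secret -o jsonpath='{.data.ca\.crt}' | base64 -d) \
  <(kubectl get secret -n devops harbor-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) \
  && echo "ca.crt is identical in both Secrets"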

只比较两个 Secret 中 ca.crt 这一个 key 是否一致；不要把整个 Secret（cert-manager 签发的 Secret 通常还包含私钥 tls.key）导出、截图或粘贴到日志里。

示例：将 cert-manager 为 Harbor 签发的证书中的 CA 证书（只有 ca.crt，不包括 tls.crt/tls.key）以 ConfigMap 形式同步到所有命名空间

安装 trust-manager 时把 trust 命名空间（app.trust.namespace）指向 TLS 证书 Secret 所在的命名空间。注意：该命名空间里的所有 Secret 都会成为 Bundle 可以引用的 source，因此要限制哪些角色可以创建 Bundle，并且 source 只引用 ca.crt。

# Same install as before, but the trust namespace is moved to devops, where the
# cert-manager-issued harbor-selfsigned-secret lives. Every Secret in that
# namespace then becomes a candidate Bundle source, so keep the namespace
# limited to material you actually intend to distribute.
#
# secretTargets.authorizedSecretsAll=true grants the controller the right to
# write a Secret named after any Bundle into every namespace; the chart's
# explicit allow-list (secretTargets.authorizedSecrets) is the narrower option.
# Secret targets are not even used in this example (the Bundle below writes a
# ConfigMap), so the two secretTargets flags could be dropped here entirely.
helm upgrade --install trust-manager jetstack/trust-manager \
  --namespace cert-manager \
  --set app.trust.namespace=devops \
  --set secretTargets.enabled=true \
  --set secretTargets.authorizedSecretsAll=true

创建bundle

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  # Cluster-scoped; the name doubles as the target ConfigMap name.
  name: harbor-tls
spec:
  sources:
    # Read from app.trust.namespace (devops in this install). Only the CA
    # certificate is referenced; tls.key must never be listed as a source.
    - secret:
        name: harbor-selfsigned-secret
        key: ca.crt
  target:
    # No namespaceSelector: the ConfigMap is created in every namespace.
    # A ConfigMap is the right target here because ca.crt is public material.
    configMap:
      key: ca.crt

验证

[root@k8s-master01 ~]# kubectl get bundles.trust.cert-manager.io
NAME         CONFIGMAP TARGET   SECRET TARGET   SYNCED   REASON   AGE
harbor-tls   ca.crt                             True     Synced   3m18s

# 不带 -n 的 kubectl get cm 只显示当前（default）命名空间；要确认所有命名空间都已生成，请用 kubectl get cm -A | grep harbor-tls
[root@k8s-master01 ~ ]# kubectl get cm
NAME               DATA   AGE
harbor-tls         1      2m16s

卸载

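# Delete the Bundles first, while the controller is still running, so it gets
# a chance to reconcile the removal of its target Secrets/ConfigMaps. Deleting
# the CRD afterwards removes every remaining Bundle object unconditionally.
kubectl delete bundles.trust.cert-manager.io --all
helm uninstall trust-manager -n cert-manager
kubectl delete crd bundles.trust.cert-manager.io

# Whether distributed targets are garbage-collected depends on how this
# trust-manager version links them to the Bundle; list any leftovers and
# remove them by hand, otherwise stale CA copies stay in the cluster.
kubectl get secrets,configmaps -A --field-selector metadata.name=harbor-tls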