Skip to content

Commit

Permalink
feat: support cert-manager (#685)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lingsamuel
lingsamuel authored Sep 24, 2021
1 parent 3e9bdbf commit 1b71fa3
Show file tree
Hide file tree
Showing 11 changed files with 876 additions and 37 deletions.
23 changes: 23 additions & 0 deletions docs/en/latest/practices/cert-manager/ca.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: ca-key-pair
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY5ekNDQTkrZ0F3SUJBZ0lVRkt1ekFKWmdtL2ZzRlM2SkRyZCtsY3BWWnI4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dad3hDekFKQmdOVkJBWVRBa05PTVJFd0R3WURWUVFJREFoYWFHVnFhV0Z1WnpFUk1BOEdBMVVFQnd3SQpTR0Z1WjNwb2IzVXhHREFXQmdOVkJBb01EMEZRU1ZOSldDMVVaWE4wTFVOQlh6RVlNQllHQTFVRUN3d1BRVkJKClUwbFlYME5CWDFKUFQxUmZNUlV3RXdZRFZRUUREQXhCVUVsVFNWZ3VVazlQVkY4eEhEQWFCZ2txaGtpRzl3MEIKQ1FFV0RYUmxjM1JBZEdWemRDNWpiMjB3SGhjTk1qRXdOVEkzTVRNek5qSTRXaGNOTWpJd05USTNNVE16TmpJNApXakNCbkRFTE1Ba0dBMVVFQmhNQ1EwNHhFVEFQQmdOVkJBZ01DRnBvWldwcFlXNW5NUkV3RHdZRFZRUUhEQWhJCllXNW5lbWh2ZFRFWU1CWUdBMVVFQ2d3UFFWQkpVMGxZTFZSbGMzUXRRMEZmTVJnd0ZnWURWUVFMREE5QlVFbFQKU1ZoZlEwRmZVazlQVkY4eEZUQVRCZ05WQkFNTURFRlFTVk5KV0M1U1QwOVVYekVjTUJvR0NTcUdTSWIzRFFFSgpBUllOZEdWemRFQjBaWE4wTG1OdmJUQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCCkFMSlIwbFFXL0lCcVFURS9PYTBQaTRMbG1sWVVTR25xdEZOcWlaeU9GMFBqVnpOZXFvRDlKRFBpTTFRUnlDOHAKTkNkNUwvUWh0VUlNTXgwUmxESTlEa0ozQUxJV2RyUElabHdwdmVESmY0S3RXN2N6K2VhNDZBNlFRd0I2eGN5Vgp4V25xRUJraWVhN3FyRUU4TmFrWk9NamdrcWtOMi85a2xnNlh5QTVGV2Z2c3p4dHVJSHRqY3kyS3E4Yk1DMGpkCms3Q3FFWmU0Y3Q2czJ3bGNJOHQ4czlwcnZNRG04Z2NYNjZ4NEFoK0MyL1crQzNsVHBNRGdHcVJxU1B5Q1c3bmEKV2duMHRXbVRTZjFpeWJ3WU15ZGhDK3pwTTFRSkx2ZkR5cWpwMXdKaHppUjV0dFZlMlhjK3REQzI0cyt1MTZ5WgpSOTNJTzBNNGxMTmp2RUtKY01sdFh5UnpyY2p2TFhPaHczS2lyU0hOTDFLZnJCRWw3NGxiK0RWNWVVNHBJRkNqCmN1MThnbXM1RkJZczl0cEx1andwSERjMk1VK3pDdlJtU1B2VUE0eUN5b1hxb20zdWlTbzNnM3ltVzlJTThkQzgKK0JkMUdkTTZKYnBCdWt2UXliYzVUUVhvMU03NUk5aUVvUWE1dFF4QWZRL2Rmd01qT0s3c2tvZ293Qm91T3VMdgpCRUZLeTNWZDU3SVdXWlhDNHAvNzRNNk40ZkdZVGdIWTVGUUUzUjRZMnBoay9lYUVtMWpTMVVQdUM5OFF1VGZMCnJHdUZPSUJtSzVldU9tOHVUNW05aG5yb3VHMlpjeEVkekhZZmpzR0RHckx6QTBGTHUrd3RNTkJLTTROaHNOQ2EKZCtmeWNMZzdqZ3hXaGFMdkQ1RGZrVjdXRlFsejVMVWNlWUl3WU95aEQvY2hBZ01CQUFHakx6QXRNQXdHQTFVZApFd1FGTUFNQkFmOHdIUVlEVlIwUkJCWXdGSUlTYlhSc2N5NW9kSFJ3WW1sdUxteHZZMkZzTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQ0FRQ050Qm1vQWM1dHYzSDM4c2o5cWhUbWFidnA5Ukl6WllyUVNFY04rQTJpM2E4RlZZQU0KWWF1Z1pEWERjVHljb1duNnJjZ2JsVURuZW93M05pcVo1N3lZWm1OK2U0bUUzK1Exc0dlcFY3TG9Sa0hEVVQ4dwpqQUpuZGNaL3h4Sm1nSDZCN2RJbVRBUHN2TEdSN0U3Z2ZmTUgrYUtDZG5rRzl4NVZtK2N1QndTRUJuZGlIR2ZyCnl3NWNYTzZjTVVxOE02ekpyazJWKzFCQXVjWFcycmdMVFd5NlVUVEdENTZjZ1V0YlN0Uk82bXVPS29FbERMYlcKbVNqMnJOdi9ldmFrUWtWOGRnS1ZSRmdoMk5RS1lLcFhtdmVNYUU2eHRGRmYvZGQ5T2hERmpVaC9rc3huOTRGVAp4ai93a2hYQ0VQbCt0N3RFTmhyMnROeUxiQ09WY0Z6cW9pN0l5b1dLeHhaUWZ2QXJmajRTbWFoSzhFL0JYQi9UCjRQRW1uOGtaQXhhVzdSbUdjYWVrbThNVHFHbGhDSjN0VkpBSTJ2Y1lSZGQ5WkhiWEUxanIvNHhqMEkvTHpnbG8KTzh2NWZkNHpIeVYxU3VaNUFIM1hiVWQ3bmRsOXlEb04yV1NxSzlOZDlid3MzeXJmK0d3akpBVDFJbm5EdkxnMQpzdFdNOEkrOUZaaURGTDI1NS8raUFOMGpZY0d1OWk0VE52QytvNnFRMXA4NWkxT0hQSlp1Nnd0VVdNZ0RKTjQ2CnV3VzNaTGg5c1pWNk9uaGJRSkJRYVVtY2dhUEpVUXFiWE5RbXBtcGMwTlVqRVQvbHRGUloyaGx5dnZwZjd3d0YKMkRMWTFIUkFrblE2OUR1VDZ4cFl6MWFLWnFybGtiQ1dsTU12ZG9zT2c2ZjcrNE54ZFlKL3JCZVM2UT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRQ3lVZEpVRnZ5QWFrRXgKUHptdEQ0dUM1WnBXRkVocDZyUlRhb21jamhkRDQxY3pYcXFBL1NRejRqTlVFY2d2S1RRbmVTLzBJYlZDRERNZApFWlF5UFE1Q2R3Q3lGbmF6eUdaY0tiM2d5WCtDclZ1M00vbm11T2dPa0VNQWVzWE1sY1ZwNmhBWklubXU2cXhCClBEV3BHVGpJNEpLcERkdi9aSllPbDhnT1JWbjc3TThiYmlCN1kzTXRpcXZHekF0STNaT3dxaEdYdUhMZXJOc0oKWENQTGZMUGFhN3pBNXZJSEYrdXNlQUlmZ3R2MXZndDVVNlRBNEJxa2FrajhnbHU1MmxvSjlMVnBrMG45WXNtOApHRE1uWVF2czZUTlVDUzczdzhxbzZkY0NZYzRrZWJiVlh0bDNQclF3dHVMUHJ0ZXNtVWZkeUR0RE9KU3pZN3hDCmlYREpiVjhrYzYzSTd5MXpvY055b3EwaHpTOVNuNndSSmUrSlcvZzFlWGxPS1NCUW8zTHRmSUpyT1JRV0xQYmEKUzdvOEtSdzNOakZQc3dyMFprajcxQU9NZ3NxRjZxSnQ3b2txTjROOHBsdlNEUEhRdlBnWGRSblRPaVc2UWJwTAowTW0zT1UwRjZOVE8rU1BZaEtFR3ViVU1RSDBQM1g4REl6aXU3SktJS01BYUxqcmk3d1JCU3N0MVhlZXlGbG1WCnd1S2YrK0RPamVIeG1FNEIyT1JVQk4wZUdOcVlaUDNtaEp0WTB0VkQ3Z3ZmRUxrM3k2eHJoVGlBWml1WHJqcHYKTGsrWnZZWjY2TGh0bVhNUkhjeDJINDdCZ3hxeTh3TkJTN3ZzTFREUVNqT0RZYkRRbW5mbjhuQzRPNDRNVm9XaQo3dytRMzVGZTFoVUpjK1MxSEhtQ01HRHNvUS8zSVFJREFRQUJBb0lDQVFDVUNwdnNsaHpSVytWOXhqalM5YW5rClpVeEpsSk05NDg0THh0SXllRURXYXNKMWNtMXBvei9RRjBaMzBEOTY3K0ZOdUMzWXA3ZDgrdlhnZHp5cXJNZk8KNUU5ZWlvbkgzbU1rdHI3ZUJVdG9LUmFRdFlVT1NJclh0R3I3MWZHclZOaE5nellVTit3QURQSXZRcFptS2Z0Ygp3aDNnWGhJOEtMenZwcEUvVDlKUjladEg4WmpqOTMraTJwS2IrOENPb081QmFDQXM3c1BuSEdqSWo0ZGtJOGFKCldwS2RMOTdWaHNWeExUek4vbTB3eXJOcDZjaEpISVRoNVI5dEM2aXRWcHNUMHVaZG5SdDdVdTJhekJpRDQrenIKcGZ1b0UrdTdaUUEyVmRUY05HalpIWGR1RTAzRjB2Znp6WkhsekFsZ1VPMDZNa2NKR3N0UlYwYnZrbjFoclB5agp1YVlEUmVVamJKYnRYb3pHZmxVdFRheVYxVUF6SHViVGM5MENWV05UYkcvRzNYa1hrWEZGL0NVLzlpMHQvMW85CmJGMVJTT2NsMFAvQXdmSEJXTDV4UXlMK2RFTFluQXhoUW40TkNTdDdIYnlUc1R1NnBkdkZsQ0NuZGNkM0E1bUgKMHlLcGFXVTlkcFlDNEtta3kwMFM4ZUdmRVp4MllTOXF5SUgxZTYxdzhWNTlwQk5BR1JGU1RZUTBlV1lEaVY5eApoT1hZU1lqQ1FXWVo3czRRNHJ2ZjhDRXhPdnZORjA3SmdaTVB5dC9wVjhJblgxS29PSnBtL0laZnVQU05wbzJSCmU2V0krSjEwVnloTExMMXFBL2QrWkpmTG5uT0dRcGRnTTBUOU5FUHQycGNQcFRDQzFGWHFQNXJ6M2dBcWlBVk0KSHprajVXWUJMUHZGTlFsak1JRnl3UUtDQVFFQTZGOWpsQ2tkSU9qSGs4aW5yaVhNYXZ2N2Q0Q0ZVc1VYeVcvQwpVZWRBY25PUnVZREJrdmorTjI3NEdGeVAwU3F5V3dXRGJqSzVOZms2RmtkeThLNWZsckxjVVZSMGRGa2swd3Z3CjNnZVBpVWxpUDFwUElnd1FWdktST244TkgvbUYzRC9VZFhSSGh5T1E2cmQxR3poZGh2UmNjZmFwTDEya3YyMnYKRDcwSlhLakpxNFdZczNtM2NSU3cxT25sYmRrRWUzTTlLMWV5TFhlQnpsQnQwU3RaamNBSm1IV0xjbHJuMFdIRgpMcUtkWUNJZ3RHZUh3alE3WlBicnFRb1hGRnJ6bDgzQWV1V1cxVmRQQTNOTFc5Y1p5SnNIY1N5dDR4cDBjZUlSCitjTDl0TE9oWnpWNzFZN3ZybWh2WElSV2lROUowUGNDbXR5Mkx5U1NsSDY0SWV0cWFRS0NBUUVBeEhOeHZDOVEKRlFmRmdnM09kSHZDM0NsdFM3K25vSkZjdTVoMmZlWHFZS241TjRUcFQ2UVJDbWJLeHRHSkcvVDZjRVNEOXUwVQpzaEQwUjdSdkZEWTNTWHdORDRuYjM4dkhSOUYvZitNdzVKbTdBTGxzWnJPbFIwSUducGkxZjhTUkNVRE9iOHlKClRyMkRaelAwcTFBTFQ5QzZySVJ4eFJwTGsvdjlqR0V4WVJhT2FBUkVianc0aXIrdTh5VVpJVm9lcUtRanlNU1cKc25lSnJmMFhIR3JrS2Z3b3dpeGNYb0hSZXFWdnhtN2VzN3paRk9pT0xVZ2lpNlYycENQeUwzWks0Zm1YM1oyUgp2OHl5OXRJOTZvclR3Z1lGSXZodFlkckNuRi9NL1ZmNW9LUEVVd0V4bFFWQ1BrcG1zc1RhZm52R3p5NXpvdnZ5CnN0VmV5OC9NTWNUZitRS0NBUUJLR1BERjgvNUgyaktaMjJnc3pmekxPS0xOVG53MUVvZ3RRYWZ6T2d5QThuMUwKYTlWT0tudlY3VnJMV2VpNlNDVXJoU3lOM1RyV0RTMEtvYW56T1lkZHBKZEFqKys2a2hwOStkYksxaHBkS3J0YgpmRTZ6aXFsRE1JSkM1dlNtZDRqSjNNakEwMTFqcUdHemx1Q08xNEJyWWt5QVFxbGNZejMvbE5nMzZvMnJzRjd1CmhPRldpYitISFpQdHNNL3FJVU9lb2ZhbGRZZHBuQ3dXUCt0a3diQUMxWE81Mi9HbGUzdGtkd3JMZmlzMDFtMGIKV2RBZWkwMU5PcmVXNVpMS2VONG9VQUhLcnA5VVZFenJ5cjREQVNwRm43blZ5dXQvK1pXY0l2eWNhaU5BbGU4bgozQlFxMnpOdXAvcXF3OEJjWURXbm5yeUQ2VkZtNHdDaXZXMjEwejNSQW9JQkFRQ0VYRFA1VXZkbDlBS0RDY0pjCmdUWmRHQnhudVEyOEJiU3hRSncxWHo5M09ZNk1kYVNzNENJTEhBN3J2aW5mQ0VQa2VJVmhUWU53SmpRd1M4VzcKbkh2THF5VXhudlRoNkc2d1dOckswOHdSZWZLaEhrMkhOT3JiQkFWcHZnSXJ2OGpvcngxbi9pdFZQaUxXMmc2egpqZzdSREJWNlB4Sllkc3NOUGU4ck1pRVBCUitWdmFwTmk0MmREbUZWdVYwaE41TUlsTzczU2wwdWlaUGVBblFiCjFYazlRSVJGcjVYY3B5TDR1NVovNEJ0MGhuek10Wk4xdHZCdm5tQTlYMnJCeDdYVVkxS0xJcXNjeTFLWk1qWTkKWEtRb1NkNFVIY1cwOUt2Q3FGbDVLRmtzZnFxOE1rV3gzZ1V2NnZrZTRidEZGU2h5VngzYVpsNnpWMGV6a3FKRgp0aHdoQW9JQkFBVDUyOFdGVE9BOTdyQUFIeFJqOGprQUI2NEV4ZlRkY2w1eHpsQW5uQ09pQ3lGNWtlOTFwYjRECklZMkcvVk1mN2ZNakNCNy93RTNxa3RkTE5pQW9GdTlkZW1ydmdrTVI4VU5RTitwSzAyWWU2VUxsMTJwUTcxczcKQktTYjRpOVVUY0phVmFWT2hZbkNnTTcwQnBkQ2FKWFVQMGhqUC9BRVRESVJQZnFZRWhtend4dWt5c0VCTkpscApjWXlCOWRRSjhCV3M4R282T1d2Q2dic0Fwa0FTOTdOY1czZzRwL3c3dDlDSXVCblFuS2hUMUpVUmswS0pNeDAxCkU0cysxTndQN0I5R2Ivdlpja01FejBDM282WDJwbnk2eVkwcUtHK3lZOUh2NVV1M3M4UE1ZeFJKckU2ZUJuMGoKNDQ1ME9EOEg2d1MxSldPaGFZSEY1OGJoVW5zY0Zkbz0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
22 changes: 22 additions & 0 deletions docs/en/latest/practices/cert-manager/issuer.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: ca-issuer
spec:
ca:
secretName: ca-key-pair
241 changes: 241 additions & 0 deletions docs/en/latest/practices/manage-certificates-with-cert-manager.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,241 @@
---
title: Manage Certificates With Cert Manager
---

<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->

This tutorial will detail how to manage secrets of ApisixTls using cert-manager.

## Prerequisites

* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
* Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart).
* Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md).
* Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).

In this guide, we assume that your APISIX is installed with `ssl` enabled, which is not enabled by default in the Helm Chart. To enable it, you need to set `gateway.tls.enabled=true` during installation.

For example, you could install APISIX and APISIX ingress controller by running:

```bash
helm install apisix apisix/apisix --set gateway.type=NodePort --set ingress-controller.enabled=true --set gateway.tls.enabled=true
```

Assume that the SSL port is `9443`.

## Create Issuer

For testing purposes, we will use a simple CA issuer. All required files can be found [here](./cert-manager).

To create a CA issuer, use the following commands:

```bash
kubectl apply -f ./cert-manager/ca.yaml
kubectl apply -f ./cert-manager/issuer.yaml
```

If the cert-manager is working correctly, we should be able to see the Ready status by running:

```bash
kubectl get issuer
```

It should output:

```text
NAME READY AGE
ca-issuer True 50s
```

## Create Certificate

Before creating ApisixTls, we should create a `Certificate` resource.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: demo-cert
spec:
dnsNames:
- local.httpbin.org
issuerRef:
kind: Issuer
name: ca-issuer
secretName: example-cert
usages:
- digital signature
- key encipherment
renewBefore: 0h55m0s
duration: 1h0m0s
```
Note that we set the parameters `duration` and `renewBefore`. We want to test if the certificate rotation functionality is working well, so a shorter renewal time will help.

Like `Issuer`, we could see its readiness status by running:

```bash
kubectl get certificate
```

It should output:

```text
NAME READY SECRET AGE
demo-cert True example-cert 50s
```

Check the secrets by running:

```bash
kubectl get secret
```

It should output:

```text
NAME TYPE DATA AGE
example-cert kubernetes.io/tls 3 2m20s
```

This means that our cert-manager is working properly.

## Create Test Service

We use [kennethreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin/) as the service image.

Deploy it by running:

```bash
kubectl run httpbin --image kennethreitz/httpbin --expose --port 80
```

## Route the Service

Create an ApisixRoute to route the service:

```yaml
apiVersion: apisix.apache.org/v2beta1
kind: ApisixRoute
metadata:
name: httpserver-route
spec:
http:
- name: httpbin
match:
hosts:
- local.httpbin.org
paths:
- "/*"
backend:
serviceName: httpbin
servicePort: 80
```

Run curl command in a APISIX pod to see if the routing configuration works.

```bash
kubectl -n <APISIX_NAMESPACE> exec -it <APISIX_POD_NAME> -- curl http://127.0.0.1:9080/ip -H 'Host: local.httpbin.org'
```

It should output:

```json
{
"origin": "127.0.0.1"
}
```

## Secure the Route

Create an ApisixTls to secure the route, referring to the secret created by cert-manager:

```yaml
apiVersion: apisix.apache.org/v1
kind: ApisixTls
metadata:
name: example-tls
spec:
hosts:
- local.httpbin.org
secret:
name: example-cert # the secret created by cert-manager
namespace: default # secret namespace
```

Run curl command in a APISIX pod to see if the Ingress and TLS configuration are working.

```bash
kubectl -n <APISIX_NAMESPACE> exec -it <APISIX_POD_NAME> -- curl --resolve 'local.httpbin.org:9443:127.0.0.1' "https://local.httpbin.org:9443/ip" -k
```

It should output:

```json
{
"origin": "127.0.0.1"
}
```

## Test Certificate Rotation

To verify certificate rotation, we can add a verbose parameter `-v` to curl command:

```bash
kubectl -n <APISIX_NAMESPACE> exec -it <APISIX_POD_NAME> -- curl --resolve 'local.httpbin.org:9443:127.0.0.1' "https://local.httpbin.org:9443/ip" -k -v
```

The verbose option will show us the handshake log, which also contains the certificate information.

Example output:

```text
* Added local.httpbin.org:9443:127.0.0.1 to DNS cache
* Hostname local.httpbin.org was found in DNS cache
* Trying 127.0.0.1:9443...
* Connected to local.httpbin.org (127.0.0.1) port 9443 (#0)
...
...
* Server certificate:
* subject: [NONE]
* start date: Sep 16 00:14:55 2021 GMT
* expire date: Sep 16 01:14:55 2021 GMT
* issuer: C=CN; ST=Zhejiang; L=Hangzhou; O=APISIX-Test-CA_; OU=APISIX_CA_ROOT_; CN=APISIX.ROOT_; emailAddress=test@test.com
```

We could see the start date and expiration date of the server certificate.

Since the `Certificate` we defined requires the cert-manager to renew the cert every 5 minutes, we should be able to see the changes to the server certificate after 5 minutes.

```text
* Added local.httpbin.org:9443:127.0.0.1 to DNS cache
* Hostname local.httpbin.org was found in DNS cache
* Trying 127.0.0.1:9443...
* Connected to local.httpbin.org (127.0.0.1) port 9443 (#0)
...
...
* Server certificate:
* subject: [NONE]
* start date: Sep 16 00:19:55 2021 GMT
* expire date: Sep 16 01:19:55 2021 GMT
* issuer: C=CN; ST=Zhejiang; L=Hangzhou; O=APISIX-Test-CA_; OU=APISIX_CA_ROOT_; CN=APISIX.ROOT_; emailAddress=test@test.com
```

The certificate was rotated as expected.
Loading

0 comments on commit 1b71fa3

Please sign in to comment.