Configure lifecycle management for managed workloads

This document describes how to use Certificate Manager (2nd gen) to configure certificate lifecycle management for managed workloads such as Compute Engine and Google Kubernetes Engine (GKE). You can use a certificate issuance configuration to associate a managed workload identity pool with a Certificate Authority Service pool, so that certificate issuance and renewal happen automatically. This helps prevent service outages caused by expired certificates.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Compute Engine, Certificate Manager, Certificate Authority Service APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Required roles

To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Configure the lifecycle for managed workloads

Configure a managed workload identity pool to specify how the associated workloads receive and renew certificates from an existing CA Service pool.

  1. In the Google Cloud console, go to the Certificate Manager (2nd gen) page.

  2. In the navigation pane, click Manage lifecycle.
  3. Select the Managed workload identities tab.
  4. Find the workload identity pool that you want to configure, and then click Configure lifecycle management.
  5. Select a region and a CA pool in that region.
  6. In the Certificate validity field, specify the validity period of the issued certificates. The value must be between 21 and 30 days.
  7. Set the Rotation window to a value between 50 and 80. This is the percentage of the certificate lifetime at which renewal is triggered.
  8. In the Key algorithm field, select the cryptographic algorithm used to generate the private key.
  9. Click Update.
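The two numeric settings in steps 6 and 7 determine how much time a workload has between the renewal trigger and certificate expiry, which is the window in which a failed renewal can still be noticed before an outage. The following is an added example, not Google's code or part of this page: it enforces the page's limits (21 to 30 days validity, 50 to 80 percent rotation window), computes the renewal point and the remaining margin for a policy, and classifies a constructed set of workload certificates as fine, due for renewal, or expired. The workload names, issuance times, and the `LifecyclePolicy` class are assumptions made for the example; Certificate Manager performs the actual renewal, this script only models the timing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits the console enforces for the two lifecycle settings (from the page).
MIN_VALIDITY_DAYS, MAX_VALIDITY_DAYS = 21, 30
MIN_ROTATION_PCT, MAX_ROTATION_PCT = 50, 80


@dataclass(frozen=True)
class LifecyclePolicy:
    """Certificate validity and rotation window, as entered in the console.
    This class is an assumption for the example, not a Certificate Manager API."""
    validity_days: int
    rotation_window_pct: int

    def __post_init__(self) -> None:
        if not MIN_VALIDITY_DAYS <= self.validity_days <= MAX_VALIDITY_DAYS:
            raise ValueError(f"validity must be {MIN_VALIDITY_DAYS}-{MAX_VALIDITY_DAYS} days, "
                             f"got {self.validity_days}")
        if not MIN_ROTATION_PCT <= self.rotation_window_pct <= MAX_ROTATION_PCT:
            raise ValueError(f"rotation window must be {MIN_ROTATION_PCT}-{MAX_ROTATION_PCT}%, "
                             f"got {self.rotation_window_pct}")

    def renewal_offset_days(self) -> float:
        """Days after issuance at which renewal is triggered."""
        return self.validity_days * self.rotation_window_pct / 100

    def margin_days(self) -> float:
        """Days between the renewal trigger and expiry: time left to notice a failed renewal."""
        return self.validity_days - self.renewal_offset_days()

    def renewal_time(self, issued_at: datetime) -> datetime:
        return issued_at + timedelta(days=self.renewal_offset_days())

    def expiry_time(self, issued_at: datetime) -> datetime:
        return issued_at + timedelta(days=self.validity_days)

    def status(self, issued_at: datetime, now: datetime) -> str:
        """'ok' before the rotation window, 'renew' inside it, 'expired' past validity."""
        if now >= self.expiry_time(issued_at):
            return "expired"
        if now >= self.renewal_time(issued_at):
            return "renew"
        return "ok"


def is_valid_policy(validity_days: int, rotation_window_pct: int) -> bool:
    """True if the console would accept these two values."""
    try:
        LifecyclePolicy(validity_days, rotation_window_pct)
        return True
    except ValueError:
        return False


def simulate_rotation_days(policy: LifecyclePolicy, horizon_days: float) -> list:
    """Issuance offsets (days from the first issuance) of the chain of certificates
    produced within the horizon, assuming every renewal fires exactly on time."""
    offsets = [0.0]
    while offsets[-1] + policy.renewal_offset_days() < horizon_days:
        offsets.append(offsets[-1] + policy.renewal_offset_days())
    return offsets


def audit_sample_workloads(now=None) -> dict:
    """Classify a constructed set of workload certificates against one policy.
    The workload names and issuance times are made up for this example."""
    policy = LifecyclePolicy(validity_days=30, rotation_window_pct=80)
    now = now or datetime(2025, 3, 1, tzinfo=timezone.utc)
    issued = {
        "gke-frontend": now - timedelta(days=2),        # well before the 24-day trigger
        "gce-batch-worker": now - timedelta(days=25),   # inside the rotation window
        "gce-legacy-vm": now - timedelta(days=31),      # renewal was missed, cert is expired
    }
    return {name: policy.status(t, now) for name, t in issued.items()}


if __name__ == "__main__":
    p = LifecyclePolicy(21, 50)
    print(f"validity {p.validity_days}d, rotate at {p.rotation_window_pct}% -> "
          f"renewal after {p.renewal_offset_days()}d, {p.margin_days()}d margin")
    print("issuance offsets over 60 days:", simulate_rotation_days(LifecyclePolicy(30, 80), 60))
    for name, state in audit_sample_workloads().items():
        print(f"{name}: {state}")
```

A higher rotation percentage means fewer issuances per month but a shorter margin: at 30 days and 80 percent the renewal fires on day 24 and leaves six days to detect and fix a failure, whereas 21 days and 50 percent leaves about ten days. The `margin_days()` value is a reasonable threshold for an alert on workloads whose certificate is still in the `renew` state.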

What's next