k8s安装自动证书签发cert-manager letsencrypt

2020-10-16 10:58:42 浏览数 (2)

  1. 创建 namespace kubectl create namespace cert-manager
  2. 安装 crds
代码语言:javascript复制
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
  1. 标记命名空间 cert-manager 为 disable-validation
代码语言:javascript复制
kubectl lab el namespace cert-manager certmanager.k8s.io/disable-validation=true
  1. 将 jetstack 加入到 helm repos
代码语言:javascript复制
helm repo add jetstack https://charts.jetstack.io
  1. 更新 helm 仓库
代码语言:javascript复制
helm repo update
  1. 使用helm chart 安装 cert-manager
代码语言:javascript复制
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
  1. 创建 clusterissuer # issuer.yaml apiVersion: v1 kind: ClusterIssuer metadata: name: letsencrypt-prod #这里是issuer的名称,后面要使用 spec: acme: # 邮箱,证书过期前会发邮件到这个邮箱 email: admin@arfront.com server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: issuer-key solvers: - http01: ingress: class: nginx
代码语言:javascript复制
kubectl apply -f issuer.yaml
  1. 测试
代码语言:javascript复制
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod #需要使用这个标记,letsencrypt-prod是上面issuer的名称
  name: nginx
  namespace: default
spec:
  rules:
  - host: dev.arfront.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - dev.arfront.cn 
    secretName: dev.arfront.cn #证书的域名

0 人点赞