cert-manager是一个云原生证书管理开源工具,用于在Kubernetes集群中提供HTTPS证书并自动续期。以下示例介绍了如何使用cert-manager给nginx ingress申请免费证书并自动续期。
本次部署是基于eks集群,tke集群也可同样的方式进行操作。
1. 安装cert-manager
可以执行下面命令部署cert-manager到集群
代码语言:shell复制wget https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
sed -i 's/quay.io/jetstack/ccr.ccs.tencentyun.com/niewx-k8s/g' cert-manager.yaml
kubectl apply -f cert-manager.yaml2. 安装nginx ingress
集群内安装nginx ingress可以参考文档https://cloud.tencent.com/document/product/457/50503
nginx实例有创建成功后,会生成一个的clb,然后自行在域名解析将业务域名解析到这个clb的vip上。
3. 创建ClusterIssuer对象
然后我们执行下面命令创建下ClusterIssuer
代码语言:shell复制cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-weixnie-nginx-ingress-wushan
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: xxxx # 替换为您的邮箱名。
privateKeySecretRef:
name: letsencrypt-http01
solvers:
- http01:
ingress:
class: weixnie-nginx-ingress-wushan
EOF这里需要注意下,class这里需要和对应的nginx ingress class一样,比如我的nginx ingress class就是weixnie-nginx-ingress-wushan。
如果这里配置没有对应好,后续在ingress指定ClusterIssuer申请证书的时候,证书会创建不成功,cert-manager日志会一直报如下错。
代码语言:text复制I1216 08:36:12.216121 1 pod.go:59] "cert-manager/challenges/http01/selfCheck/http01/ensurePod: found one existing HTTP01 solver pod" resource_name="ingress-tls-1-3233249396-374266583" resource_namespace="weixnie" resource_kind="Challenge" resource_version="v1" dnsName="nginx.tke.niewx.cn" type="HTTP-01" related_resource_name="cm-acme-http-solver-fmqg6" related_resource_namespace="weixnie" related_resource_kind="" related_resource_version=""
I1216 08:36:12.216179 1 service.go:45] "cert-manager/challenges/http01/selfCheck/http01/ensureService: found one existing HTTP01 solver Service for challenge resource" resource_name="ingress-tls-1-3233249396-374266583" resource_namespace="weixnie" resource_kind="Challenge" resource_version="v1" dnsName="nginx.tke.niewx.cn" type="HTTP-01" related_resource_name="cm-acme-http-solver-s9gvr" related_resource_namespace="weixnie" related_resource_kind="" related_resource_version=""
I1216 08:36:12.216228 1 ingress.go:99] "cert-manager/challenges/http01/selfCheck/http01/ensureIngress: found one existing HTTP01 solver ingress" resource_name="ingress-tls-1-3233249396-374266583" resource_namespace="weixnie" resource_kind="Challenge" resource_version="v1" dnsName="nginx.tke.niewx.cn" type="HTTP-01" related_resource_name="cm-acme-http-solver-n5tfr" related_resource_namespace="weixnie" related_resource_kind="Ingress" related_resource_version="v1"
E1216 08:36:12.655730 1 sync.go:190] "cert-manager/challenges: propagation check failed" err="wrong status code '404', expected '200'" resource_name="ingress-tls-1-3233249396-374266583" resource_namespace="weixnie" resource_kind="Challenge" resource_version="v1" dnsName="nginx.tke.niewx.cn" type="HTTP-01"你的集群如果有多个nginx ingress实例,那就配置多个ClusterIssuer对象,注意class配置和nginx ingress实例对应好即可。
4. 配置ingress申请免费证书
这里我们提前部署了一个测试的nginx deploy和svc,通过下面命令创建下ingress
代码语言:shell复制cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-weixnie-nginx-ingress-wushan
kubernetes.io/ingress.class: weixnie-nginx-ingress-wushan
name: cert-demo-ingress
namespace: weixnie
spec:
rules:
- host: nginx.tke.niewx.cn
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- nginx.tke.niewx.cn
secretName: ingress-tls
EOF因为我的测试版本比较多,ingress的api版本是networking.k8s.io/v1beta1,如果是高版本的话,需要改下api版本为networking.k8s.io/v1。
这里需要在ingress加上下面这个注解,对应的ClusterIssuer名称就是上一步我们创建的。
代码语言:text复制cert-manager.io/cluster-issuer: letsencrypt-weixnie-nginx-ingress-wushan看证书是否创建成功,如果READY状态为True,则说明证书创建成功
代码语言:shell复制# k get cert -n weixnie
NAME READY SECRET AGE
ingress-tls True ingress-tls 24h5. 测试https访问服务
ingress创建正常,证书正常生成后,这里可以浏览器https访问下域名,看看证书是否有效
浏览器https访问域名证书有效,这里通过cert-manager申请给nginx ingress域名自动申请证书成功。
