k8s 1.23: using cert-manager to automatically issue certificates for a domain hosted on Alibaba Cloud DNS
Environment:
k8s: 1.23.1
helm: 3.8.1
ICP-registered domain: chandz.com
I. Base environment setup
0. Image list
quay.io/jetstack/cert-manager-cainjector:v1.7.2
quay.io/jetstack/cert-manager-controller:v1.7.2
quay.io/jetstack/cert-manager-webhook:v1.7.2
pragkent/alidns-webhook:0.1.1
1. Install cert-manager
Install from the YAML manifest:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
Or install with Helm:
helm repo add jetstack https://charts.jetstack.io
helm search repo cert-manager
kubectl create namespace cert-manager
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.7.2 --set installCRDs=true
2. Obtain an Alibaba Cloud AccessKey/Secret (AK/SK) with the AliyunDNSFullAccess permission; a custom, narrower RAM policy also works, see the Alibaba Cloud documentation for details.
3. Create a Secret holding the AK/SK that has permission to modify Alibaba Cloud DNS records
kubectl apply -f alidns-secret.yaml
# alidns-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
stringData:
  access-key: YOUR_ACCESS_KEY # Alibaba Cloud AccessKey ID with DNS permission
  secret-key: YOUR_SECRET_KEY # Alibaba Cloud AccessKey Secret with DNS permission
4. Install the alidns webhook
wget https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
Replace acme.yourcompany.com in the file with your own domain:
sed -i s/'acme.yourcompany.com'/'acme.chandz.com'/g bundle.yaml
5. Create the ClusterIssuer
kubectl apply -f clusterissuer.yaml
kubectl get clusterissuers.cert-manager.io
# clusterissuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # Change to your letsencrypt email
    email: duanshuaixing@gmail.com # applicant's e-mail address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
    - dns01:
        webhook:
          groupName: acme.chandz.com # must match the groupName defined in bundle.yaml
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key
6. Create the Certificate
# create the Certificate
kubectl apply -f certificate.yaml
# check the Certificate
kubectl get certificate # right after creation READY is False; cert-manager creates a TXT record in DNS to complete the challenge, and READY turns True once the certificate is issued
# view the issued certificate
kubectl get secrets chandz-com-tls -o json |jq --raw-output '.data["tls.crt"]'|base64 -d
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: chandz-com-tls
spec:
  secretName: chandz-com-tls
  dnsNames: # dnsNames lists the domain names this certificate may be used for
  - chandz.com
  - "*.chandz.com"
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
II. Using the certificate
kubectl apply -f nginx.yaml
# nginx.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:latest
        name: nginx
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-https
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: "tls-test.chandz.com"
    http:
      paths:
      - pathType: ImplementationSpecific
        path:
        backend:
          service:
            name: nginx-https
            port:
              number: 80
  tls:
  - hosts:
    - tls-test.chandz.com
    secretName: chandz-com-tls
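As an added example (not code from the original post or the projects it uses), a small preflight check that the Certificate's dnsNames from step 6 actually cover every host listed under the Ingress .spec.tls above, applying the single-label wildcard rule TLS clients use; the two host lists are constructed from the manifests in this post.

```python
# Added example, not part of the original post: verify that a Certificate's
# dnsNames cover every Ingress TLS host before relying on secretName.
# Wildcard rule (RFC 6125): a leading "*." matches exactly one extra label,
# so "*.chandz.com" covers tls-test.chandz.com but not chandz.com or a.b.chandz.com.
from typing import Iterable, List


def name_matches(pattern: str, host: str) -> bool:
    """True if a dnsNames/SAN entry `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # "*.chandz.com" -> ".chandz.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]  # the part the "*" would have to stand for
    return left != "" and "." not in left  # exactly one non-empty label


def uncovered_hosts(dns_names: Iterable[str], ingress_hosts: Iterable[str]) -> List[str]:
    """Return the Ingress TLS hosts that no dnsNames entry covers."""
    names = list(dns_names)
    return [h for h in ingress_hosts if not any(name_matches(n, h) for n in names)]


# Constructed from certificate.yaml and nginx.yaml in this post.
CERTIFICATE_DNS_NAMES = ["chandz.com", "*.chandz.com"]
INGRESS_TLS_HOSTS = ["tls-test.chandz.com"]

if __name__ == "__main__":
    missing = uncovered_hosts(CERTIFICATE_DNS_NAMES, INGRESS_TLS_HOSTS)
    print("all Ingress hosts covered" if not missing else f"not covered: {missing}")
```

If a host is reported as not covered (for example a second-level name like a.b.chandz.com), add it to dnsNames and let cert-manager reissue rather than expecting the wildcard to match it.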
III. Code repository
https://github.com/duanshuaixing/tools/tree/master/cert-mamager