Kubernetes 1.23: issuing Alibaba Cloud DNS domain certificates automatically with cert-manager
Environment: k8s 1.23.1, helm 3.8.1, ICP-registered domain: chandz.com
I. Base environment setup
0. Image list
quay.io/jetstack/cert-manager-cainjector:v1.7.2
quay.io/jetstack/cert-manager-controller:v1.7.2
quay.io/jetstack/cert-manager-webhook:v1.7.2
pragkent/alidns-webhook:0.1.1
1. Install cert-manager
Install from the release YAML:
    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
Or install with Helm:
    helm repo add jetstack https://charts.jetstack.io
    helm search repo cert-manager
    kubectl create namespace cert-manager
    helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.7.2 --set installCRDs=true
2. Obtain an Alibaba Cloud AK/SK (with the AliyunDNSFullAccess permission; a custom, narrower policy also works, see the official Alibaba Cloud documentation)
3. Create a Secret holding the AK/SK that has Alibaba Cloud DNS modification rights
    kubectl apply -f alidns-secret.yaml
    # alidns-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: alidns-secret
      namespace: cert-manager
    stringData:
      access-key: YOUR_ACCESS_KEY   # Alibaba Cloud AK with DNS permissions
      secret-key: YOUR_SECRET_KEY   # Alibaba Cloud SK with DNS permissions
4. Install the alidns webhook
    wget https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
Replace acme.yourcompany.com in the file with your own domain, then apply the bundle:
    sed -i 's/acme.yourcompany.com/acme.chandz.com/g' bundle.yaml
    kubectl apply -f bundle.yaml
5. Create the ClusterIssuer
    kubectl apply -f clusterissuer.yaml
    kubectl get clusterissuers.cert-manager.io
    # clusterissuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt
    spec:
      acme:
        # Change to your letsencrypt email
        email: duanshuaixing@gmail.com   # applicant's e-mail address
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-account-key
        solvers:
        - dns01:
            webhook:
              groupName: acme.chandz.com   # must match the groupName defined in bundle.yaml
              solverName: alidns
              config:
                region: ""
                accessKeySecretRef:
                  name: alidns-secret
                  key: access-key
                secretKeySecretRef:
                  name: alidns-secret
                  key: secret-key
6. Create the Certificate
    # create the Certificate
    kubectl apply -f certificate.yaml
    # check the Certificate
    kubectl get certificate
    # A freshly created Certificate shows READY=False. cert-manager creates a TXT record in DNS for the challenge
    # and, once the certificate has been issued, the READY field changes to True.
    # view the issued certificate
    kubectl get secrets chandz-com-tls -o json | jq --raw-output '.data["tls.crt"]' | base64 -d
    # certificate.yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: chandz-com-tls
    spec:
      secretName: chandz-com-tls
      dnsNames:   # dnsNames lists the domain names this certificate may be used for
      - chandz.com
      - "*.chandz.com"
      issuerRef:
        name: letsencrypt
        kind: ClusterIssuer
II. Using the certificate
    kubectl apply -f nginx.yaml
    # nginx.yaml
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: nginx
      name: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - image: nginx:latest
            name: nginx
            imagePullPolicy: IfNotPresent
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-https
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tls-ingress
    spec:
      ingressClassName: nginx
      rules:
      - host: "tls-test.chandz.com"
        http:
          paths:
          - pathType: ImplementationSpecific
            path:
            backend:
              service:
                name: nginx-https
                port:
                  number: 80
      tls:
      - hosts:
        - tls-test.chandz.com
        secretName: chandz-com-tls
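The pieces above have to agree with each other before anything is issued or served: the ClusterIssuer groupName must equal the group written into bundle.yaml, the secret references must point at keys that actually exist in a Secret in cert-manager's namespace, and every host in the Ingress tls section must be covered by the Certificate's dnsNames, where "*.chandz.com" covers exactly one label (tls-test.chandz.com) but not the apex chandz.com, which is why the Certificate lists both. The following preflight checker is an added example, not code from the post or from cert-manager or alidns-webhook; it transcribes the post's manifests into Python dicts as constructed sample data (in practice you would load them with PyYAML or from kubectl -o json) and the check names and messages are its own.

```python
"""Preflight consistency checks for the cert-manager + alidns-webhook setup.

Added example. The manifests below are constructed sample data transcribed
from the post; only the standard library is used.
"""
from __future__ import annotations

# Group written into bundle.yaml by the sed command (APIService .spec.group).
BUNDLE_API_GROUP = "acme.chandz.com"

ALIDNS_SECRET = {
    "metadata": {"name": "alidns-secret", "namespace": "cert-manager"},
    "stringData": {"access-key": "YOUR_ACCESS_KEY", "secret-key": "YOUR_SECRET_KEY"},
}

CLUSTER_ISSUER = {
    "metadata": {"name": "letsencrypt"},
    "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
        "groupName": "acme.chandz.com",
        "solverName": "alidns",
        "config": {
            "accessKeySecretRef": {"name": "alidns-secret", "key": "access-key"},
            "secretKeySecretRef": {"name": "alidns-secret", "key": "secret-key"},
        },
    }}}]}},
}

CERTIFICATE = {
    "metadata": {"name": "chandz-com-tls"},
    "spec": {
        "secretName": "chandz-com-tls",
        "dnsNames": ["chandz.com", "*.chandz.com"],
        "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"},
    },
}

INGRESS = {
    "metadata": {"name": "tls-ingress"},
    "spec": {"tls": [{"hosts": ["tls-test.chandz.com"], "secretName": "chandz-com-tls"}]},
}


def san_matches(pattern: str, host: str) -> bool:
    """Match a host against one dnsName the way TLS clients do (RFC 6125 style):
    a leading '*' covers exactly one DNS label, so '*.chandz.com' matches
    'tls-test.chandz.com' but neither the apex 'chandz.com' nor 'a.b.chandz.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".chandz.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def uncovered_hosts(certificate: dict, ingress: dict) -> list[str]:
    """Ingress TLS hosts that none of the Certificate's dnsNames cover."""
    names = certificate["spec"]["dnsNames"]
    return [h for tls in ingress["spec"]["tls"] for h in tls["hosts"]
            if not any(san_matches(n, h) for n in names)]


def preflight(bundle_group: str, issuer: dict, secret: dict,
              certificate: dict, ingress: dict) -> list[str]:
    """Return human-readable problems; an empty list means every check passed."""
    problems: list[str] = []
    webhook = issuer["spec"]["acme"]["solvers"][0]["dns01"]["webhook"]

    # 1. The issuer's groupName must be the group the webhook registered via bundle.yaml.
    if webhook["groupName"] != bundle_group:
        problems.append(f"ClusterIssuer groupName {webhook['groupName']!r} != "
                        f"webhook bundle group {bundle_group!r}")

    # 2. A ClusterIssuer resolves its Secret references in cert-manager's cluster
    #    resource namespace (by default the namespace cert-manager runs in).
    if secret["metadata"]["namespace"] != "cert-manager":
        problems.append("alidns Secret is not in the cert-manager namespace")
    keys = set(secret.get("stringData", {})) | set(secret.get("data", {}))
    for ref_name in ("accessKeySecretRef", "secretKeySecretRef"):
        ref = webhook["config"][ref_name]
        if ref["name"] != secret["metadata"]["name"]:
            problems.append(f"{ref_name} points at Secret {ref['name']!r}, "
                            f"not {secret['metadata']['name']!r}")
        elif ref["key"] not in keys:
            problems.append(f"{ref_name} key {ref['key']!r} missing from Secret {ref['name']!r}")

    # 3. Certificate -> issuer and Ingress -> certificate Secret wiring.
    if certificate["spec"]["issuerRef"]["name"] != issuer["metadata"]["name"]:
        problems.append("Certificate issuerRef does not name the ClusterIssuer")
    for tls in ingress["spec"]["tls"]:
        if tls["secretName"] != certificate["spec"]["secretName"]:
            problems.append(f"Ingress tls secretName {tls['secretName']!r} != "
                            f"Certificate secretName {certificate['spec']['secretName']!r}")

    # 4. Every TLS host must be covered by the certificate, wildcard rules included.
    for host in uncovered_hosts(certificate, ingress):
        problems.append(f"Ingress host {host!r} not covered by dnsNames {certificate['spec']['dnsNames']}")
    return problems


if __name__ == "__main__":
    issues = preflight(BUNDLE_API_GROUP, CLUSTER_ISSUER, ALIDNS_SECRET, CERTIFICATE, INGRESS)
    print("\n".join(issues) if issues else "all preflight checks passed")
```

Running the script on the post's manifests reports no problems; dropping "chandz.com" from dnsNames while routing the apex through the Ingress, or forgetting the sed edit so the groupName no longer matches, each shows up as a single line before you wait on a Certificate that will never become Ready.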
III. Code repository
https://github.com/duanshuaixing/tools/tree/master/cert-mamager