As HTTPS becomes more widespread, many scenarios require it. In a Kubernetes environment, having every application obtain and renew its own HTTPS certificate is cumbersome, so we use cert-manager to issue certificates automatically.
Official documentation: https://cert-manager.io/docs/installation/kubernetes/#
This walkthrough uses Helm 3.
cert-manager: v1.2.0
1. Install the CustomResourceDefinitions
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml
2. Create the cert-manager namespace
kubectl create namespace cert-manager
3. Add the Helm repository
helm repo add jetstack https://charts.jetstack.io
helm repo update
4. Install cert-manager
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.2.0 \
  --create-namespace
5. Check that cert-manager was installed successfully
kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-85f9bbcd97-rxnw6              1/1     Running   0          45s
cert-manager-cainjector-74459fcc56-kj9fh   1/1     Running   0          45s
cert-manager-webhook-57d97ccc67-b7k76      1/1     Running   0          45s
At this point the cert-manager services are running, and the next step is to create an issuer. Since we normally expose services externally through nginx-ingress, we create an ACME ClusterIssuer that uses the HTTP-01 challenge.
6. Create the configuration file cluster-issuer-letsencrypt-dev.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dev
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
For a production environment, change the server address to https://acme-v02.api.letsencrypt.org/directory (the staging server above issues certificates that browsers do not trust).
7. Apply it
kubectl apply -f cluster-issuer-letsencrypt-dev.yaml
8. Check the issuer
kubectl get clusterissuer
NAME              READY   AGE
letsencrypt-dev   True    17s
9. Check the certificate status
kubectl get certificate -A
NAMESPACE   NAME                       READY   SECRET                     AGE
default     ithere-portal-pc-dev-tls   False   ithere-portal-pc-dev-tls   35s
10. Update the ingress section of the existing Helm values
ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-dev
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  hosts:
    - host: dev.xxx.info
      paths:
        - /
  tls:
    - secretName: ithere-portal-pc-dev-tls
      hosts:
        - dev.xxx.info
11. Visit the site and you can see that the certificate has been issued
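Once the Certificate shows READY True, it is worth inspecting what was actually placed in the TLS secret rather than trusting the browser padlock alone: a certificate from the staging server (the acme-staging-v02 URL in step 6) carries "(STAGING)" in its issuer name and is not trusted by browsers, and a wrong host or short remaining lifetime points at a misconfigured solver or renewal. The following check is an added example, not part of the original post; it assumes openssl is installed locally, and the function name, secret name and host come from the steps above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the certificate
# that cert-manager stored in the ingress TLS secret.
set -euo pipefail

# Usage: check_cert_pem CERT.pem HOSTNAME [MIN_DAYS]
# Exit status is a bitmask: 0 = looks good,
#   1 = issued by the Let's Encrypt *staging* CA (switch the ClusterIssuer
#       server to https://acme-v02.api.letsencrypt.org/directory),
#   2 = expires within MIN_DAYS days (default 14; cert-manager should have renewed),
#   4 = certificate does not cover HOSTNAME (check the ingress tls.hosts list).
check_cert_pem() {
  local pem=$1 host=$2 min_days=${3:-14} rc=0 issuer
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  echo "$issuer"
  openssl x509 -in "$pem" -noout -subject -enddate

  # Let's Encrypt staging intermediates carry "(STAGING)" in their name.
  if printf '%s' "$issuer" | grep -q '(STAGING)'; then
    echo "WARN: staging certificate, browsers will not trust it"
    rc=$((rc | 1))
  fi
  # -checkend exits non-zero when the certificate expires within the window.
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "WARN: expires within ${min_days} days"
    rc=$((rc | 2))
  fi
  # -checkhost prints "does match" / "does NOT match"; its exit status is 0 either way.
  if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q ' does match'; then
    echo "WARN: certificate does not cover ${host}"
    rc=$((rc | 4))
  fi
  return "$rc"
}

# Pull the live certificate out of the secret named in the ingress tls block:
#   kubectl get secret ithere-portal-pc-dev-tls -n default \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/live.pem
#   check_cert_pem /tmp/live.pem dev.xxx.info
```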