k8s 1.23: Using cert-manager to automatically issue certificates for an Alibaba Cloud DNS domain
Environment:
k8s: 1.23.1
helm: 3.8.1
Registered (ICP-filed) domain: chandz.com
I. Base environment configuration
0. Image list

    quay.io/jetstack/cert-manager-cainjector:v1.7.2
    quay.io/jetstack/cert-manager-controller:v1.7.2
    quay.io/jetstack/cert-manager-webhook:v1.7.2
    pragkent/alidns-webhook:0.1.1

1. Install cert-manager
Install from YAML:

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml

Install with Helm:

    helm repo add jetstack https://charts.jetstack.io
    helm search repo cert-manager
    kubectl create namespace cert-manager
    helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.7.2 --set installCRDs=true

2. Obtain an Alibaba Cloud AK/SK (with the AliyunDNSFullAccess permission; a custom permission policy can also be used, see the official Alibaba Cloud documentation for details)
3. Create a secret holding an AK/SK that has permission to modify Alibaba Cloud DNS
4. Install the alidns webhook

    wget https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml

Replace acme.yourcompany.com in the file with your own domain:

    sed -i s/'acme.yourcompany.com'/'acme.chandz.com'/g bundle.yaml

5. Create the ClusterIssuer

    kubectl apply -f clusterissuer.yaml
    kubectl get clusterissuers.cert-manager.io

    # clusterissuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt
    spec:
      acme:
        # Change to your letsencrypt email
        email: duanshuaixing@gmail.com  # applicant's email address
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-account-key
        solvers:
        - dns01:
            webhook:
              groupName: acme.chandz.com  # must match the groupName defined in bundle.yaml
              solverName: alidns
              config:
                region: ""
                accessKeySecretRef:
                  name: alidns-secret
                  key: access-key
                secretKeySecretRef:
                  name: alidns-secret
                  key: secret-key

6. Create the Certificate

    # Create the certificate
    kubectl apply -f certificate.yaml
    # View the certificate
    kubectl get certificate
    # A newly created certificate has READY=False; a TXT record is created automatically
    # in DNS to get the certificate issued, after which the READY field becomes True
    # View the issued certificate
    kubectl get secrets chandz-com-tls -o json | jq --raw-output '.data["tls.crt"]' | base64 -d

    # certificate.yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: chandz-com-tls
    spec:
      secretName: chandz-com-tls
      dnsNames:  # dnsNames specifies which domain names this certificate can be used for
      - chandz.com
      - "*.chandz.com"
      issuerRef:
        name: letsencrypt
        kind: ClusterIssuer

II. Using the certificate

    kubectl apply -f nginx.yaml

    # nginx.yaml
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: nginx
      name: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - image: nginx:latest
            name: nginx
            imagePullPolicy: IfNotPresent
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-https
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tls-ingress
    spec:
      ingressClassName: nginx
      rules:
      - host: "tls-test.chandz.com"
        http:
          paths:
          - pathType: ImplementationSpecific
            path:
            backend:
              service:
                name: nginx-https
                port:
                  number: 80
      tls:
      - hosts:
        - tls-test.chandz.com
        secretName: chandz-com-tls

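An added example (not from the original post): a POSIX shell check that goes one step past printing tls.crt in step 6, using openssl to confirm that the certificate's SANs cover the Ingress host and that it is not close to expiry. The function names, the 30-day threshold and the `default` namespace are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# cert_covers PEM HOST: succeed if a SAN in the leaf certificate matches HOST.
# openssl applies wildcard rules: "*.chandz.com" matches exactly one label.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# cert_valid_for PEM DAYS: succeed if the certificate is still valid DAYS from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_pem PEM MIN_DAYS HOST...: report every check, return 1 if any failed.
check_pem() {
  cp_pem=$1; cp_days=$2; shift 2; cp_rc=0
  openssl x509 -in "$cp_pem" -noout -issuer -enddate || return 2
  if ! cert_valid_for "$cp_pem" "$cp_days"; then
    echo "FAIL: expires within $cp_days days"; cp_rc=1
  fi
  for cp_host in "$@"; do
    if cert_covers "$cp_pem" "$cp_host"; then
      echo "ok:   SAN covers $cp_host"
    else
      echo "FAIL: no SAN covers $cp_host"; cp_rc=1
    fi
  done
  return "$cp_rc"
}

# check_secret SECRET NAMESPACE MIN_DAYS HOST...: same checks against the
# tls.crt stored in the cluster (needs kubectl access to the secret).
check_secret() {
  cs_secret=$1; cs_ns=$2; cs_days=$3; shift 3
  cs_pem=$(mktemp) || return 2
  kubectl -n "$cs_ns" get secret "$cs_secret" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > "$cs_pem"
  check_pem "$cs_pem" "$cs_days" "$@" && cs_rc=0 || cs_rc=$?
  rm -f "$cs_pem"
  return "$cs_rc"
}

# Usage (namespace "default" and the 30-day threshold are assumptions):
#   check_secret chandz-com-tls default 30 chandz.com tls-test.chandz.com
```

A host such as a.b.chandz.com fails this check, because the wildcard entry in dnsNames covers only a single label below chandz.com.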
III. Code repository
https://github.com/duanshuaixing/tools/tree/master/cert-mamager