cert-manager安装
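# cert-manager install. CRDs are applied separately (installCRDs=false below),
# so they MUST come from the same release as the chart: the original pulled the
# v1.11.1 CRDs while installing the v1.12.9 chart. One variable keeps them in sync.
CM_VERSION=v1.12.9

helm repo add jetstack https://charts.jetstack.io
helm repo update

# CRDs from the matching release.
wget "https://github.com/cert-manager/cert-manager/releases/download/${CM_VERSION}/cert-manager.crds.yaml"
kubectl apply -f cert-manager.crds.yaml

# Pinned chart version; Prometheus ServiceMonitor support disabled.
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version "${CM_VERSION}" \
  --set installCRDs=false \
  --set prometheus.enabled=false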
签发单域名证书
安装ClusterIssuer
# cat letsencrypt-prod-istio-ClusterIssuer.yaml
# Cluster-wide ACME (Let's Encrypt production) issuer; HTTP-01 challenges are
# served through an Ingress of class "istio".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-istio
spec:
  acme:
    # Account contact for expiry and incident notices.
    email: ccreate-tech@outlook.com
    # Empty string: accept the CA's default chain.
    preferredChain: ""
    # Secret holding the ACME account private key (lives in cert-manager's
    # cluster-resource namespace, since this is a ClusterIssuer).
    privateKeySecretRef:
      name: letsencrypt-prod-istio-issuer-account-key
    # Production endpoint; it is rate-limited, so validate against staging first.
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio  # the challenge Ingress is picked up by the Istio ingress gateway
          # Author's disabled alternative: annotate the solver Ingress/Pod directly
          # (note: annotations belong under metadata.annotations).
          #          ingressTemplate:
          #            metadata:
          #                kubernetes.io/ingress.class: istio
          #          podTemplate:
          #            metadata:
          #                sidecar.istio.io/inject: "true"创建 ClusterIssuer
# cat acme-all-abc-com-certificate.yaml
# One SAN certificate covering four hostnames, issued by the HTTP-01 ClusterIssuer above.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # NOTE(review): resource name differs from the file and secretName (acme-all-abc-com);
  # harmless, but pick one naming scheme.
  name: acme-all-yunchuangbangong-com
  # The issued TLS Secret is created in this namespace — presumably istio-system so the
  # Istio ingress gateway can reference it; confirm against the Gateway definition.
  namespace: istio-system
spec:
  # Every name must resolve to the Istio gateway for its HTTP-01 challenge to pass.
  dnsNames:
  - api.abc.com
  - app.abc.com
  - adm.abc.com
  - h5.abc.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod-istio
  secretName: acme-all-abc-com
签发阿里云泛域名证书
安装alidns-webhook
alidns webhook github地址: https://github.com/pragkent/alidns-webhook
mkdir alidns-webhook && cd alidns-webhook
# bundle.yaml is pulled from the repo's master branch (unpinned); review it before
# applying and pin to a tag or commit where possible.
wget https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
# Replace the placeholder API group acme.yourcompany.com with your own; the
# ClusterIssuer's dns01.webhook.groupName must use exactly the same value.
sed -i s/'acme.yourcompany.com'/'acme.kaixinok.com'/g bundle.yaml
# Deploy the alidns-webhook
kubectl apply -f bundle.yaml
# Create the Secret with the Alibaba Cloud DNS credentials (keys access-key /
# secret-key are referenced by the ClusterIssuer). --from-literal puts the values
# into shell history and the process list; prefer --from-file or --from-env-file,
# and scope the cloud key to DNS record management only.
kubectl -n cert-manager create secret generic alidns-secret --from-literal=access-key='YOUR_ACCESS_KEY' --from-literal=secret-key='YOUR_SECRET_KEY'
创建 ClusterIssuer
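# cat letsencrypt-clusterissuer.yaml
# Cluster-wide ACME issuer that solves DNS-01 challenges through the alidns-webhook;
# DNS-01 is what makes the wildcard certificate below possible.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-clusterissuer
spec:
  acme:
    # Change to your letsencrypt email (expiry/incident notices go here)
    email: cc98760@qq.com
    server: https://acme-v02.api.letsencrypt.org/directory
    #server: https://acme-staging-v02.api.letsencrypt.org/directory  # test api
    # ACME account private key. NOTE: the name says "staging" while the server above
    # is production; cosmetic, but misleading when switching endpoints.
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - dns01:
        webhook:
          # Must equal the API group defined in bundle.yaml. The install step rewrote
          # it to acme.kaixinok.com; the original value acme.yibudw.com did not match.
          groupName: acme.kaixinok.com
          solverName: alidns
          config:
            region: ""
            # Secret created by `kubectl -n cert-manager create secret generic alidns-secret`;
            # key names must match the --from-literal keys used there.
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret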
              key: secret-key
创建证书
# cat yibudw.com-certificate.yaml
# Wildcard certificate; only possible through the DNS-01 ClusterIssuer above.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # NOTE(review): file/resource names say yibudw.com while the SANs are kaixinok.com — confirm.
  name: tls-yibudw.com
  namespace: istio-system
spec:
  # TLS Secret written into istio-system for the gateway to consume.
  secretName: tls-yibudw.com
  dnsNames:
  - kaixinok.com
  - "*.kaixinok.com"  # quoted: a bare leading * would be parsed as a YAML alias
  issuerRef:
    name: letsencrypt-clusterissuer
    kind: ClusterIssuer
查看创建结果
# kubectl get Issuer,ClusterIssuer,certificate,CertificateRequest,orders,challenges -A
创建自签证书
创建自签名issuer
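# Namespace plus a namespaced Issuer and a ClusterIssuer that self-sign.
# '>' instead of '>>': re-running the snippet must not append duplicate documents.
cat <<EOF > selfSigned-issuer.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: sandbox
spec:
  selfSigned: {}  # self-signed: certificates are signed with their own key
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}  # self-signed, referencable from any namespace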
EOF
创建自签名ca证书
selfsigned-issuer 自签:
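# Self-signed root CA (5y, isCA) issued by selfsigned-issuer. The CA key pair lands in
# Secret self-signed-ca in namespace sandbox — restrict RBAC access to that Secret.
# '>' instead of '>>': re-running the snippet must not append duplicate documents.
cat <<EOF > selfSigned-ca.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-ca
  namespace: sandbox
  labels:
    app: self-signed-ca
spec:
  secretName: self-signed-ca
  duration: 43800h # 5y (43800h = 1825 days)
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  commonName: "ca.example.com"
  isCA: true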
EOF
selfsigned-cluster-issuer 自签:
# Cluster-wide variant of the CA above: issued by the self-signed ClusterIssuer and
# stored in cert-manager's own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-cluster-ca
  namespace: cert-manager
  labels:
    app: self-signed-ca  # NOTE(review): label copied from self-signed-ca; likely meant self-signed-cluster-ca
spec:
  # CA key pair is written here; restrict access to this Secret.
  secretName: self-signed-cluster-ca
  duration: 43800h # 5y
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  commonName: "ca.video.com"
  isCA: true
创建证书issuer
# CA Issuer: signs leaf certificates with the key pair stored in Secret self-signed-ca
# (produced by the self-signed-ca Certificate above).
cat <<EOF> issuer.yaml 
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-com-ca
  namespace: sandbox
  labels:
    app: example-com-ca
spec:
  ca:
    # Secret must contain a CA cert/key (self-signed-ca has isCA: true).
    secretName: self-signed-ca
EOF
获取证书和key
# Extract the key pair from the TLS Secret (it exists only once the
# www-example-com-tls Certificate below is Ready). tls.key is the private key:
# write it with restrictive permissions (e.g. under umask 077) and do not commit it.
kubectl -n sandbox get secrets www-example-com-tls -ojsonpath='{.data.tls\.key}'  | base64 -d > tls.key
kubectl -n sandbox get secrets www-example-com-tls -ojsonpath='{.data.tls\.crt}'  | base64 -d > tls.crt
签发证书
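# Leaf certificate for www.example.com, signed by the CA Issuer example-com-ca.
cat <<EOF> www_example_com.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com-tls
  namespace: sandbox
  labels:
    app: www-example-com
spec:
  secretName: www-example-com-tls
  duration: 8760h # 1y
  # kind omitted: cert-manager defaults to a namespaced Issuer
  issuerRef:
    name: example-com-ca
  commonName: "www.example.com"
  dnsNames:
  - www  # bare short name without a domain suffix
  - www.example.com
  - www1.example.com
  - www2.example.com
  - www.internal.example.com
EOF
# The heredoc terminator above was fused with the next command in the original
# ("EOFcat ..."), so the first heredoc never closed; each terminator must be a bare
# EOF on its own line with no trailing whitespace (the final one had a trailing space).
#
# Second leaf: issued directly by the self-signed ClusterIssuer, so it is NOT chained
# to self-signed-cluster-ca even though it reuses that CA's commonName — presumably a
# CA issuer backed by that Secret was intended; confirm.
cat <<EOF > video.api.com.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: video-api-com-tls
  namespace: default
  labels:
    app: video-api-com
spec:
  secretName: video-api-com-tls
  duration: 8760h # 1y
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  commonName: "ca.video.com"
  dnsNames:
  - video.api.com
  - www.api.com
  - test.api.com
  - ops.api.com
EOF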
       
       
         
      