  • Automatic HTTPS certificate issuance tool: cert manager

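    cert manager was recently upgraded and no longer supports versions below 0.11, so I upgraded. However, I found that it cannot be upgraded simply by changing the image version, and the version in Apps is also an old one, which turned out to be unsupported after deployment. So I did it myself and, following the documentation, put together a procedure for deploying cert manager.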

    Steps
    1. create namespace

    kubectl create namespace cert-manager

    2. install custom resource definition

    kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

    3. label cert-manager as disable-validation

    kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

    4. add jetstack helm repos

    helm repo add jetstack https://charts.jetstack.io

    5. update local helm chart repository

    helm repo update

    6. install cert-manager with helm chart

    helm install --name cert-manager --namespace cert-manager --version v0.11.0 jetstack/cert-manager

    7. create a clusterissuer

    kubectl apply -f issuer.yaml
    # issuer.yaml
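    # cert-manager v0.11 serves ClusterIssuer under the cert-manager.io/v1alpha2 API
    apiVersion: cert-manager.io/v1alpha2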
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        # You must replace this email address with your own.
        # Let's Encrypt will use this to contact you about expiring
        # certificates, and issues related to your account.
        email: admin@arfront.com
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # Secret resource used to store the account's private key.
          name: issuer-key
        # Add a single challenge solver, HTTP01 using nginx
        solvers:
        - http01:
            ingress:
              class: nginx
    

    8. config annotation in your ingress

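    # serviceName/servicePort are the v1beta1 Ingress fields
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: my-nginx
      annotations:
        # config the cluster issuer defined in issuer.yaml
        # (cert-manager v0.11 reads the cert-manager.io/ prefix, not certmanager.k8s.io/)
        cert-manager.io/cluster-issuer: letsencrypt-prod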
    spec:
      rules:
      - host: test.nginx.com # dns for your ingress
        http:
          paths:
          - backend:
              serviceName: my-nginx
              servicePort: 443
            path: /
      tls: #enable tls 
      #secretName for this ingress,this will be stored in certificates
      - secretName: test-nginx-secret 
        hosts:
        - test.nginx.com  # dns for your ingress
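
cert-manager v0.11 renamed its API group from certmanager.k8s.io (apiVersion certmanager.k8s.io/v1alpha1) to cert-manager.io (cert-manager.io/v1alpha2), which affects issuer manifests and Ingress annotations like those in steps 7 and 8. The script below is an added example, not part of the original post: it lists and rewrites the old names in a saved manifest. The function names and the sample manifest are constructed for illustration, and only the group names are rewritten, so spec fields still need checking by hand.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print each line (with its number) that still uses the pre-0.11 API group.
legacy_refs() {
  grep -n 'certmanager\.k8s\.io' "$1" || true
}

# Number of such lines; 0 means nothing is left to migrate.
legacy_count() {
  legacy_refs "$1" | grep -c . || true
}

# Write the manifest to stdout with the v0.11 names. Only the apiVersion and
# the issuer annotations are rewritten; other certmanager.k8s.io keys are
# kept so they show up in legacy_refs for manual review.
migrate_manifest() {
  sed -E \
    -e 's#^([[:space:]]*apiVersion:[[:space:]]*)certmanager\.k8s\.io/v1alpha1#\1cert-manager.io/v1alpha2#' \
    -e 's#certmanager\.k8s\.io/(cluster-issuer|issuer)[[:space:]]*:#cert-manager.io/\1:#' \
    "$1"
}

# Constructed sample input: a pre-0.11 ClusterIssuer and an annotated Ingress.
sample_manifest() {
  cat <<'EOF'
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    certmanager.k8s.io/acme-challenge-type: http01
EOF
}

tmp=$(mktemp)
sample_manifest > "$tmp"
echo "legacy references before: $(legacy_count "$tmp")"
migrate_manifest "$tmp" > "$tmp.new"
echo "left for manual review:"
legacy_refs "$tmp.new"
rm -f "$tmp" "$tmp.new"
```
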

    Troubleshooting
    1. serviceaccount Tiller not found

    kubectl apply -f tiller.yaml
    
    #tiller.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tiller
      namespace: cert-manager
    ---
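    # ClusterRoleBinding belongs to the RBAC API group, not core v1
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: tiller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      # cluster-admin gives Tiller full control of the whole cluster
      name: cluster-admin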
    subjects:
      - kind: ServiceAccount
        name: tiller
        namespace: cert-manager
    
  • Original article: https://www.cnblogs.com/flyingaway/p/11811964.html