Installing cert-manager on k8s for automatic Let's Encrypt certificate issuance

      1. Create the namespace
        kubectl create namespace cert-manager
      2. Install the CRDs
        kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
      3. Label the cert-manager namespace with disable-validation
        kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
      4. Add jetstack to the helm repos
        helm repo add jetstack https://charts.jetstack.io
      5. Update the helm repositories
        helm repo update
      6. Install cert-manager (this command applies the release manifest with kubectl rather than the helm chart)
        kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
      7. Create the ClusterIssuer
        kubectl apply -f issuer.yaml
        # issuer.yaml
        apiVersion: cert-manager.io/v1alpha2
        kind: ClusterIssuer
        metadata:
          name: letsencrypt-prod # name of the issuer, referenced later
        spec:
          acme:
            # Email address; a notice is sent here before a certificate expires
            email: admin@arfront.com
            server: https://acme-v02.api.letsencrypt.org/directory
            privateKeySecretRef:
              name: issuer-key
            solvers:
            - http01:
                ingress:
                  class: nginx
      8. Test
        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-prod # this annotation is required; letsencrypt-prod is the name of the issuer above
          name: nginx
          namespace: default
        spec:
          rules:
          - host: dev.arfront.cn
            http:
              paths:
              - backend:
                  serviceName: nginx
                  servicePort: 80
                pathType: ImplementationSpecific
          tls:
          - hosts:
            - dev.arfront.cn
            secretName: dev.arfront.cn # the certificate's domain name
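
A pre-flight check for the wiring between steps 7 and 8, as an added example that is not part of the original article: it takes the Ingress as parsed JSON (`kubectl get ingress nginx -o json`) plus the names of the existing ClusterIssuers and lists the reasons no certificate would be requested. The function name `check_ingress` and the sample JSON are constructed for illustration. It assumes that a tls entry needs both hosts and a secretName, and that the pre-v0.11 annotation key `certmanager.k8s.io/cluster-issuer` is ignored by v0.11.

```python
import json

ANNOTATION = "cert-manager.io/cluster-issuer"            # key used from v0.11 on
LEGACY_ANNOTATION = "certmanager.k8s.io/cluster-issuer"  # pre-v0.11 key

def check_ingress(ingress, cluster_issuers):
    """Return a list of problems that would stop a certificate being issued.

    ingress: dict parsed from `kubectl get ingress <name> -o json`
    cluster_issuers: set of ClusterIssuer names present in the cluster
    """
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    issuer = annotations.get(ANNOTATION)
    if issuer is None:
        if LEGACY_ANNOTATION in annotations:
            problems.append(f"annotation uses the old key {LEGACY_ANNOTATION}")
        else:
            problems.append(f"missing annotation {ANNOTATION}")
    elif issuer not in cluster_issuers:
        problems.append(f"ClusterIssuer {issuer!r} does not exist")

    tls_entries = ingress.get("spec", {}).get("tls") or []
    if not tls_entries:
        problems.append("spec.tls is empty, so no certificate is requested")
    for i, entry in enumerate(tls_entries):
        if not entry.get("hosts"):
            problems.append(f"tls[{i}] lists no hosts")
        if not entry.get("secretName"):
            problems.append(f"tls[{i}] has no secretName")
    return problems

# Constructed sample: the test Ingress from step 8, reduced to the checked fields.
SAMPLE = json.loads("""
{"metadata": {"name": "nginx", "namespace": "default",
              "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
 "spec": {"tls": [{"hosts": ["dev.arfront.cn"], "secretName": "dev.arfront.cn"}]}}
""")

if __name__ == "__main__":
    for line in check_ingress(SAMPLE, {"letsencrypt-prod"}) or ["ok"]:
        print(line)
```
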
Original article: https://www.cnblogs.com/flyingaway/p/13794190.html