k8s安装自动证书签发cert-manager letsencrypt

1. 创建 namespace
   

   kubectl create namespace cert-manager

2. 安装 crds
   

   kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

3. 标记命名空间 cert-manager 为 disable-validation
   

   kubectl lab el namespace cert-manager certmanager.k8s.io/disable-validation=true

4. 将 jetstack 加入到 helm repos
   

   helm repo add jetstack https://charts.jetstack.io

5. 更新 helm 仓库
   

   helm repo update

6. 使用helm chart 安装 cert-manager
   

   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml

7. 创建 clusterissuer
   

   kubectl apply -f issuer.yaml

   # issuer.yaml
   apiVersion: v1
   kind: ClusterIssuer
   metadata:
     name: letsencrypt-prod #这里是issuer的名称，后面要使用
   spec:
     acme:
       # 邮箱，证书过期前会发邮件到这个邮箱
       email: admin@arfront.com
       server: https://acme-v02.api.letsencrypt.org/directory
       privateKeySecretRef:
         name: issuer-key
       solvers:
       - http01:
           ingress:
             class: nginx

8. 测试

   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod #需要使用这个标记，letsencrypt-prod是上面issuer的名称
     name: nginx
     namespace: default
   spec:
     rules:
     - host: dev.arfront.cn
       http:
         paths:
         - backend:
             serviceName: nginx
             servicePort: 80
           pathType: ImplementationSpecific
     tls:
     - hosts:
       - dev.arfront.cn 
       secretName: dev.arfront.cn #证书的域名