Reference
https://cert-manager.io/docs/installation/kubernetes/
Post-installation test
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
Check the Issuer and the Certificate
kubectl get issuer,certificate -A
Set up a ClusterIssuer to test with
First, create a Secret
kubectl create secret tls tls-secret -n cert-manager --cert=/root/ssl/ca.pem --key=/root/ssl/ca-key.pem
Create the ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-cluster-issuer
spec:
  ca:
    secretName: tls-secret
Write an Ingress
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-cert-manager-ws-1
spec:
  selector:
    matchLabels:
      app: test-cert-manager-ws-1
  replicas: 1
  template:
    metadata:
      labels:
        app: test-cert-manager-ws-1
    spec:
      containers:
        - name: test-cert-manager-ws-1
          image: "xxxxxx.com/tensorflow-1.9.0:cuda9cudnn7-py3-workspace"
          command: ["jupyter"]
          args: ["lab","--port", "8888", "--ip", "*", "--allow-root", "--LabApp.base_url='/ws-1/'", "--NotebookApp.token='abcd'"]
          #args: ["lab","--port", "8888", "--ip", "0.0.0.0", "--allow-root"]
          ports:
            - name: http
              containerPort: 8888
---
kind: Service
apiVersion: v1
metadata:
  name: test-cert-manager-ws-svc-1
spec:
  selector:
    app: test-cert-manager-ws-1
  ports:
    - protocol: TCP
      port: 8888
      targetPort: http
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-cert-manager-ws-svc-1-ingress
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: ca-cluster-issuer
spec:
  tls:
    - secretName: cert-manager-ingress-test-certs
      hosts:
        - k8s.example.com
  rules:
    - http:
        paths:
          - path: /ws-1/
            backend:
              serviceName: test-cert-manager-ws-svc-1
              servicePort: 8888
Then check with kubectl get certificate -A
NAMESPACE   NAME                              READY   SECRET                            AGE
default     cert-manager-ingress-test-certs   True    cert-manager-ingress-test-certs   13h
If no Certificate appears
1. Check that this entry under annotations is correct:
cert-manager.io/cluster-issuer: yourclusterissuer
2. In the Ingress:
tls:
  - secretName: cert-manager-ingress-test-certs
    hosts:
      - k8s.example.com
The hosts field is required.
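The two troubleshooting checks above can be run mechanically against an Ingress before it is applied. The following is an added example, not part of the original notes or of cert-manager: the function name check_ingress and the sample objects are assumptions, and the secretName check goes one step beyond the list above (cert-manager also needs it to know where to store the certificate).

```python
import json

ANNOTATION = "cert-manager.io/cluster-issuer"

def check_ingress(ingress, cluster_issuers):
    """Return the reasons no Certificate would be created for this Ingress."""
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    issuer = annotations.get(ANNOTATION)
    if issuer is None:
        problems.append(f"annotation {ANNOTATION} is missing")
    elif issuer not in cluster_issuers:
        problems.append(f"annotation names unknown ClusterIssuer {issuer!r}")
    tls = ingress.get("spec", {}).get("tls") or []
    if not tls:
        problems.append("spec.tls is empty")
    for i, entry in enumerate(tls):
        if not entry.get("hosts"):
            problems.append(f"spec.tls[{i}].hosts is missing or empty")
        if not entry.get("secretName"):
            problems.append(f"spec.tls[{i}].secretName is missing")
    return problems

# Constructed sample: the Ingress from this page, in the JSON form that
# `kubectl get ingress <name> -o json` returns for a single object.
GOOD = json.loads("""
{
  "kind": "Ingress",
  "metadata": {
    "name": "test-cert-manager-ws-svc-1-ingress",
    "namespace": "default",
    "annotations": {"cert-manager.io/cluster-issuer": "ca-cluster-issuer"}
  },
  "spec": {
    "tls": [{"secretName": "cert-manager-ingress-test-certs",
             "hosts": ["k8s.example.com"]}]
  }
}
""")

# Constructed broken variant: issuer name mistyped and hosts left out.
BAD = json.loads(json.dumps(GOOD))
BAD["metadata"]["annotations"][ANNOTATION] = "ca-clusterissuer"
del BAD["spec"]["tls"][0]["hosts"]

if __name__ == "__main__":
    known = {"ca-cluster-issuer"}  # names as listed by `kubectl get clusterissuer`
    for label, obj in (("good", GOOD), ("bad", BAD)):
        print(label, check_ingress(obj, known) or "ok")
```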