cert-manager is a tool that automatically manages TLS certificates in a Kubernetes cluster. It supports multiple certificate providers, can issue, configure and manage certificates automatically, and renews certificates before they expire.
wget https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
kubectl apply -f cert-manager.yaml
kubectl get pods --namespace cert-manager
How cert-manager is used differs depending on the Ingress type the Kubernetes cluster runs; this example uses Traefik.
1. Create the certificate issuer
vim cluster-issuer.yaml
# Let's Encrypt production issuer. A ClusterIssuer is cluster-scoped, so it takes no metadata.namespace;
# the namespace line from the original manifest has been dropped here.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    # Secret in which cert-manager stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: traefik
Notes:
2. Create the Ingress
vim traefik-ingress.yaml
# Ingress for the two hosts; the cluster-issuer annotation makes cert-manager
# create a Certificate for each tls entry and store it in the named Secret
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hty1024-app-ingress
  namespace: hty1024-app
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - secretName: hty1024.com
    hosts:
    - hty1024.com
  - secretName: wiki.hty1024.com
    hosts:
    - wiki.hty1024.com
  rules:
  - host: hty1024.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hty1024-app-halo-service
            port:
              number: 8090
  - host: wiki.hty1024.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hty1024-app-wikijs-service
            port:
              number: 8090
3. Check the certificate status
kubectl get secret <secret-name> -n <namespace>
kubectl get certificates -n <namespace>
kubectl get certificaterequests -n <namespace>
kubectl describe certificate <certificate-name> -n <namespace>
kubectl describe certificaterequest <certificaterequest-name> -n <namespace>
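The commands above show the status by hand; the following added Python script (not part of the original post) reads the JSON that `kubectl get certificate <certificate-name> -n <namespace> -o json` returns and flags the conditions worth alerting on: a Ready condition that is not True, an issuerRef that does not match the letsencrypt-prod ClusterIssuer, too little validity left, or a renewalTime that has passed without renewal (typically a failing HTTP-01 solver). The Certificate object embedded below is a constructed sample, not real cluster output.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `kubectl get certificate hty1024.com -n hty1024-app -o json`
# after cert-manager has issued the certificate (not output from a real cluster).
SAMPLE_CERTIFICATE_JSON = """{
  "apiVersion": "cert-manager.io/v1",
  "kind": "Certificate",
  "metadata": {"name": "hty1024.com", "namespace": "hty1024-app"},
  "spec": {"dnsNames": ["hty1024.com"], "secretName": "hty1024.com",
           "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
  "status": {
    "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                    "message": "Certificate is up to date and has not expired"}],
    "notBefore": "2025-01-01T00:00:00Z",
    "notAfter": "2025-04-01T00:00:00Z",
    "renewalTime": "2025-03-02T00:00:00Z"
  }
}"""

def _parse_time(value):
    # cert-manager writes RFC 3339 timestamps in UTC, e.g. 2025-04-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_certificate(cert_json, now_rfc3339=None, min_days_left=14,
                      expected_issuer="letsencrypt-prod"):
    """Summarise one Certificate object; now_rfc3339=None means the current time."""
    now = _parse_time(now_rfc3339) if now_rfc3339 else datetime.now(timezone.utc)
    cert = json.loads(cert_json)
    status = cert.get("status", {})
    problems = []
    # Ready must be "True"; anything else means issuance is pending or failed
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    is_ready = ready is not None and ready.get("status") == "True"
    if not is_ready:
        problems.append("not ready: " + (ready or {}).get("message", "no Ready condition"))
    # The Ingress annotation must resolve to the ClusterIssuer that was actually deployed
    ref = cert.get("spec", {}).get("issuerRef", {})
    if ref.get("kind") != "ClusterIssuer" or ref.get("name") != expected_issuer:
        problems.append(f"unexpected issuerRef {ref}")
    days_left, renewal_overdue = None, False
    if "notAfter" in status:
        days_left = (_parse_time(status["notAfter"]) - now).days
        if days_left < min_days_left:
            problems.append(f"only {days_left} days of validity left")
    if "renewalTime" in status and now >= _parse_time(status["renewalTime"]):
        # Past renewalTime but still on the old certificate: check the CertificateRequest
        renewal_overdue = True
        problems.append("renewalTime has passed but the certificate was not renewed")
    return {"ready": is_ready, "days_left": days_left,
            "renewal_overdue": renewal_overdue, "problems": problems}
```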
To uninstall cert-manager, delete everything that cert-manager.yaml created. Note that this also removes the cert-manager CRDs, and with them every Certificate, Issuer and ClusterIssuer object in the cluster.
kubectl delete -f cert-manager.yaml