When cert-manager issues a certificate in the ordinary way, the DNS A record for the name already resolves to the public IP of the load balancer sitting in front of the Ingress.

Case 1: the cluster has a public IP, so validation uses the HTTP-01 challenge. Let's Encrypt fetches a token from http://<host>/.well-known/acme-challenge/<token> on port 80, and cert-manager serves it through a temporary Ingress of the named class. This only works if the name really resolves to that load balancer and port 80 is reachable from the Internet.

Prepare cluster-issuer.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod1
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: zhangranrui@rendoumi.com
    privateKeySecretRef:
      # Secret holding the ACME account key (not the certificate keys)
      name: letsencrypt-prod1
    solvers:
      - http01:
          ingress:
            # class of the Ingress cert-manager creates for the challenge;
            # newer cert-manager releases also accept ingressClassName here
            class: nginx
Case 2: the cluster is on an internal network with no public IP at all, so validation over ports 80/443 is impossible and the only option is the DNS-01 challenge, where cert-manager proves control of the domain by publishing a TXT record at _acme-challenge.<host>. DNS-01 is also the only challenge that can issue wildcard certificates.

Taking DNS hosted on Cloudflare as an example, we need a Cloudflare API token, store it in a Secret, and then define the ClusterIssuer. Scope the token to the minimum cert-manager needs (Zone:DNS:Edit on the zone in question plus Zone:Zone:Read), since anyone who can read the Secret can rewrite that zone. The Secret must live in the namespace cert-manager uses for ClusterIssuer resources (the namespace cert-manager is installed in, set by --cluster-resource-namespace); otherwise the issuer cannot find it. Prefer creating the Secret with kubectl create secret from a file or environment variable rather than committing the token to a YAML file.
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  # must be the namespace cert-manager reads ClusterIssuer secrets from
  namespace: cert-manager
type: Opaque
stringData:
  api-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod2
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: zhangranrui@rendoumi.com
    privateKeySecretRef:
      name: letsencrypt-prod2
    solvers:
      - dns01:
          cloudflare:
            # email is only required with the legacy global API key
            # (apiKeySecretRef); it is ignored when an API token is used
            email: zhangranrui@rendoumi.com
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
The only difference between the two issuers is the solvers block.

Finally, annotate the Ingress and the certificate is issued automatically; pointing cert-manager.io/cluster-issuer at a different ClusterIssuer selects a different validation method. The names listed under tls.hosts are the ones that end up in the certificate, and tls.secretName is the Secret cert-manager stores the issued key pair in (it must be set, or no Certificate is created).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-rednoumi-com-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod1"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - test.rendoumi.com
      secretName: test-rendoumi-com-tls
  rules:
    - host: test.rendoumi.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
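A preflight that applies the rule this post is built around: HTTP-01 only succeeds if every TLS host resolves to a public address, DNS-01 works for private clusters and is the only challenge allowed for wildcard names. This is an added example, not code from the post or from cert-manager; the Ingress is the one above in parsed form, the issuer-to-solver map is taken from the two ClusterIssuers above, and the DNS answers are constructed sample data standing in for a real lookup.

```python
"""Preflight for an Ingress that asks cert-manager for a certificate.

Added example, not part of the original post or of cert-manager itself.
For each TLS host it reports whether the ClusterIssuer named in the
annotation can actually complete the ACME challenge.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

ANNOTATION = "cert-manager.io/cluster-issuer"

# Solver type behind each ClusterIssuer defined in the post.
ISSUER_SOLVERS = {"letsencrypt-prod1": "http01", "letsencrypt-prod2": "dns01"}

# Constructed sample lookup results; a real run would resolve the names
# through public resolvers, since that is what the CA sees.
SAMPLE_DNS: Dict[str, List[str]] = {
    "test.rendoumi.com": ["1.2.3.4"],          # public address (constructed)
    "intranet.rendoumi.com": ["10.20.30.40"],  # RFC 1918, private cluster
    "missing.rendoumi.com": [],                # no record at all
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def check_host(host: str, solver: str, ips: List[str]) -> Optional[str]:
    """Return None if `solver` can validate `host`, else the reason it cannot."""
    if host.startswith("*."):
        # ACME only permits wildcard identifiers via the dns-01 challenge.
        return None if solver == "dns01" else "wildcard names require a dns01 solver"
    if solver == "dns01":
        # The CA only queries _acme-challenge.<host> TXT, so the name need not
        # resolve to anything reachable; a fully private cluster is fine.
        return None
    if solver == "http01":
        if not ips:
            return "no A/AAAA record; the CA cannot reach port 80 for HTTP-01"
        for ip in ips:
            if not ipaddress.ip_address(ip).is_global:
                return f"resolves to non-public address {ip}; HTTP-01 will fail"
        return None
    return f"unknown solver type {solver!r}"


def preflight(ingress: dict, resolve: Callable[[str], List[str]],
              issuers: Dict[str, str] = ISSUER_SOLVERS) -> Dict[str, Optional[str]]:
    """Map each TLS host of the Ingress to None (ok) or a problem description."""
    issuer = ingress.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    results: Dict[str, Optional[str]] = {}
    for block in ingress.get("spec", {}).get("tls", []):
        for host in block.get("hosts", []):
            if issuer not in issuers:
                results[host] = (f"annotation {ANNOTATION} missing or names "
                                 f"unknown issuer {issuer!r}")
            elif not block.get("secretName"):
                results[host] = "tls entry has no secretName; cert-manager needs one"
            else:
                results[host] = check_host(host, issuers[issuer], resolve(host))
    return results


def sample_ingress(issuer: str, hosts: List[str]) -> dict:
    """The post's Ingress as it looks after YAML parsing, with issuer/hosts varied."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": "test-rendoumi-com-ingress",
                     "annotations": {ANNOTATION: issuer}},
        "spec": {"ingressClassName": "nginx",
                 "tls": [{"hosts": hosts, "secretName": "test-rendoumi-com-tls"}]},
    }


if __name__ == "__main__":
    cases = [
        ("letsencrypt-prod1", ["test.rendoumi.com", "intranet.rendoumi.com"]),
        ("letsencrypt-prod2", ["intranet.rendoumi.com", "*.rendoumi.com"]),
        ("letsencrypt-prod1", ["*.rendoumi.com"]),
    ]
    for issuer, hosts in cases:
        for host, problem in preflight(sample_ingress(issuer, hosts), sample_resolver).items():
            print(f"{issuer:18} {host:24} {'ok' if problem is None else problem}")
```

Run it before applying the Ingress; the same logic explains the usual failure mode where a Challenge sits in pending state because the name resolves to an RFC 1918 address or not at all while the Ingress is annotated with the HTTP-01 issuer.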