When cert-manager issues a certificate in the usual way, the DNS A record already resolves to the public IP of the load balancer in front of the Ingress.
Case one: the cluster has a public IP, and the certificate is validated over HTTP (the ACME http01 challenge).
Prepare cluster-issuer.yaml:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod1
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: zhangranrui@rendoumi.com
    privateKeySecretRef:
      name: letsencrypt-prod1
    solvers:
    - http01:
        ingress:
          class: nginx

Case two: the cluster is deployed on an internal network with no public IP at all, so validation over ports 80 and 443 is impossible and the certificate can only be issued with DNS validation (the ACME dns01 challenge).
Taking DNS hosted on Cloudflare as the example, we need a Cloudflare DNS API token, declare it as a Secret, and then define the ClusterIssuer that references it:

---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
type: Opaque
stringData:
  api-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod2
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: zhangranrui@rendoumi.com
    privateKeySecretRef:
      name: letsencrypt-prod2
    solvers:
    - dns01:
        cloudflare:
          email: zhangranrui@rendoumi.com
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token

The only difference between case one and case two is the solvers section.
Finally, declare the Ingress and the certificate is issued automatically; choosing a different value for the cert-manager.io/cluster-issuer annotation selects a different issuance method.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-rendoumi-com-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod1"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - test.rendoumi.com
    secretName: test-rendoumi-com-tls
  rules:
  - host: test.rendoumi.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
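The wiring between the two ClusterIssuers, the Cloudflare token Secret and the Ingress annotation is easy to get wrong: an annotation naming an issuer that does not exist, a dns01 solver pointing at a Secret key that was never created, or an http01-only issuer used from a cluster with no public IP all leave the Certificate stuck in a pending state. The pre-flight checker below is an added example written for this post, not code from cert-manager or from the author. It embeds the three kinds of objects shown above as Python dicts (trimmed to the fields the checker reads, with the page's placeholder token) instead of loading them with yaml.safe_load_all(), so it runs offline; the check_manifests and solver_types names and the cluster_has_public_ip switch, which mirrors the page's two cases, are this example's own.

```python
"""Pre-flight check for cert-manager ClusterIssuer / Secret / Ingress wiring (added example)."""

# Constructed inline: dict form of the manifests on the page (email omitted).
# The token value is the page's placeholder, not a real Cloudflare token.
MANIFESTS = [
    {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-prod1"},
     "spec": {"acme": {
         "server": "https://acme-v02.api.letsencrypt.org/directory",
         "privateKeySecretRef": {"name": "letsencrypt-prod1"},
         "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "cloudflare-api-token-secret"},
     "stringData": {"api-token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}},
    {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-prod2"},
     "spec": {"acme": {
         "server": "https://acme-v02.api.letsencrypt.org/directory",
         "privateKeySecretRef": {"name": "letsencrypt-prod2"},
         "solvers": [{"dns01": {"cloudflare": {
             "apiTokenSecretRef": {"name": "cloudflare-api-token-secret",
                                   "key": "api-token"}}}}]}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "test-rendoumi-com-ingress",
                  "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod1"}},
     "spec": {"ingressClassName": "nginx",
              "tls": [{"hosts": ["test.rendoumi.com"],
                       "secretName": "test-rendoumi-com-tls"}],
              "rules": [{"host": "test.rendoumi.com"}]}},
]


def solver_types(issuer):
    """Return the ACME challenge types ('http01' / 'dns01') an issuer can use."""
    return [t for s in issuer["spec"]["acme"].get("solvers", [])
            for t in s if t in ("http01", "dns01")]


def check_manifests(manifests, cluster_has_public_ip):
    """Validate issuer/secret/ingress wiring; return a list of findings (empty = consistent).

    cluster_has_public_ip mirrors the page's two cases: with a public IP the
    http01 solver works; on a private network only dns01 can succeed.
    """
    issuers = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterIssuer"}
    secrets = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Secret"}
    findings = []

    # 1. Every dns01 solver must reference a Secret that really carries the key,
    #    and that key must not still hold the placeholder from the example.
    for name, iss in issuers.items():
        for solver in iss["spec"]["acme"].get("solvers", []):
            ref = solver.get("dns01", {}).get("cloudflare", {}).get("apiTokenSecretRef")
            if not ref:
                continue
            sec = secrets.get(ref["name"])
            data = {**sec.get("data", {}), **sec.get("stringData", {})} if sec else {}
            if ref["key"] not in data:
                findings.append(f"issuer {name}: secret {ref['name']}/{ref['key']} is missing")
            elif set(data[ref["key"]]) <= {"x"}:
                findings.append(f"issuer {name}: secret {ref['name']} still holds the placeholder token")

    # 2. Every Ingress must name an existing issuer whose solver fits the network.
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        iname = ing["metadata"]["name"]
        ref = ing["metadata"].get("annotations", {}).get("cert-manager.io/cluster-issuer")
        if ref not in issuers:
            findings.append(f"ingress {iname}: unknown cluster-issuer {ref!r}")
            continue
        types = solver_types(issuers[ref])
        if not cluster_has_public_ip and "dns01" not in types:
            findings.append(f"ingress {iname}: issuer {ref} only offers {types}, "
                            "unreachable without a public IP")
        # 3. A TLS host that matches no rule host is usually a typo; flag it.
        rule_hosts = {r.get("host") for r in ing["spec"].get("rules", [])}
        for tls in ing["spec"].get("tls", []):
            for host in tls.get("hosts", []):
                if host not in rule_hosts:
                    findings.append(f"ingress {iname}: tls host {host} has no matching rule")
    return findings


if __name__ == "__main__":
    # Run the page's manifests as if the cluster sat on a private network.
    for finding in check_manifests(MANIFESTS, cluster_has_public_ip=False):
        print("WARN", finding)
```

Run against the page's own objects with cluster_has_public_ip=False, the checker reports two things: the Cloudflare Secret still holds the placeholder token, and the Ingress points at letsencrypt-prod1, whose only solver is http01 and therefore cannot complete without a public IP; switching the annotation to letsencrypt-prod2 clears the second finding. When you fill in the real token, scope it to the zone's DNS edit permission only, since anything holding that Secret can change records for the zone.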