Configuration steps
- Install cert-manager (note the image version):
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
- Create route53-secret
My domain is hosted on AWS, so I need to configure an AWS secret:
kubectl create secret generic route53-secret --from-literal=access-key-id="xxxxxxxxxxxxxxxx" --from-literal=secret-access-key="xxxxxxxxxxxxxxxxxxxxxxxx" --namespace cert-manager
- Create a ClusterIssuer that connects to the Let's Encrypt certificate authority:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: your@email.com  # change to your own address; mainly used for certificate expiry notices
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-private-key
    solvers:
    - dns01:
        route53:
          region: us-east-1  # your AWS region; any value works, but leaving it out causes an error
          accessKeyIDSecretRef:
            name: route53-secret
            key: access-key-id
          secretAccessKeySecretRef:
            name: route53-secret
            key: secret-access-key
- Create the certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-certificate
  namespace: prod
spec:
  secretName: smh-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - yourdomain  # your own domain
Check that the certificate's status is True:
kubectl get certificate -A
- Configure the Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: your-ingress
  namespace: default
  annotations:
    # other cert-manager or Alibaba Cloud ingress annotations can be added here
spec:
  tls:
  - hosts:
    - yourdomain  # your own domain
    secretName: smh-tls-secret
  rules:
  - host: yourdomain  # your own domain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: your-service
            port:
              number: 80
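Two checks a practitioner would want after applying the steps above, written as an added example rather than code from the original page: one parses the output of `kubectl get certificate -A -o json` and reports each Certificate's Ready condition (the same information as `kubectl get certificate -A`, but with cert-manager's reason and message), and the other compares the Certificate with the Ingress that is supposed to serve its Secret. The manifests are the page's own, re-expressed as the dicts `yaml.safe_load()` would return; the kubectl output is a constructed sample, not captured from a cluster. Note that an Ingress can only reference TLS Secrets in its own namespace, so the page's Certificate (namespace `prod`) and Ingress (namespace `default`) are flagged as inconsistent by the second check.

```python
import json

# Constructed sample of `kubectl get certificate -A -o json` output (not captured from a
# real cluster): one issued certificate and one still waiting for its DNS-01 challenge.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"name": "test-certificate", "namespace": "prod"},
     "spec": {"secretName": "smh-tls-secret", "dnsNames": ["yourdomain"]},
     "status": {"conditions": [
         {"type": "Ready", "status": "True", "reason": "Ready",
          "message": "Certificate is up to date and has not expired"}]}},
    {"metadata": {"name": "pending-certificate", "namespace": "default"},
     "spec": {"secretName": "pending-tls", "dnsNames": ["pending.yourdomain"]},
     "status": {"conditions": [
         {"type": "Ready", "status": "False", "reason": "DoesNotExist",
          "message": "Issuing certificate as Secret does not exist"},
         {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
          "message": "Issuing certificate as Secret does not exist"}]}},
]})

# The page's Certificate and Ingress, as dicts in the shape yaml.safe_load() would return.
PAGE_CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "test-certificate", "namespace": "prod"},
    "spec": {"secretName": "smh-tls-secret",
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
             "dnsNames": ["yourdomain"]},
}
PAGE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "your-ingress", "namespace": "default"},
    "spec": {"tls": [{"hosts": ["yourdomain"], "secretName": "smh-tls-secret"}],
             "rules": [{"host": "yourdomain", "http": {"paths": [
                 {"path": "/", "pathType": "Prefix",
                  "backend": {"service": {"name": "your-service", "port": {"number": 80}}}}]}}]},
}


def certificate_status(kubectl_json):
    """Map "namespace/name" -> (ready, reason, message), read from the Ready condition
    that cert-manager writes into status.conditions."""
    result = {}
    for item in json.loads(kubectl_json).get("items", []):
        meta = item["metadata"]
        key = "%s/%s" % (meta.get("namespace", "default"), meta["name"])
        conditions = item.get("status", {}).get("conditions", [])
        ready = next((c for c in conditions if c.get("type") == "Ready"), None)
        if ready is None:  # no status yet: cert-manager has not reconciled the object
            result[key] = (False, "NoReadyCondition", "no status reported yet")
        else:
            result[key] = (ready.get("status") == "True",
                           ready.get("reason", ""), ready.get("message", ""))
    return result


def ingress_tls_problems(certificate, ingress):
    """Reasons the Ingress could not serve the Secret the Certificate produces."""
    problems = []
    cert_ns = certificate["metadata"].get("namespace", "default")
    ing_ns = ingress["metadata"].get("namespace", "default")
    secret = certificate["spec"]["secretName"]
    tls_blocks = ingress["spec"].get("tls", [])
    if secret not in {t.get("secretName") for t in tls_blocks}:
        problems.append("Ingress tls.secretName does not reference %r" % secret)
    if cert_ns != ing_ns:  # Ingress TLS secrets are looked up in the Ingress's own namespace
        problems.append("Secret %r is written to namespace %r but the Ingress is in %r"
                        % (secret, cert_ns, ing_ns))
    served = {h for t in tls_blocks for h in t.get("hosts", [])}
    served |= {r["host"] for r in ingress["spec"].get("rules", []) if r.get("host")}
    for host in sorted(served - set(certificate["spec"].get("dnsNames", []))):
        problems.append("host %r is not covered by the Certificate's dnsNames" % host)
    return problems


if __name__ == "__main__":
    for name, (ready, reason, message) in certificate_status(SAMPLE_KUBECTL_JSON).items():
        print("%-28s ready=%-5s %s: %s" % (name, ready, reason, message))
    for problem in ingress_tls_problems(PAGE_CERTIFICATE, PAGE_INGRESS):
        print("PROBLEM:", problem)
```

Against a live cluster, feed `certificate_status()` the text of `kubectl get certificate -A -o json`; a Certificate whose Ready condition stays False with reason `DoesNotExist` or a failing challenge is the case to investigate in the cert-manager logs. Moving the Ingress (or the Certificate) so that both live in the same namespace makes `ingress_tls_problems()` return an empty list.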
Rollback
- Certificates and CertificateRequests issued by the ClusterIssuer:
kubectl delete certificate --all -n namespace
kubectl delete certificaterequest --all -n namespace
- Orders and Challenges created while Let's Encrypt issued the certificate:
kubectl delete order --all -n namespace
kubectl delete challenge --all -n namespace
- Delete the ClusterIssuer:
kubectl delete clusterissuer letsencrypt-prod
- Delete the Secrets:
kubectl delete secret letsencrypt-prod-private-key -n cert-manager
kubectl delete secret route53-secret -n cert-manager
Problems:
- The cert-manager log shows: only one of access and secret key was provided:
This happens because only the secretAccessKeySecretRef parameter was configured in the ClusterIssuer. After adding the other one you may find the ClusterIssuer can no longer be created, with an error like “unknown field "spec.acme.solvers[0].dns01.route53.accessKeyIDSecretRef"”. That is because the installed cert-manager version is too old and does not know this field; upgrade it (the latest version at the moment is v1.17.0).
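A pre-apply lint for the Route53 solver that catches the first of these problems before cert-manager logs it, added here as an example and not code from the page or from the cert-manager project. It walks the ClusterIssuer's `spec.acme.solvers`, requires `region`, requires that the access key (either the plain `accessKeyID` field or `accessKeyIDSecretRef`) and `secretAccessKeySecretRef` are configured together, and checks that each referenced Secret exists with the named key. The Secret inventory is a constructed dict standing in for `kubectl get secret -n cert-manager`; the assumption that a ClusterIssuer resolves Secret references in the `cert-manager` namespace holds for a default install, and is exposed as a parameter. The second problem, the "unknown field" error from an old cert-manager, cannot be detected from the manifest alone; it still means upgrading cert-manager.

```python
import copy

# The page's ClusterIssuer, as a dict in the shape yaml.safe_load() would return.
PAGE_ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod"},
    "spec": {"acme": {
        "email": "your@email.com",
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "letsencrypt-prod-private-key"},
        "solvers": [{"dns01": {"route53": {
            "region": "us-east-1",
            "accessKeyIDSecretRef": {"name": "route53-secret", "key": "access-key-id"},
            "secretAccessKeySecretRef": {"name": "route53-secret", "key": "secret-access-key"},
        }}}],
    }},
}

# Constructed inventory of Secrets: (namespace, name) -> set of data keys. A ClusterIssuer
# resolves secret references in cert-manager's cluster resource namespace ("cert-manager"
# for a default install), which is why the page creates route53-secret there.
CLUSTER_SECRETS = {("cert-manager", "route53-secret"): {"access-key-id", "secret-access-key"}}


def lint_route53_solvers(issuer, secrets, cluster_resource_namespace="cert-manager"):
    """Return the problems that would make cert-manager reject or fail the Route53 solver."""
    problems = []
    for i, solver in enumerate(issuer["spec"]["acme"].get("solvers", [])):
        r53 = solver.get("dns01", {}).get("route53")
        if r53 is None:
            continue
        path = "spec.acme.solvers[%d].dns01.route53" % i
        if not r53.get("region"):
            problems.append(path + ".region is missing")
        # The access key (plain field or secret ref) and the secret key ref must be set together;
        # setting neither means cert-manager falls back to ambient AWS credentials.
        has_access = bool(r53.get("accessKeyID") or r53.get("accessKeyIDSecretRef"))
        has_secret = bool(r53.get("secretAccessKeySecretRef"))
        if has_access != has_secret:
            problems.append(path + ": only one of access key and secret key is configured")
        for field in ("accessKeyIDSecretRef", "secretAccessKeySecretRef"):
            ref = r53.get(field)
            if not ref:
                continue
            keys = secrets.get((cluster_resource_namespace, ref.get("name")))
            if keys is None:
                problems.append("%s.%s: Secret %r not found in namespace %r"
                                % (path, field, ref.get("name"), cluster_resource_namespace))
            elif ref.get("key") not in keys:
                problems.append("%s.%s: Secret %r has no key %r"
                                % (path, field, ref.get("name"), ref.get("key")))
    return problems


def without_access_key_ref(issuer):
    """Copy of the issuer with accessKeyIDSecretRef dropped: the misconfiguration behind the
    'only one of access and secret key was provided' log line."""
    broken = copy.deepcopy(issuer)
    del broken["spec"]["acme"]["solvers"][0]["dns01"]["route53"]["accessKeyIDSecretRef"]
    return broken


if __name__ == "__main__":
    print("page issuer:", lint_route53_solvers(PAGE_ISSUER, CLUSTER_SECRETS) or "ok")
    print("missing ref:", lint_route53_solvers(without_access_key_ref(PAGE_ISSUER), CLUSTER_SECRETS))
```

Run it over the manifest before `kubectl apply`; an empty list means the solver is internally consistent and its Secret is in place, so any remaining failure is on the cert-manager or AWS side rather than in the YAML.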