Automatic HTTPS certificate issuance tool: cert-manager

Posted by flyingaway

cert-manager was recently upgraded and versions below 0.11 are no longer supported, so I had to upgrade. I found that the upgrade could not be done simply by changing the image tag, and the version offered in Apps was still the old one, which turned out to be unsupported once deployed. So I did it by hand and put together the following procedure for deploying cert-manager from the documentation.

## Steps
1. create namespace
`kubectl create namespace cert-manager`
2. install the custom resource definitions
`kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml`
3. label cert-manager as disable-validation
`kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true`
4. add jetstack helm repos
`helm repo add jetstack https://charts.jetstack.io`
5. update local helm chart repository
`helm repo update`
6. install cert-manager with helm chart
`helm install --name cert-manager --namespace cert-manager --version v0.11.0 jetstack/cert-manager`
7. create a clusterissuer
`kubectl apply -f issuer.yaml`

```
# issuer.yaml
apiVersion: cert-manager.io/v1alpha2   # v0.11 moved all resources to the cert-manager.io API group
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: admin@arfront.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the ACME account's private key.
      name: issuer-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
```
8. config annotation in your ingress
```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx
  annotations:
    # reference the ClusterIssuer defined in issuer.yaml
    # (v0.11 renamed this key from certmanager.k8s.io/cluster-issuer)
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: test.nginx.com # dns for your ingress
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 443
        path: /
  tls: # enable tls
  # secretName for this ingress; cert-manager stores the issued certificate in this Secret
  - secretName: test-nginx-secret
    hosts:
    - test.nginx.com # dns for your ingress
```
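As an added example (not code from the original post or from the cert-manager project), the script below renders the two manifests of steps 7 and 8 as JSON with the v0.11 names (`kubectl apply -f` accepts JSON as well as YAML), and then checks what the Ingress actually serves once the certificate has been issued: that the SAN list covers the host, that the issuer is Let's Encrypt rather than the ingress controller's self-signed default certificate, and that renewal has not stalled. The resource names, the e-mail address, the 30-day threshold and the `staging` switch are assumptions made for this example; the staging endpoint is worth using while debugging so that failed attempts do not exhaust Let's Encrypt's production rate limits.

```python
"""Render cert-manager v0.11 manifests and verify the certificate an Ingress serves.

Added example for this post, not code from cert-manager or the post's author.
Assumes the v0.11 API group (cert-manager.io/v1alpha2) and the Let's Encrypt
ACME v2 endpoints; hosts, names, e-mail and thresholds are placeholders.
"""
import json
import socket
import ssl
import time

ACME_PROD = "https://acme-v02.api.letsencrypt.org/directory"
ACME_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
# Let's Encrypt certificates live 90 days; fewer than 30 days left means renewal
# is not happening (threshold chosen for this example).
RENEW_WARN_DAYS = 30


def cluster_issuer(name, email, staging=False, ingress_class="nginx"):
    """ClusterIssuer with an HTTP-01 solver; 'staging' selects the rate-limit-free test CA."""
    return {
        "apiVersion": "cert-manager.io/v1alpha2",  # not certmanager.k8s.io/v1alpha1 (pre-0.11)
        "kind": "ClusterIssuer",
        "metadata": {"name": name},
        "spec": {"acme": {
            "email": email,
            "server": ACME_STAGING if staging else ACME_PROD,
            "privateKeySecretRef": {"name": f"{name}-account-key"},
            "solvers": [{"http01": {"ingress": {"class": ingress_class}}}],
        }},
    }


def ingress(name, host, service, port, issuer, secret_name):
    """Ingress annotated for ingress-shim; cert-manager writes the issued cert into secret_name."""
    return {
        "apiVersion": "extensions/v1beta1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            # v0.11 annotation key; the old certmanager.k8s.io/cluster-issuer is ignored
            "annotations": {"cert-manager.io/cluster-issuer": issuer},
        },
        "spec": {
            "rules": [{"host": host, "http": {"paths": [
                {"path": "/", "backend": {"serviceName": service, "servicePort": port}}]}}],
            "tls": [{"hosts": [host], "secretName": secret_name}],
        },
    }


def evaluate_cert(cert, host, now_ts):
    """Judge a certificate in the dict form returned by ssl.SSLSocket.getpeercert().

    Returns a list of problems; an empty list means the Ingress serves what we expect."""
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if host not in sans:
        problems.append(f"{host} not covered by SANs {sans}")
    # issuer is a tuple of RDNs, each a 1-tuple of (attribute, value)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    org = issuer.get("organizationName")
    if org != "Let's Encrypt":
        problems.append(f"issuer is {org!r}: staging CA or the ingress controller's default cert?")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < RENEW_WARN_DAYS:
        problems.append(f"only {days_left} days left; cert-manager renewal may be stuck")
    return problems


def check_host(host, port=443, timeout=5.0):
    """Connect to the live Ingress and evaluate the served certificate (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate_cert(tls.getpeercert(), host, time.time())
    except ssl.SSLCertVerificationError as exc:
        # untrusted chain: getpeercert() is never reached, so report the verifier's reason
        return [f"TLS verification failed: {exc.verify_message}"]


if __name__ == "__main__":
    # kubectl apply -f accepts JSON, so these can be piped straight in
    print(json.dumps(cluster_issuer("letsencrypt-staging", "admin@example.com", staging=True), indent=2))
    print(json.dumps(ingress("my-nginx", "test.nginx.com", "my-nginx", 443,
                             "letsencrypt-staging", "test-nginx-secret"), indent=2))
```

Run `check_host("test.nginx.com")` after `kubectl get certificate` reports the resource Ready; an issuer of `(STAGING) Let's Encrypt` or `Kubernetes Ingress Controller Fake Certificate` shows up as a problem rather than silently passing, and a certificate that is still close to expiry after cert-manager should have renewed it points at a stuck Order or a broken HTTP-01 path.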
## Troubleshooting
1. serviceaccount Tiller not found. This happens when Helm 2's Tiller was initialised with `--service-account tiller` but no such service account exists in Tiller's namespace; the manifest below creates it. Note that binding it to `cluster-admin` gives Tiller, and anyone who can reach Tiller, full control of the cluster; on a shared cluster give it a narrower role.
`kubectl apply -f tiller.yaml`
```
#tiller.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: cert-manager
```
