Obtaining a Wildcard Certificate with CertManager + Aliyun

Prerequisites:

  1. Ingress Nginx is deployed
  2. CertManager is deployed


Steps:

1. Install the AliDns webhook

# kubectl apply -f https://k8s.aecmate.com/v3/import/62n79xzfjqr99ssqpd69fwzzhkjmzctc77lg866dfkhs6rzpbg2xlv_c-5ldc5.yaml
# kubectl get po -n cert-manager

2. Configure the webhook credentials: create an account in Alibaba Cloud RAM, grant it the DNSFullAccess permission, and create the following Secret (values under data are base64-encoded; the xxxx placeholders stand for the encoded AccessKey ID and AccessKey Secret)

apiVersion: v1
data:
  access-key: xxxx # base64-encoded RAM AccessKey ID
  secret-key: xxxxxx # base64-encoded RAM AccessKey Secret
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
type: Opaque

3. Create the ClusterIssuer used by CertManager

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns
spec:
  acme:
    email: you@me.xx
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod-dns
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            accessKeySecretRef:
              key: access-key
              name: alidns-secret
            region: ""
            secretKeySecretRef:
              key: secret-key
              name: alidns-secret
          groupName: acme.simcu.com
          solverName: alidns

4. Create the Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-mydomain-com
  namespace: default
spec:
  dnsNames:
  - test.mydomain.com # domain name the certificate is issued for
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod-dns # references the ClusterIssuer, which selects dns01 validation
  secretName: test-mydomain-com-tls # the issued certificate is stored in this Secret

5. Wait for the certificate to be issued

Check whether the Ready status of the newly created Certificate is True. Once it is True, the certificate is stored in the Secret named by secretName above and can be referenced from an Ingress.
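As an added example (not code from the original post), a small Python helper that reads the JSON printed by `kubectl get certificate test-mydomain-com -n default -o json`, reports the Ready condition, and lists which Ingress hosts the Certificate's dnsNames actually cover. It goes beyond the single-host Certificate in step 4 by applying the one-label wildcard rule of the title's use case, so `*.mydomain.com` covers `app.mydomain.com` but not the apex `mydomain.com`; the sample JSON below is constructed.

```python
from __future__ import annotations
import json

# Constructed sample: what `kubectl get certificate -o json` prints for the
# step-4 Certificate after the dns01 challenge succeeded, with dnsNames changed
# to a wildcard plus the apex (the wildcard case this post is about).
SAMPLE_CERT_JSON = json.dumps({
    "kind": "Certificate",
    "metadata": {"name": "test-mydomain-com", "namespace": "default"},
    "spec": {
        "dnsNames": ["*.mydomain.com", "mydomain.com"],
        "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod-dns"},
        "secretName": "test-mydomain-com-tls",
    },
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired"}],
    },
})


def certificate_ready(cert_json: str) -> tuple[bool, str]:
    """Return (ready, message) from the Ready condition; no condition at all
    means cert-manager has not processed the object yet."""
    cert = json.loads(cert_json)
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition yet"


def name_covers(dns_name: str, host: str) -> bool:
    """One dnsNames entry vs one host: a leading '*' matches exactly one label,
    so '*.mydomain.com' covers 'app.mydomain.com' but not 'mydomain.com'."""
    dns_name, host = dns_name.lower().rstrip("."), host.lower().rstrip(".")
    if not dns_name.startswith("*."):
        return dns_name == host
    suffix = dns_name[1:]  # ".mydomain.com"
    label = host[: -len(suffix)] if host.endswith(suffix) else ""
    return label != "" and "." not in label


def uncovered_hosts(cert_json: str, hosts: list[str]) -> list[str]:
    """Hosts from an Ingress tls block that no dnsNames entry would cover."""
    names = json.loads(cert_json)["spec"]["dnsNames"]
    return [h for h in hosts if not any(name_covers(n, h) for n in names)]
```

Run `uncovered_hosts` over the hosts in your Ingress tls section before switching it to the new Secret; any host it returns would fail TLS hostname verification.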
