Prerequisites:
- Ingress Nginx deployed
- CertManager deployed
Steps:
1. Install the AliDNS webhook

```shell
kubectl apply -f https://k8s.aecmate.com/v3/import/62n79xzfjqr99ssqpd69fwzzhkjmzctc77lg866dfkhs6rzpbg2xlv_c-5ldc5.yaml
# confirm the webhook pod is running alongside cert-manager
kubectl get po -n cert-manager
```
2. Configure the webhook credentials. In Alibaba Cloud RAM, create a user, grant it the DNSFullAccess permission, and create the following Secret from its AccessKey:

```yaml
apiVersion: v1
data:
  access-key: xxxx    # AccessKey ID, base64-encoded
  secret-key: xxxxxx  # AccessKey Secret, base64-encoded
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
type: Opaque
```
3. Create the ClusterIssuer for cert-manager

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns
spec:
  acme:
    email: you@me.xx
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod-dns
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              accessKeySecretRef:
                key: access-key
                name: alidns-secret
              region: ""
              secretKeySecretRef:
                key: secret-key
                name: alidns-secret
            groupName: acme.simcu.com
            solverName: alidns
```
4. Create the Certificate

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-mydomain-com
  namespace: default
spec:
  dnsNames:
    - test.mydomain.com               # domain the certificate is issued for
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod-dns        # references the ClusterIssuer, i.e. validate via dns01
  secretName: test-mydomain-com-tls   # the issued certificate is stored in this Secret
```
5. Wait for the certificate to be issued
Check whether the status of the Certificate just created is True. Once it is True, the certificate is stored in the Secret named by secretName above and can be referenced from an Ingress.
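The three manifests in steps 2 to 4 only work together if the ClusterIssuer's secret references resolve to keys in the Secret, the Secret lives in the namespace the webhook reads from, and the Certificate points at the right ClusterIssuer. The script below is an added example, not part of the original notes or of the AliDNS webhook project: it mirrors the manifests above as constructed Python dicts (placeholder credentials, no cluster required), cross-checks them, and implements the step-5 readiness test on a Certificate's status.conditions. Only the standard library is used.

```python
# Added example: consistency checks for the manifests in steps 2-4 and the
# step-5 readiness test. Everything here is constructed; no cluster needed.
import base64
import binascii

# Constructed stand-ins for the page's manifests; credential values are
# placeholders, base64-encoded as kubectl requires under `data`.
SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "alidns-secret", "namespace": "cert-manager"},
    "data": {
        "access-key": base64.b64encode(b"PLACEHOLDER-ACCESS-KEY-ID").decode(),
        "secret-key": base64.b64encode(b"PLACEHOLDER-ACCESS-KEY-SECRET").decode(),
    },
}
CLUSTER_ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod-dns"},
    "spec": {"acme": {
        "email": "you@me.xx",
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "letsencrypt-prod-dns"},
        "solvers": [{"dns01": {"webhook": {
            "groupName": "acme.simcu.com", "solverName": "alidns",
            "config": {
                "region": "",
                "accessKeySecretRef": {"name": "alidns-secret", "key": "access-key"},
                "secretKeySecretRef": {"name": "alidns-secret", "key": "secret-key"},
            },
        }}}],
    }},
}
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "test-mydomain-com", "namespace": "default"},
    "spec": {
        "dnsNames": ["test.mydomain.com"],
        "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod-dns"},
        "secretName": "test-mydomain-com-tls",
    },
}


def check_secret(secret):
    """The Secret must sit in cert-manager (where the webhook reads it) and hold valid base64."""
    problems = []
    if secret["metadata"].get("namespace") != "cert-manager":
        problems.append("Secret is not in the cert-manager namespace")
    for key, value in secret.get("data", {}).items():
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"data.{key} is not valid base64 (use stringData for plain text)")
    return problems


def check_issuer(issuer, secret):
    """Each secretKeyRef in the webhook config must resolve to a key of the Secret."""
    problems = []
    for solver in issuer["spec"]["acme"].get("solvers", []):
        webhook = solver.get("dns01", {}).get("webhook")
        if webhook is None:
            problems.append("solver is not a dns01 webhook solver")
            continue
        for ref_name in ("accessKeySecretRef", "secretKeySecretRef"):
            ref = webhook.get("config", {}).get(ref_name)
            if ref is None:
                problems.append(f"{ref_name} missing from webhook config")
            elif ref.get("name") != secret["metadata"]["name"]:
                problems.append(f"{ref_name} points at Secret {ref.get('name')!r}")
            elif ref.get("key") not in secret.get("data", {}):
                problems.append(f"{ref_name} key {ref.get('key')!r} is not in the Secret")
    return problems


def check_certificate(cert, issuer):
    """The Certificate must name the ClusterIssuer, a domain and a target Secret."""
    problems = []
    ref = cert["spec"].get("issuerRef", {})
    if ref.get("kind") != "ClusterIssuer" or ref.get("name") != issuer["metadata"]["name"]:
        problems.append("issuerRef does not match the ClusterIssuer")
    if not cert["spec"].get("dnsNames"):
        problems.append("dnsNames is empty")
    if not cert["spec"].get("secretName"):
        problems.append("secretName is missing")
    return problems


def check_all(secret=SECRET, issuer=CLUSTER_ISSUER, cert=CERTIFICATE):
    """All problems across the three manifests; an empty list means they agree."""
    return check_secret(secret) + check_issuer(issuer, secret) + check_certificate(cert, issuer)


def certificate_ready(status):
    """Step 5: read the Ready condition from a Certificate's status (kubectl -o json)."""
    for cond in status.get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition yet"
```

Run `check_all()` after editing the manifests and fix anything it lists before applying them. Note that the literal `xxxxxx` placeholder in step 2 is not valid base64 (its length is not a multiple of four), so `check_secret` flags it for the same reason `kubectl apply` would reject it; either base64-encode the real values or move them under `stringData`. With a cluster, feed the `status` object from `kubectl get certificate test-mydomain-com -o json` to `certificate_ready()`; the message it returns is the one cert-manager attaches to the Ready condition while the DNS01 challenge is still pending.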