wget https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
root@i-tsfhx8p6:~/qke-k8s/cert-manager# vi cert-manager.yaml
root@i-tsfhx8p6:~/qke-k8s/cert-manager# kubectl apply -f cert-manager.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
namespace/cert-manager unchanged
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
# ACME (Let's Encrypt) issuer used by the Certificates below.
# A ClusterIssuer is cluster-scoped: a Certificate in any namespace can
# reference it. Use a namespaced Issuer instead if issuance should be
# limited to a single namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: tls
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: [email protected]
    # Production directory (rate-limited). While testing the pipeline, point
    # this at the staging directory,
    # https://acme-staging-v02.api.letsencrypt.org/directory, so failed
    # attempts do not burn production quota.
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      # This is the ACME *account* key, not a certificate key. For a
      # ClusterIssuer cert-manager keeps it in its own cluster-resource
      # namespace (cert-manager by default) — restrict Secret read access there,
      # since the key controls the account that can request certificates.
      name: issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    # HTTP01 only works if the nginx ingress for the requested host is reachable
    # on port 80 from Let's Encrypt's validators.
    solvers:
    - http01:
        ingress:
          class: nginx
root@i-tsfhx8p6:~/qke-k8s/cert-manager/alidns-webhook# kubectl apply -f certificate.yaml
certificate.cert-manager.io/lishuai-fun-tls created
root@i-tsfhx8p6:~/qke-k8s/cert-manager/alidns-webhook# kubectl get secrets
NAME                    TYPE                                  DATA   AGE
default-token-v24ww     kubernetes.io/service-account-token   3      25h
lishuai-fun-tls-4wcmc   Opaque                                1      1s
qingcloud               kubernetes.io/dockerconfigjson        1      25h
root@i-tsfhx8p6:~/qke-k8s/cert-manager/alidns-webhook# kubectl get certificate
NAME              READY   SECRET            AGE
lishuai-fun-tls   False   lishuai-fun-tls   10s
root@i-tsfhx8p6:~/qke-k8s/cert-manager/alidns-webhook# kubectl get certificate
NAME              READY   SECRET            AGE
lishuai-fun-tls   True    lishuai-fun-tls   5m27s
root@i-tsfhx8p6:~/qke-k8s/cert-manager/alidns-webhook# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-v24ww   kubernetes.io/service-account-token   3      25h
lishuai-fun-tls       kubernetes.io/tls                     2      2m14s   #此时DATA 变为2,说明里面存着真正的证书文件
qingcloud             kubernetes.io/dockerconfigjson        1      25h
root@i-tsfhx8p6:~/qke-k8s/cert-manager/ingress# cat alertmanager-ingress.yaml
# Ingress that terminates TLS for the Alertmanager UI using the Secret
# produced by the lishuai-fun-tls Certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alertmanager
  # The TLS Secret referenced below must live in this same namespace; an
  # Ingress cannot reference a Secret from another namespace.
  namespace: monitoring
  # NOTE(review): no cert-manager.io/issuer or cert-manager.io/cluster-issuer
  # annotation is present, so ingress-shim will not create a Certificate from
  # this Ingress by itself — the Secret has to come from the explicitly created
  # Certificate resource (see certificate.yaml above).
spec:
  rules:
  - host: alertmanager-qke.lishuai.fun
    http:
      paths:
      - backend:
          service:
            # Nothing in this manifest authenticates requests; TLS protects the
            # transport only. Alertmanager ships without built-in auth, so access
            # control has to be added at the ingress controller or an auth proxy
            # before exposing this host.
            name: alertmanager-main
            port:
              number: 9093
        path: /
        pathType: Prefix
  tls: # < placing a host in the TLS config will indicate a certificate should be created
  - hosts:
    # Must match a dnsName on the Certificate, otherwise clients get a
    # hostname-mismatch error even though the Secret is valid.
    - alertmanager-qke.lishuai.fun
    secretName: lishuai-fun-tls
# Reference Certificate showing the full set of spec fields (the cert-manager
# documentation example); the cluster above uses a much smaller one named
# lishuai-fun-tls.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: sandbox
spec:
  # Secret names are always required.
  secretName: example-com-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - jetstack
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: example.com
  # Keep false unless this certificate is meant to sign other certificates;
  # an accidental CA cert in an application Secret is a real risk.
  isCA: false
  privateKey:
    # RSA 2048 is the usual minimum today; ECDSA (algorithm: ECDSA, size: 256)
    # is a smaller, faster alternative. Consider rotationPolicy: Always so a
    # fresh key is generated at every renewal instead of being reused.
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    # Least privilege: drop "client auth" unless this cert is also presented
    # as a client certificate (mTLS); a plain server certificate needs only
    # "server auth".
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - example.com
    - www.example.com
  uris:
    - spiffe://cluster.local/ns/sandbox/sa/example
  # A private (RFC 1918) IP SAN is only issuable by an internal CA such as the
  # ca-issuer referenced below; a public ACME CA will not issue for it.
  ipAddresses:
    - 192.168.0.5
  # Issuer references are always required.
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io