Brief notes on the key steps for using Cloudflare DNS with cert-manager to obtain a TLS certificate for a domain automatically and attach it to an Ingress. The certificate is issued by Let's Encrypt through the ACME DNS-01 challenge, so the domain's DNS must be hosted at Cloudflare and cert-manager needs an API token that can create TXT records in that zone.
Install
Install with Helm as follows (crds.enabled=true installs the cert-manager CRDs together with the chart release):
helm repo add jetstack https://charts.jetstack.io --force-update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.16.1 \
  --set crds.enabled=true
Configuration
Cloudflare API token for automatic DNS validation
Create the token in the Cloudflare dashboard with only the permissions the DNS-01 solver needs: Zone / Zone / Read and Zone / DNS / Edit, scoped to the zone(s) that will be validated. (cert-manager also accepts the account-wide Global API Key via apiKeySecretRef, but that grants far more than needed.) The ClusterIssuer below references this Secret by name only, so the Secret must live in cert-manager's cluster resource namespace, which is cert-manager by default. Replace the placeholder xxxxxxxxxx with the real token and apply the Secret directly to the cluster rather than committing it to a repository.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: xxxxxxxxxx
Define the issuer
A ClusterIssuer is cluster-wide and can be referenced from any namespace. Use the Let's Encrypt staging directory while testing: the production directory enforces rate limits that a misconfigured setup retrying in a loop will exhaust. Staging certificates are signed by an untrusted CA, so browsers will warn; switch to the production server once the Certificate reaches Ready, and keep separate issuer names (with their own privateKeySecretRef) for staging and production.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: issuer01
spec:
  acme:
    email: XXXXXX
    # ACME directory: use the staging server for rehearsals, the production server for real certificates
    #server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: issuer-account-key
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
Example application
The Deployment and Service are a plain whoami backend; the interesting part is the Ingress. The cert-manager.io/cluster-issuer annotation tells cert-manager's ingress-shim to create a Certificate (named after the tls secretName) for the hosts listed under tls. Once the DNS-01 order completes, the signed chain and private key are written to that Secret and the nginx ingress controller serves it. The commented-out kubernetes.io/tls-acme annotation is an alternative that only works when a default issuer is configured in cert-manager's Helm values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
      release: canary
  template:
    metadata:
      labels:
        app: whoami
        release: canary
    spec:
      containers:
      - name: whoami
        image: traefik/whoami:v1.10
        ports:
        - name: http
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
    release: canary
  ports:
  - name: http
    port: 80
    targetPort: 80 # pod port
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-whoami
  annotations:
    cert-manager.io/cluster-issuer: issuer01
    # kubernetes.io/tls-acme: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: whoami.hzc1.skybyte.me
    http:
      paths:
      - backend:
          service:
            name: whoami
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - whoami.hzc1.skybyte.me
    secretName: whoami-hzc1-skybyte-me-tls # cert-manager creates this Secret (and a Certificate of the same name) automatically
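After applying the manifests, issuance is verified by watching the Certificate, Order and Challenge resources (kubectl get certificate,order,challenge -A). The script below is an added example, not code from the original post: it reads the JSON that kubectl get certificate -o json and kubectl get challenge -o json produce, reports readiness and days to expiry per Certificate, and maps the reason recorded on a stuck Challenge to a likely cause (a rejected Cloudflare token, a token that cannot see the zone, DNS propagation still pending, or a Let's Encrypt rate limit). Field names follow cert-manager's CRD status schema; the reason substrings are heuristics, and the inline sample data is constructed for illustration.

```python
"""Summarise cert-manager Certificate / Challenge status from kubectl JSON output.

Added example (not from the original post). Intended use:
    kubectl get certificate -A -o json > certs.json
    kubectl get challenge  -A -o json > challenges.json
    python3 certcheck.py certs.json challenges.json
Without arguments it runs against the constructed sample data below.
"""
import json
import sys
from datetime import datetime, timezone

# Heuristic substring -> hint mapping for Challenge status.reason. The substrings are
# ones cert-manager, Cloudflare and Let's Encrypt commonly report; treat as a starting point.
REASON_HINTS = [
    ("Invalid format for Authorization header", "Cloudflare rejected the token: check the Secret's key name and value"),
    ("Invalid request headers", "Cloudflare rejected the token: check the Secret's key name and value"),
    ("not found in Cloudflare", "token cannot see the zone: it needs Zone:Read on the zone holding the DNS name"),
    ("not yet propagated", "waiting for DNS propagation: normal for a few minutes after the TXT record is created"),
    ("rateLimited", "Let's Encrypt rate limit hit: retest against the staging directory"),
    ("too many certificates", "Let's Encrypt rate limit hit: retest against the staging directory"),
]

# Fixed "now" for the sample data so the expiry arithmetic is reproducible.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample: one healthy Certificate, one stuck Certificate and its failing Challenge.
SAMPLE_CERTS = {"items": [
    {"metadata": {"namespace": "default", "name": "whoami-hzc1-skybyte-me-tls"},
     "spec": {"secretName": "whoami-hzc1-skybyte-me-tls"},
     "status": {"notAfter": "2025-03-02T00:00:00Z",
                "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}]}},
    {"metadata": {"namespace": "default", "name": "broken-example-test-tls"},
     "spec": {"secretName": "broken-example-test-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending"}]}},
]}
SAMPLE_CHALLENGES = {"items": [
    {"spec": {"dnsName": "broken.example.test", "type": "DNS-01"},
     "status": {"state": "pending", "presented": False,
                "reason": 'Cloudflare API Error for GET "/zones?name=example.test" '
                          "Error: 6003: Invalid request headers<- 6111: Invalid format for Authorization header"}},
]}


def _condition(obj, cond_type):
    """Return the status.conditions entry of the given type, or {} if absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == cond_type:
            return cond
    return {}


def _parse_k8s_time(value):
    """Kubernetes timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarise_certificates(cert_list, now=None, warn_days=14):
    """One record per Certificate: readiness, backing Secret, days to expiry."""
    now = now or datetime.now(timezone.utc)
    records = []
    for cert in cert_list.get("items", []):
        ready = _condition(cert, "Ready")
        not_after = cert.get("status", {}).get("notAfter")
        days_left = (_parse_k8s_time(not_after) - now).days if not_after else None
        records.append({
            "name": f"{cert['metadata']['namespace']}/{cert['metadata']['name']}",
            "secret": cert["spec"]["secretName"],
            "ready": ready.get("status") == "True",
            "reason": ready.get("reason"),
            "days_left": days_left,
            # A Ready cert close to expiry means renewal is failing silently.
            "expiring_soon": days_left is not None and days_left < warn_days,
        })
    return records


def classify_reason(reason):
    """Map a Challenge status.reason to a short hint (heuristic substring match)."""
    for needle, hint in REASON_HINTS:
        if needle in reason:
            return hint
    return "unclassified: read the full reason and the cert-manager controller log"


def summarise_challenges(challenge_list):
    """Challenges that have not reached state 'valid', with the recorded reason and a hint."""
    records = []
    for ch in challenge_list.get("items", []):
        status = ch.get("status", {})
        if status.get("state") == "valid":
            continue
        records.append({
            "dns_name": ch["spec"]["dnsName"],
            "type": ch["spec"]["type"],
            "state": status.get("state"),
            "presented": status.get("presented", False),
            "hint": classify_reason(status.get("reason", "")),
        })
    return records


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            certs = json.load(f)
        with open(argv[2]) as f:
            challenges = json.load(f)
        now = None
    else:
        certs, challenges, now = SAMPLE_CERTS, SAMPLE_CHALLENGES, SAMPLE_NOW
    for r in summarise_certificates(certs, now=now):
        flag = "OK " if r["ready"] and not r["expiring_soon"] else "!! "
        print(f"{flag}{r['name']} secret={r['secret']} ready={r['ready']} "
              f"reason={r['reason']} days_left={r['days_left']}")
    for r in summarise_challenges(challenges):
        print(f"   challenge {r['type']} {r['dns_name']} state={r['state']} "
              f"presented={r['presented']} -> {r['hint']}")


if __name__ == "__main__":
    main(sys.argv)
```

A Certificate that never becomes Ready almost always has a Challenge explaining why; the Challenge's status.reason is the first place to look, before the controller log. Run the script with no arguments to see the two sample cases, then point it at real kubectl output.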