$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.extensions/nginx-ingress-controller created

$ kubectl apply \
    -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created

$ helm install --name cert-manager --namespace kube-system stable/cert-manager
NOTES:
cert-manager has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them can be found in our documentation:
For information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the `ingress-shim` documentation:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <[email protected]>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    http01: {}

$ kubectl describe ingress
Events:
  Type    Reason             Age               From                      Message
  ----    ------             ---               ----                      -------
  Normal  CREATE             14m               nginx-ingress-controller  Ingress default/echo-ingress
  Normal  UPDATE             1m (x2 over 13m)  nginx-ingress-controller  Ingress default/echo-ingress
  Normal  CreateCertificate  1m                cert-manager              Successfully created Certificate "letsencrypt-staging"
The certificate has been requested successfully.
$ wget --save-headers -O- https://echo.example.com
URL transformed to HTTPS due to an HSTS policy
--2018-12-11 14:38:24--  https://echo.example.com/
Resolving echo.example.com (echo.example.com)... 203.0.113.0
Connecting to echo.example.com (echo.example.com)|203.0.113.0|:443... connected.
ERROR: cannot verify echo.example.com's certificate, issued by ‘CN=Fake LE Intermediate X1’:
  Unable to locally verify the issuer's authority.
To connect to echo.example.com insecurely, use `--no-check-certificate'.

The issuer ‘Fake LE Intermediate X1’ is the Let's Encrypt staging CA, which no client trusts by design; the staging endpoint only validates that the ACME flow works. To get a certificate that browsers accept, create a second ClusterIssuer that points at the production ACME server.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <[email protected]>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    http01: {}

Create the Issuer
$ kubectl create -f letsencrypt-clusterissuer-prod.yaml
clusterissuer.certmanager.k8s.io/letsencrypt-prod created

$ kubectl describe certificate letsencrypt-prod
Events:
  Type    Reason         Age    From          Message
  ----    ------         ----   ----          -------
  Normal  Generated      2m53s  cert-manager  Generated new private key
  Normal  OrderCreated   2m53s  cert-manager  Created Order resource "letsencrypt-prod-3570505900"
  Normal  OrderComplete  77s    cert-manager  Order "letsencrypt-prod-3570505900" completed successfully
  Normal  CertIssued     77s    cert-manager  Certificate issued successfully
The certificate has been issued successfully.

We can inspect the certificate order with kubectl describe order and the validation challenge with kubectl describe challenge. Certificates have a limited validity period; before a certificate expires, cert-manager will request a new one for us.
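As an added example (not part of the original post, nor cert-manager's own code), the following Go program turns the manual wget check above into a repeatable test: it classifies a served leaf certificate as coming from the staging CA, as sitting inside the renewal window in which cert-manager should already have replaced it, or as fine. The 30-day window, the host name and the helper that builds a constructed self-signed certificate for offline testing are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// RenewBefore is how long before expiry a renewal is expected (assumed 30 days, not from the page).
const RenewBefore = 30 * 24 * time.Hour

// Classify encodes the page's wget check: an issuer CN starting with "Fake LE" means the chain
// came from acme-staging-v02 and no client trusts it. Returns "staging", "expiring" or "ok".
func Classify(cert *x509.Certificate, now time.Time) string {
	if strings.HasPrefix(cert.Issuer.CommonName, "Fake LE") {
		return "staging"
	}
	if now.Add(RenewBefore).After(cert.NotAfter) {
		return "expiring" // inside the renewal window: check the Order/Challenge events
	}
	return "ok"
}

// ClassifyEndpoint inspects the leaf served on host:443; verification is skipped only so a
// staging chain can be examined instead of rejected (like wget --no-check-certificate).
func ClassifyEndpoint(host string) (string, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return Classify(conn.ConnectionState().PeerCertificates[0], time.Now()), nil
}

// SelfSigned builds a constructed test certificate: self-signed, so the issuer CN equals cn.
func SelfSigned(cn string, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling ClassifyEndpoint("echo.example.com") from a cron job or a monitoring check reports a staging chain or an overdue renewal before users see the wget error.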