cert manager搭配alidns-webhook实现ingress证书签发

安装 cert manager

如果已经安装 cert manager 则不用执行这一步

helm repo add jetstack https://charts.jetstack.io

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.11.0 \
  --set installCRDs=true

参考资料

https://cert-manager.io/docs/installation/helm/#installing-with-helm

安装 ingress

helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update

helm upgrade --install ingress-nginx nginx-stable/nginx-ingress \
  --namespace ingress-nginx --create-namespace \
  --set controller.kind=daemonset \
  --set controller.hostNetwork=true \
  --set controller.setAsDefaultIngress=true

参考资料

https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/

安装 alidns-webhook

参考文档

https://cert-manager.io/docs/configuration/acme/dns01/#webhook
https://github.com/DEVmachine-fr/cert-manager-alidns-webhook
https://help.aliyun.com/document_detail/409430.html#section-hec-0qh-xf5

安装 cert-manager-alidns-webhook

helm repo add cert-manager-alidns-webhook https://devmachine-fr.github.io/cert-manager-alidns-webhook
helm repo update
helm upgrade -i alidns-webhook cert-manager-alidns-webhook/alidns-webhook --set groupName=stacs.cn

创建阿里云 AccessKey ID 和 AccessKey Secret 的 secret

kubectl create secret generic alidns-secrets --from-literal="access-token=yourtoken" --from-literal="secret-key=yoursecretkey"

letsencrypt-staging.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging # 切换为正式的时候改为 letsencrypt 即可
spec:
  acme:
    # email: contact@example.com # 可能不是必须的，未验证
    # 尽量先用 staging 的 api，通过之后再换正式的
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # 正式申请证书的API
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - dns01:
        webhook:
            config:
              accessTokenSecretRef:
                name: alidns-secrets # 上面创建的 secret 名
                key: access-token
              regionId: "" # 可以为空
              secretKeySecretRef:
                name: alidns-secrets
                key: secret-key
            groupName: example.com # 改成实际的域名
            solverName: alidns-solver

创建 ClusterIssuer

kubectl apply -f letsencrypt-staging.yaml

example-tls.yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls # 自定义
  # namespace: cattle-system # 需要使用证书的命名空间，可能不需要指定命名空间，未验证
spec:
  secretName: example-com-tls # 自定义
  commonName: example.com # 自定义
  dnsNames:
  - example.com # 改成实际的域名
  - "*.example.com" # 改成实际的域名
  issuerRef:
    name: letsencrypt-staging # letsencrypt-staging.yaml文件中定义的name，如果测试通过就可以都改成letsencrypt
    kind: ClusterIssuer

创建 Certificate

kubectl apply -f example-tls.yaml