cert-manager, a tool for automatically issuing HTTPS certificates

  • 8 November 2019
  • Notes

cert-manager was recently upgraded and versions below 0.11 are no longer supported, so I had to upgrade. It turned out that the upgrade cannot be done simply by changing the image tag: the version offered in Apps is still the old one, and after deploying it I found it was not supported either. (0.11 renamed the API group from certmanager.k8s.io to cert-manager.io, so the CRDs and manifests of an older release are not accepted by the new controller.) So I went through the documentation myself and put together the following procedure for deploying cert-manager.

Steps

1. create the namespace

kubectl create namespace cert-manager

2. install the custom resource definitions

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

3. label the cert-manager namespace with disable-validation

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

4. add the jetstack helm repo

helm repo add jetstack https://charts.jetstack.io

5. update the local helm chart repository cache

helm repo update

6. install cert-manager with the helm chart (Helm 2 syntax, which is why Tiller is needed below)

helm install --name cert-manager --namespace cert-manager --version v0.11.0 jetstack/cert-manager

7. create a ClusterIssuer

kubectl apply -f issuer.yaml

# issuer.yaml
# ClusterIssuer belongs to the 0.11 API group cert-manager.io (v1alpha2);
# the core group "v1" has no such kind and the old certmanager.k8s.io group is no longer served.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the ACME account's private key.
      name: issuer-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

8. add the cert-manager annotation to your ingress

# Ingress is not in the core "v1" group; on a 2019 cluster it is served by extensions/v1beta1
# (or networking.k8s.io/v1beta1).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx
  annotations:
    # reference the ClusterIssuer defined in issuer.yaml
    # (0.11 annotation name; the old certmanager.k8s.io/cluster-issuer is ignored)
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: test.nginx.com   # dns name for your ingress
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 443
        path: /
  tls:   # enable tls
  # cert-manager stores the issued certificate and key in this secret
  - secretName: test-nginx-secret
    hosts:
    - test.nginx.com   # dns name for your ingress
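The two manifests above are exactly the ones that break after the 0.11 upgrade, because the old API group and annotation names are not rejected loudly but simply ignored, and the Ingress never gets a certificate. The checker below is an added example written for this post, not code from cert-manager or from the original author. It scans manifest text for the pre-0.11 names and rewrites the mechanical ones (certmanager.k8s.io to cert-manager.io, core kinds to v1alpha2, the issuer annotations), and flags what needs a hand rewrite (the old spec.acme.http01/dns01 fields, which 0.11 replaced with spec.acme.solvers, and any other legacy annotation). The sample manifests inside it are constructed for the demonstration; it uses only the standard library so it runs offline.

```python
"""Flag and rewrite pre-0.11 cert-manager API names in Kubernetes manifests.

Added example, not code from the original post or from cert-manager itself.
Assumed 0.11 renames: API group certmanager.k8s.io -> cert-manager.io, core
kinds served at cert-manager.io/v1alpha2, ingress annotations renamed the same
way, and spec.acme.http01/dns01 replaced by spec.acme.solvers.
"""
import re

NEW_API_VERSION = "cert-manager.io/v1alpha2"
CORE_KINDS = {"Issuer", "ClusterIssuer", "Certificate", "CertificateRequest"}
ANNOTATION_RENAMES = {
    "certmanager.k8s.io/cluster-issuer": "cert-manager.io/cluster-issuer",
    "certmanager.k8s.io/issuer": "cert-manager.io/issuer",
}

DOC_SEP = re.compile(r"^---[ \t]*$", re.MULTILINE)
TOP_API = re.compile(r"^(apiVersion:[ \t]*)(\S+)", re.MULTILINE)      # top-level only
TOP_KIND = re.compile(r"^kind:[ \t]*(\S+)", re.MULTILINE)             # ignores nested roleRef.kind etc.
LEGACY_KEY = re.compile(r"^([ \t]*)(certmanager\.k8s\.io/[\w.-]+)([ \t]*:)", re.MULTILINE)
OLD_ACME_FIELD = re.compile(r"^[ \t]*(http01|dns01):", re.MULTILINE)  # "- http01:" under solvers does not match
SOLVERS = re.compile(r"^[ \t]*solvers:", re.MULTILINE)


def split_documents(text):
    """Split a multi-document YAML string on '---' lines, dropping empty documents."""
    return [d for d in DOC_SEP.split(text) if d.strip()]


def _top_level(regex, doc):
    m = regex.search(doc)
    return m.group(m.lastindex) if m else None


def check_document(doc):
    """Return human-readable findings for one manifest document (empty list = clean)."""
    kind = _top_level(TOP_KIND, doc) or "<no kind>"
    api = _top_level(TOP_API, doc)
    findings = []
    if kind in CORE_KINDS and api != NEW_API_VERSION:
        findings.append(f"{kind}: apiVersion {api!r} is not served by cert-manager 0.11, use {NEW_API_VERSION!r}")
    if kind == "Ingress" and api == "v1":
        findings.append("Ingress: apiVersion 'v1' is wrong, the core group has no Ingress kind (use extensions/v1beta1)")
    if kind in {"Issuer", "ClusterIssuer"} and OLD_ACME_FIELD.search(doc) and not SOLVERS.search(doc):
        findings.append(f"{kind}: spec.acme.http01/dns01 were removed in 0.11, configure spec.acme.solvers instead")
    for m in LEGACY_KEY.finditer(doc):
        key = m.group(2)
        if key in ANNOTATION_RENAMES:
            findings.append(f"{kind}: annotation {key!r} is ignored by 0.11, rename to {ANNOTATION_RENAMES[key]!r}")
        else:
            findings.append(f"{kind}: legacy annotation {key!r} has no automatic rename, check the 0.11 upgrade notes")
    return findings


def check_manifests(text):
    findings = []
    for doc in split_documents(text):
        findings.extend(check_document(doc))
    return findings


def migrate_document(doc):
    """Apply the mechanical renames; structural changes (solvers) are left to the operator."""
    if _top_level(TOP_KIND, doc) in CORE_KINDS:
        doc = TOP_API.sub(lambda m: m.group(1) + NEW_API_VERSION, doc, count=1)
    return LEGACY_KEY.sub(
        lambda m: m.group(1) + ANNOTATION_RENAMES.get(m.group(2), m.group(2)) + m.group(3), doc)


def migrate_manifests(text):
    return "\n---\n".join(migrate_document(d) for d in split_documents(text))


# Constructed pre-0.11 manifests, shaped like the issuer and ingress in this post.
SAMPLE = """\
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: issuer-key
    http01: {}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
  - secretName: test-nginx-secret
    hosts:
    - test.nginx.com
"""

if __name__ == "__main__":
    for line in check_manifests(SAMPLE):
        print("before:", line)
    migrated = migrate_manifests(SAMPLE)
    for line in check_manifests(migrated):   # only the hand-rewrite items remain
        print("after: ", line)
```

Run it against `kubectl get clusterissuer,ingress -A -o yaml` output before upgrading; whatever is still reported after migration is the part the controller would otherwise ignore silently.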

Troubleshooting

1. serviceaccount tiller not found

kubectl apply -f tiller.yaml

# tiller.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: cert-manager
---
# ClusterRoleBinding lives in the RBAC group, not the core "v1" group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: cert-manager

This binds Tiller to cluster-admin, so anyone who can reach the Tiller service can do anything in the cluster; restrict access to it accordingly rather than leaving it reachable from every namespace.