1 Install helm
Non-Debian systems can follow the official documentation; on Debian/Ubuntu, install it from the Helm apt repository:
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
apt-get install apt-transport-https --yes
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
apt-get update
apt-get install helm
2 Install cert-manager with helm
v1.12.3 is the current latest cert-manager release; the latest version can be found in the official repository.
Installation documentation: https://cert-manager.io/docs/installation/helm/
# Add the Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install cert-manager
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.15.3 \
  --set crds.enabled=true
3 Request a certificate via Cloudflare
Reference: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/
3.1 Create the Cloudflare API token secret
Tokens can be created at User Profile > API Tokens > API Tokens. The following settings are recommended:
Permissions:
Zone - DNS - Edit
Zone - Zone - Read
Zone Resources:
Include - All Zones
To create a new Issuer, first make a Kubernetes secret containing your new API token:
nano cert-manager/cloudflare-api-token-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <API Token>
kubectl apply -f cert-manager/cloudflare-api-token-secret.yaml
3.2 Create the ClusterIssuer
nano cert-manager/letsencrypt-dns01-clusterissuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    privateKeySecretRef:
      name: letsencrypt-dns01
    email: youremail@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        cloudflare:
          email: youremail@example.com
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
3.3 Verify the certificate request
nano cert/cert-thislab-tech.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-thislab-tech
  namespace: default
spec:
  dnsNames:
  - thislab.tech
  - "*.thislab.tech"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns01
  secretName: cert-thislab-tech
After a short wait, query the certificate status; once READY shows True the certificate has been issued successfully:
root@extend-master-1:~/argocd/public# kubectl get cert -o wide
NAME                READY   SECRET              ISSUER              STATUS                                          AGE
cert-thislab-tech   True    cert-thislab-tech   letsencrypt-dns01   Certificate is up to date and has not expired   10m
4 Request a certificate via DNSPod
4.1 Create Tencent Cloud API credentials
Log in to the Tencent Cloud console, create a new key under API Key Management, then copy the automatically generated SecretId and SecretKey and save them for the later steps.
4.2 Install cert-manager-webhook-dnspod
Reference: "Issue free certificates for DNSPod domains with cert-manager" (使用 cert-manager 为 dnspod 的域名签发免费证书)
Create the helm values file dnspod-webhook-values.yaml:
groupName: acme.thislab.cn
clusterIssuer:
  enabled: true
  name: dnspod  # name of the automatically created ClusterIssuer
  ttl: 600
  staging: false
  secretId: 'xxx'  # replace with your SecretId
  secretKey: 'xxx'  # replace with your SecretKey
  email: admin@thislab.cn  # receives certificate expiry email alerts
nodeSelector:
  kubernetes.io/arch: amd64
Install it with helm:
helm repo add roc https://charts.imroc.cc
helm upgrade --install -f dnspod-webhook-values.yaml cert-manager-webhook-dnspod roc/cert-manager-webhook-dnspod -n cert-manager
Run the command
kubectl get clusterissuer
and you can see that a ClusterIssuer resource named dnspod has been created.
4.3 Verify the certificate request
The verification steps are in the same reference: "Issue free certificates for DNSPod domains with cert-manager" (使用 cert-manager 为 dnspod 的域名签发免费证书)
Create the Certificate
Create the example certificate request file example-crt.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: thislab-cn
  namespace: default
spec:
  dnsNames:
  - "thislab.cn"
  - "*.thislab.cn"
  issuerRef:
    kind: ClusterIssuer
    name: dnspod
  secretName: thislab-cn-cert
Create the certificate request resource:
kubectl apply -f example-crt.yaml
Wait until the status becomes Ready, which means issuance succeeded:
root@entry-ex:~# kubectl get certificates/example-crt
NAME          READY   SECRET               AGE
example-crt   True    example-crt-secret   3h1m
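As an added check for the verification steps in 3.3 and 4.3 (example code written for this note, not from cert-manager or the referenced docs), the script below reads the JSON that `kubectl get certificate -A -o json` prints and reports, per Certificate, whether the Ready condition is True and how many days remain before notAfter, so a pending DNS-01 challenge or an issued cert close to expiry stands out. The SAMPLE input, FIXED_NOW and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample standing in for `kubectl get certificate -A -o json`: one
# issued cert (section 3.3) and one whose DNS-01 challenge has not completed.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cert-thislab-tech", "namespace": "default"},
     "spec": {"issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-dns01"}},
     "status": {"notAfter": "2025-12-01T00:00:00Z",
                "conditions": [{"type": "Ready", "status": "True",
                                "message": "Certificate is up to date and has not expired"}]}},
    {"metadata": {"name": "thislab-cn", "namespace": "default"},
     "spec": {"issuerRef": {"kind": "ClusterIssuer", "name": "dnspod"}},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                "message": "Issuing certificate as Secret does not exist"}]}},
]})
FIXED_NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed clock for the sample (constructed)

def ready_condition(cert):
    """Return the Ready condition dict, or None if cert-manager has not set one yet."""
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None

def check_certificates(kubectl_json, now=None, warn_days=30):
    """One row per Certificate: readiness, days to notAfter, attention flag (not Ready or < warn_days)."""
    now = now or datetime.now(timezone.utc)
    report = []
    for cert in json.loads(kubectl_json)["items"]:
        cond = ready_condition(cert) or {}
        ready = cond.get("status") == "True"
        days_left = None
        not_after = cert.get("status", {}).get("notAfter")
        if not_after:  # only present once a certificate has actually been issued
            expiry = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            days_left = (expiry - now).days
        report.append({
            "name": f'{cert["metadata"]["namespace"]}/{cert["metadata"]["name"]}',
            "issuer": cert["spec"]["issuerRef"]["name"],
            "ready": ready,
            "days_left": days_left,
            "needs_attention": not ready or (days_left is not None and days_left < warn_days),
            "message": cond.get("message", "no Ready condition reported yet"),
        })
    return report

if __name__ == "__main__":
    for row in check_certificates(SAMPLE, now=FIXED_NOW):
        print("!!" if row["needs_attention"] else "ok", row["name"], row["ready"], row["days_left"], row["message"])
```

Against a live cluster, pipe `kubectl get certificate -A -o json` into check_certificates instead of SAMPLE and leave now=None so the real clock is used.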