自动签发https证书工具 cert manager

kubectl create namespace cert-manager

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

helm repo add jetstack https://charts.jetstack.io

helm repo update

helm install --name cert-manager --namespace cert-manager --version v0.11.0 jetstack/cert-manager

kubectl apply -f issuer.yaml

# issuer.yaml
apiVersion: v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: admin@arfront.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: issuer-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

apiVersion: v1
kind: Ingress
metadata:
  name: my-nginx
  annotations: 
        # config the cluster issuer defined in issuer.yaml
	certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: test.nginx.com # dns for your ingress
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 443
        path: /
  tls: #enable tls 
  #secretName for this ingress,this will be stored in certificates
  - secretName: test-nginx-secret 
    hosts:
    - test.nginx.com  # dns for your ingress

kubectl apply -f tiller.yaml

#tiller.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: cert-manager
---
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: cert-manager