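cert-manager is an open-source, cloud-native certificate management project. It provisions HTTPS certificates in a Kubernetes cluster and renews them automatically, and supports issuing free certificates from providers such as Let's Encrypt and HashiCorp Vault.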
Install cert-manager
```shell
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.4.0 \
  --set installCRDs=true
```
You must set `installCRDs=true` at install time; otherwise, installing the `Issuer` later fails with the following error:

```
error: no matches for kind "Issuer" in version "cert-manager.io/v1"
```
Install the Issuer
Before installing the `Issuer`, first create an API Token in Cloudflare:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: xxx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cert-manager-issuer
spec:
  acme:
    email: name@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cert-manager-issuer-account-key
    solvers:
    - dns01:
        cloudflare:
          email: name@example.com
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
```
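A `ClusterIssuer` is cluster-scoped, so the Secret it references has to live in the namespace cert-manager reads such credentials from. The check below is an added example, not part of the original post; the function name `check_cloudflare_refs` and the dict inputs are illustrative, and it assumes the default cluster resource namespace `cert-manager`.

```python
# Added example, not from the original post. Inputs are manifests already parsed
# from YAML into dicts. Assumption: cert-manager resolves a ClusterIssuer's secret
# refs in its cluster resource namespace, which defaults to "cert-manager".

def check_cloudflare_refs(docs, resource_ns="cert-manager"):
    """Return findings for Cloudflare dns01 solvers of every ClusterIssuer in docs."""
    secrets = {}
    for d in docs:
        if d.get("kind") == "Secret":
            meta = d.get("metadata", {})
            keys = set(d.get("stringData") or {}) | set(d.get("data") or {})
            # A Secret without metadata.namespace is treated as landing in "default".
            secrets[(meta.get("namespace", "default"), meta.get("name"))] = keys
    findings = []
    for d in docs:
        if d.get("kind") != "ClusterIssuer":
            continue
        issuer = d["metadata"]["name"]
        for solver in d.get("spec", {}).get("acme", {}).get("solvers", []):
            cf = solver.get("dns01", {}).get("cloudflare")
            if cf is None:
                continue
            if "apiKeySecretRef" in cf:
                findings.append(f"{issuer}: account-wide API key in use; prefer a scoped API token")
            ref = cf.get("apiTokenSecretRef") or cf.get("apiKeySecretRef")
            if not ref:
                findings.append(f"{issuer}: no Cloudflare credential reference")
                continue
            keys = secrets.get((resource_ns, ref["name"]))
            if keys is None:
                findings.append(f"{issuer}: Secret {ref['name']} not found in namespace {resource_ns}")
            elif ref["key"] not in keys:
                findings.append(f"{issuer}: Secret {ref['name']} has no key {ref['key']}")
    return findings

# Constructed sample mirroring the manifest above, reduced to the fields the check reads.
SECRET = {"kind": "Secret", "stringData": {"api-token": "xxx"},
          "metadata": {"name": "cloudflare-api-token-secret", "namespace": "cert-manager"}}
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "cert-manager-issuer"},
          "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {
              "email": "name@example.com",
              "apiTokenSecretRef": {"name": "cloudflare-api-token-secret",
                                    "key": "api-token"}}}}]}}}

if __name__ == "__main__":
    print(check_cloudflare_refs([SECRET, ISSUER]) or "references OK")
```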
Sample