个人建议使用 kubectl 安装,速度更快,比 helm 快,还要等待安装 CRD
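# Install cert-manager from the pinned v1.13.3 release manifest.
# The manifest creates cluster-wide objects (CRDs, RBAC, admission webhooks),
# so read it before applying it to a cluster that matters.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
# Issuer and Certificate objects are rejected until the cert-manager webhook
# is serving, so wait for the deployments before creating any.
kubectl -n cert-manager wait --for=condition=Available deployment --all --timeout=180s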
#官网
https://cert-manager.io/docs/installation/kubectl/
#创建自签的ClusterIssuer
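# Write the CA bootstrap manifests. The delimiter is quoted so the shell does
# not expand anything inside the YAML; nesting is restored so it parses.
cat > signing-custom.yaml <<'EOF'
---
# Bootstrap issuer: each certificate it issues is signed with that
# certificate's own key. Used here only to mint the root CA below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-clusterissuer
spec:
  selfSigned: {}
---
# Root CA certificate. It is created in the cert-manager namespace because a
# CA ClusterIssuer reads its Secret from cert-manager's cluster resource
# namespace, which is cert-manager by default.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: java-selfsigned-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: java-selfsigned-ca
  # Secret that receives the CA certificate AND its private key. Anyone who
  # can read Secrets in this namespace can sign certificates as this CA, so
  # keep RBAC on the cert-manager namespace tight.
  secretName: java-selfsigned-secret
  # 360h = 15 days. Clients that trust a copy of this CA certificate need the
  # renewed one after that; certificates issued by this CA should not be given
  # a longer lifetime than the CA itself.
  duration: 360h
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    # Must match the self-signed ClusterIssuer defined above.
    name: selfsigned-clusterissuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# Issuer backed by the CA above; other certificates are signed by it.
# A ClusterIssuer can be referenced from every namespace, so anyone allowed to
# create Certificate resources can obtain a certificate for any name from this
# CA. Use a namespaced Issuer if that is broader than intended.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    # Must match secretName of the java-selfsigned-ca Certificate.
    secretName: java-selfsigned-secret
EOF
# The heredoc only writes the file; apply it to create the objects.
kubectl apply -f signing-custom.yaml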
查看你的证书
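# ClusterIssuers are cluster-scoped, but Certificates are namespaced and the CA
# certificate lives in cert-manager, so list Certificates across namespaces.
kubectl get clusterissuers
kubectl get certificate --all-namespaces
# This namespace holds the CA private key (java-selfsigned-secret); list the
# Secrets to confirm they exist, but do not dump their contents into logs.
kubectl -n cert-manager get secret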
手动签发ssl自签证书
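# Write the server certificate request. The delimiter is quoted so the shell
# does not expand anything inside the YAML; nesting is restored so it parses.
cat > server-tls.yaml <<'EOF'
---
# Leaf certificate signed by my-ca-issuer. No namespace is set, so the
# Certificate and the java-tls Secret land in the current kubectl namespace,
# which must be the namespace of the Ingress that references java-tls.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: java-com
spec:
  secretName: java-tls
  # 12160h is about 506 days; pick the lifetime you need. The issuing CA
  # certificate on this page is valid for only 360h, so clients that trust a
  # copy of the CA certificate must pick up the renewed one well before this
  # leaf expires.
  duration: 12160h
  # Renew 150 days before expiry.
  renewBefore: 3600h
  subject:
    organizations:
      - jetstack
  commonName: abc.exchangs.top
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    # NOTE(review): client auth is only needed if this certificate is also
    # presented as a TLS client (mTLS); drop it for a server-only certificate.
    - client auth
  dnsNames:
    - exchangs.top
    - abc.exchangs.top
    # The Ingress serves bbc.exchangs.top with java-tls as well, so that name
    # must be a SAN or verifying clients reject it.
    - bbc.exchangs.top
  ipAddresses:
    - 192.168.0.53
  issuerRef:
    # The CA ClusterIssuer created earlier, used to sign this certificate.
    name: my-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
# The heredoc only writes the file; apply it to request the certificate.
kubectl apply -f server-tls.yaml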
最后ingress
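---
# Ingress that terminates TLS for both hosts with the java-tls Secret and
# forwards everything to the springboot-server Service on port 8080.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: springboot-server
  # Left disabled: java-tls is issued by a manually created Certificate, not
  # requested automatically through this annotation.
  # annotations:
  #   cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    # Every host listed here must also appear in the dnsNames of the
    # Certificate that writes java-tls; otherwise clients that verify the
    # certificate reject that host.
    - hosts:
        - abc.exchangs.top
        - bbc.exchangs.top
      # The Secret is looked up in this Ingress's own namespace.
      secretName: java-tls
  rules:
    - host: abc.exchangs.top
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: springboot-server
                port:
                  number: 8080
    - host: bbc.exchangs.top
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: springboot-server
                port:
                  number: 8080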
最后访问
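# Routing check only: -k turns certificate verification off, and because the
# URL is an IP address curl sends no SNI, so the ingress controller may answer
# with its default certificate rather than java-tls.
curl -kivL -H 'Host: bbc.exchangs.top' 'https://192.168.0.53'

# Verified check: trust only the CA that signed java-tls and connect by name,
# so SNI is sent and the certificate chain and hostname are actually validated.
# Run kubectl in the namespace that holds java-tls.
kubectl get secret java-tls -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
curl -ivL --cacert ca.crt --resolve abc.exchangs.top:443:192.168.0.53 'https://abc.exchangs.top/'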