Reference documentation

Traefik later integrated its own certificate management; the reference documentation for that will be added later.

1 Preparation

First install the matching webhook. I am using Tencent's DNSPod here; other providers can be found here.

git clone https://github.com/qqshfox/cert-manager-webhook-dnspod.git

1.1.1 Obtain the apiID and apiToken

Documentation reference

Visit here to create them and record the values.

(screenshot: 20220404181425.png)

2 Deploy cert-manager

helm repo add jetstack https://charts.jetstack.io
helm repo update
# --namespace: namespace name; --create-namespace: create it automatically; --version: chart version
# the three ingressShim.* settings configure the default ClusterIssuer (letsencrypt-prod) used for Ingress resources
# installCRDs=true installs the CRDs cert-manager needs
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.2 \
  --set ingressShim.defaultIssuerName=letsencrypt-prod \
  --set ingressShim.defaultIssuerKind=ClusterIssuer \
  --set ingressShim.defaultIssuerGroup=cert-manager.io \
  --set installCRDs=true

2.1 Check

kubectl get pod -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-88c9c88d7-5vmdm               1/1     Running   0          3m2s
cert-manager-cainjector-857f5bd88c-bwkfg   1/1     Running   0          3m2s
cert-manager-webhook-5cd99556d6-jnl4w      1/1     Running   0          3m2s

3 Deploy the DNSPod webhook

# replace the UPPERCASE placeholders with your own values
# the API token is passed on the command line here; in a real deployment prefer a values file (-f) so it stays out of shell history
helm install cert-manager-webhook-dnspod ./cert-manager-webhook-dnspod/deploy/cert-manager-webhook-dnspod \
  --namespace NAMESPACE \
  --set groupName=GROUP_NAME \
  --set secrets.apiID=API_ID,secrets.apiToken=API_TOKEN \
  --set clusterIssuer.enabled=true,clusterIssuer.email=EMAIL

3.1.1 Check

kubectl get pod -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
cert-manager-88c9c88d7-5vmdm                   1/1     Running   0          3m44s
cert-manager-cainjector-857f5bd88c-bwkfg       1/1     Running   0          3m44s
cert-manager-webhook-5cd99556d6-jnl4w          1/1     Running   0          3m44s
cert-manager-webhook-dnspod-7cbb554d57-bkdrx   1/1     Running   0          13s
kubectl get ClusterIssuer
NAME                                         READY   AGE
cert-manager-webhook-dnspod-cluster-issuer   True    16s

4 Usage

cat ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: cert-manager-webhook-dnspod-cluster-issuer # the name shown by kubectl get ClusterIssuer
  name: hello-ingress
spec:
  rules:
  - host: hello.ccops.cc
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 443
  tls:
  - hosts:
    - hello.ccops.cc
    secretName: hello-cert

4.1 Check whether the DNS record was added automatically

(screenshot: 20220406220810.png)

4.2 Visit the site and inspect the certificate

(screenshot: 20220406220518.png)

5 Problems encountered

  • The first DNS record was added automatically, but the second was not, and the logs showed no errors at all.

  • The certificate was not created automatically: too many certificates had been requested.

    kubectl describe certificaterequest -n tekton-pipelines tekton-cert-sqrgx
    Warning OrderFailed 48m cert-manager Failed to wait for order resource "xxx-cert-sqrgx-3392950336" to become ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: xxx.ccops.cc: see https://letsencrypt.org/docs/rate-limits/
    Warning OrderFailed 48m cert-manager Failed to wait for order resource "xxx-cert-sqrgx-3392950336" to become ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: xxx.ccops.cc: see https://letsencrypt.org/docs/rate-limits/