Provides DNS01 challenge validation for cert-manager using Alibaba Cloud DNS (alidns).
- You have installed cert-manager with webhook support enabled (see install cert-manager).
- Older cert-manager versions may have compatibility problems; tested on v1.0.3.
- Your domain is resolved by Alibaba Cloud DNS and you have obtained API access.
```shell
git clone [email protected]:tttlkkkl/alidns.git
cd alidns/deploy   # the clone creates ./alidns; the chart lives in its deploy/ directory
# Helm 2 syntax; Helm 3 takes the release name positionally:
#   helm install alidns alidns/ --namespace cert-manager
helm install --name alidns --namespace cert-manager alidns/
```
- Create the Alibaba Cloud API key Secret. You can also set the `accessKeyId` and `accessKeySecret` fields directly, at the same level as `regionId` in the ClusterIssuer config, but this is not recommended.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-api-dns-secret
data:
  # values under data: must be base64 encoded (use stringData: for plaintext)
  accessKeyId: <your aliyun accessKeyId>
  accessKeySecret: <your aliyun accessKeySecret>
type: Opaque
```
- Create the ClusterIssuer
```yaml
# ClusterIssuer
# certmanager.k8s.io/v1alpha1 is the pre-v0.11 API group; cert-manager v1.x
# serves the same resources under cert-manager.io/v1.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsNames:
        - '*.lihuaio.com'
      dns01:
        webhook:
          config:
            # credentials are read from the Secret created above
            accessKeyRef:
              accessKeySecretKey: accessKeySecret
              accessKeyIdKey: accessKeyId
              name: alibaba-api-dns-secret
            regionId: "cn-shenzhen"
            # inline credentials are possible but not recommended; leave empty
            accessKeySecret:
            accessKeyId:
            ttl: 600
          groupName: acme.lihuaio.com
```
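A shell helper, added here and not part of the alidns project, that renders the `alibaba-api-dns-secret` Secret with correctly base64-encoded values (a common mistake is pasting plaintext, or encoding a trailing newline with `echo`) and checks that a ClusterIssuer manifest does not carry the discouraged inline credentials. Placing the Secret in the `cert-manager` namespace is an assumption.

```shell
#!/bin/sh
# Render the Secret manifest from the page. Kubernetes `data:` values must be
# base64 encoded; printf '%s' (not echo) keeps a trailing newline out of the key.
render_alidns_secret() {
  key_id="$1"
  key_secret="$2"
  id_b64=$(printf '%s' "$key_id" | base64 | tr -d '\n')
  secret_b64=$(printf '%s' "$key_secret" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-api-dns-secret
  namespace: cert-manager   # assumed: where the webhook reads ClusterIssuer secrets
type: Opaque
data:
  accessKeyId: ${id_b64}
  accessKeySecret: ${secret_b64}
EOF
}

# Read one field back out of the rendered manifest and decode it, so the
# round trip can be verified before the Secret is applied to the cluster.
decoded_field() {
  field="$1"
  render_alidns_secret "$2" "$3" | sed -n "s/^  ${field}: //p" | base64 -d
}

# Succeeds (exit 0) if a ClusterIssuer manifest on stdin sets a non-empty
# inline accessKeyId/accessKeySecret under the webhook config; the
# accessKeyRef sub-keys (accessKeyIdKey/accessKeySecretKey) do not match.
inline_creds_present() {
  grep -Eq '^[[:space:]]*accessKey(Id|Secret):[[:space:]]*[^[:space:]]'
}

# usage (not run here):
#   render_alidns_secret "$ALIDNS_KEY_ID" "$ALIDNS_KEY_SECRET" | kubectl apply -f -
#   inline_creds_present < clusterissuer.yaml && echo "inline credentials found"
```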
- Create the Certificate object; this step creates a certificate object named lihuaio.com.
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: lihuaio.com
  namespace: default
spec:
  secretName: lihuaio.com
  commonName: '*.lihuaio.com'
  dnsNames:
  - "*.lihuaio.com"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```
- Create the Ingress
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: lihuaio-ingress
  namespace: default
  annotations:
    # on cert-manager v1.x the annotation is cert-manager.io/cluster-issuer
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - '*.lihuaio.com'
    secretName: lihuaio.com # matches secretName in the Certificate
  rules:
  - host: xx.lihuaio.com
    http:
      paths:
      - path: /
        backend:
          serviceName: backend-service
          servicePort: 80
```