上篇介绍了在 k8s 中用 cert-manager + Cloudflare 配置 Let's Encrypt 证书,本篇升级 cert-manager 版本并改用 ZeroSSL 证书,同时兼顾初次安装。
安装 cert-manager
添加 cert-manager 仓库
# Add the jetstack chart repository and refresh the local chart index.
helm repo add jetstack https://charts.jetstack.io
helm repo update
生成 values.yaml
# Dump the chart's default values to a local file so they can be edited below.
helm show values jetstack/cert-manager > values.yaml
https://cert-manager.io/docs/tutorials/zerossl/zerossl/
初次安装 values.yaml 修改建议
# Suggested values.yaml overrides for a first install (merge into the file generated above).
# NOTE(review): newer chart versions also expose crds.enabled / crds.keep in place of
# installCRDs — confirm against the values.yaml of the chart version being installed.
installCRDs: true
prometheus:
  enabled: false
webhook:
  # webhook call timeout in seconds
  timeoutSeconds: 10
切换 zerossl
# Make Ingress resources annotated for cert-manager default to the ZeroSSL ClusterIssuer
# defined later in this guide (3-clusterIssuer.yaml).
ingressShim:
  defaultIssuerName: "zerossl-production"
  defaultIssuerKind: "ClusterIssuer"
如果想查看生成的清单,可以使用
# Render the manifests locally (no cluster changes) to review what will be installed.
helm template cert-manager jetstack/cert-manager -n cert-manager -f values.yaml > cert-manager.yaml
安装 cert-manager
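# Install (first-time install):
# helm install cert-manager jetstack/cert-manager -n cert-manager --create-namespace -f values.yaml
# Upgrade. --install makes the same command work on a fresh cluster, but then the
# release namespace does not exist yet, so --create-namespace is needed as well.
# --version pins the chart release so the upgrade is reproducible.
helm upgrade --install --create-namespace --namespace cert-manager --version v1.19.2 cert-manager jetstack/cert-manager -f values.yaml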
等待 cert-manager 的 Pod 就绪
# Block until every pod in the cert-manager namespace reports Ready; the webhook must be
# up before the ClusterIssuer / Certificate resources below are applied.
kubectl wait --for=condition=Ready pods --all -n cert-manager
# Example output:
# pod/cert-manager-74cb9c54dd-rs446 condition met
# pod/cert-manager-cainjector-5b99cf9569-c6bpt condition met
# pod/cert-manager-webhook-b9999597-xtfl6 condition met
获取 ZeroSSL 的 EAB 账户 ID(Key ID)和 HMAC 密钥

获取 CloudFlare API-Token
https://dash.cloudflare.com/profile/api-tokens
创建令牌->API 令牌模板: 编辑DNS


下面使用 ClusterIssuer。ClusterIssuer 是集群级资源,它引用的 Secret 会在 cert-manager 自身所在的名称空间中查找,所以下面两个 Secret 必须创建在 cert-manager 名称空间。
https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/
# cat 1-zero-ssl-eabsecret.yaml
# Holds the ZeroSSL EAB HMAC key. stringData is stored by the API server as base64 in etcd
# (not encrypted unless encryption at rest is configured), so keep the filled-in file out
# of version control.
apiVersion: v1
kind: Secret
metadata:
  name: zero-ssl-eabsecret
  # must live in the cert-manager namespace: a ClusterIssuer resolves secretRefs there
  namespace: cert-manager
stringData:
  # key name must match keySecretRef.key in 3-clusterIssuer.yaml
  secret: <YOUR_ENCODED_ZEROSSL_EAB_HMAC_KEY>
# cat 2-cloudflare-api-token-secret.yaml
# Holds the Cloudflare API token used for DNS-01 challenges. Create it from the
# "Edit DNS" template and restrict it to only the zone(s) cert-manager must manage;
# keep the filled-in file out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  # must live in the cert-manager namespace: a ClusterIssuer resolves secretRefs there
  namespace: cert-manager
type: Opaque
stringData:
  # key name must match apiTokenSecretRef.key in 3-clusterIssuer.yaml
  api-token: <CloudFlare API Token>
# cat 3-clusterIssuer.yaml
# Cluster-wide ACME issuer for ZeroSSL, authenticated with External Account Binding and
# validating domains via Cloudflare DNS-01.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: zerossl-production
spec:
  acme:
    # ZeroSSL ACME server
    server: https://acme.zerossl.com/v2/DV90
    # ACME account contact address — replace with a mailbox you actually monitor
    email: dummy-email@yopmail.com # OR YOUR EMAIL
    # name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: zerossl-prod
    # for each cert-manager new EAB credentials are required
    externalAccountBinding:
      keyID: <YOUR_ZEROSSL_EAB_KEY_ID>
      # references 1-zero-ssl-eabsecret.yaml (namespace cert-manager)
      keySecretRef:
        name: zero-ssl-eabsecret
        key: secret
    # ACME DNS-01 provider configurations to verify domain
    solvers:
    # no selector, so this single solver handles every dnsName requested
    - dns01:
        cloudflare:
          # references 2-cloudflare-api-token-secret.yaml (namespace cert-manager)
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
# cat 4-certificate.yaml
# Requests one certificate covering the apex and wildcard names; the issued material lands
# in the Secret named by secretName, in the Certificate's own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-sundayhk-com
  namespace: blog
spec:
  secretName: wildcard-sundayhk-com-tls # the issued certificate is stored in this Secret
  issuerRef:
    kind: ClusterIssuer
    name: zerossl-production # references the ClusterIssuer above
  commonName: "sundayhk.com"
  # NOTE(review): requesting both names at once is what produces the pending/timeout
  # challenge described further down; the two-step variant at the end of the page works around it
  dnsNames:
  - "*.sundayhk.com"
  - "sundayhk.com"
同时申请主域名+泛域名时,第二个 challenge 会超时,处理方法见下文
# cat 5-ingress.yaml
# Demo workload (whoami) plus a Service and an nginx Ingress that terminates TLS for sundayhk.com.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: blog
  labels:
    app: containous
    name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: containous
      task: whoami
  template:
    metadata:
      labels:
        app: containous
        task: whoami
    spec:
      containers:
      - name: containouswhoami
        # no tag or digest, so this pulls whatever "latest" is at deploy time; pin a
        # tag/digest for reproducible and auditable deploys
        image: containous/whoami
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: blog
spec:
  ports:
  - name: http
    port: 80
  selector:
    app: containous
    task: whoami
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-ingress
  namespace: blog
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - "sundayhk.com"
    # NOTE(review): this is not the Secret written by 4-certificate.yaml
    # (wildcard-sundayhk-com-tls); the `kubectl get certificate` output later on the page
    # shows a separate sundayhk-com certificate backing it — confirm which one the Ingress
    # should serve
    secretName: sundayhk-com-tls
  rules:
  - host: sundayhk.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: whoami
            port:
              number: 80
# Apply in numbered order: the two Secrets must exist before the ClusterIssuer that
# references them, and the ClusterIssuer before the Certificate / Ingress that use it.
kubectl apply -f 1-zero-ssl-eabsecret.yaml
kubectl apply -f 2-cloudflare-api-token-secret.yaml
kubectl apply -f 3-clusterIssuer.yaml
kubectl apply -f 4-certificate.yaml
kubectl apply -f 5-ingress.yaml
$ kubectl get clusterissuer
NAME READY AGE
zerossl-production True 15s
主域名+泛域名同时申请时第二个 challenge 超时的处理
root@arm-us1:~# kubectl get certificate,order,challenge -n blog
NAME READY SECRET AGE
certificate.cert-manager.io/sundayhk-com True sundayhk-com-tls 7m51s
certificate.cert-manager.io/wildcard-sundayhk-com False wildcard-sundayhk-com-tls 3m55s
NAME STATE AGE
order.acme.cert-manager.io/sundayhk-com-1-2142508995 valid 7m51s
order.acme.cert-manager.io/wildcard-sundayhk-com-1-1043454861 pending 3m55s
NAME STATE DOMAIN AGE
challenge.acme.cert-manager.io/wildcard-sundayhk-com-1-1043454861-2742518390 valid sundayhk.com 3m50s
challenge.acme.cert-manager.io/wildcard-sundayhk-com-1-1043454861-347502299 pending sundayhk.com 3m50s
# 查看处于 pending 状态的 challenge
root@arm-us1:~# kubectl describe challenge.acme.cert-manager.io/wildcard-sundayhk-com-1-1043454861-347502299 -n blog
Name: wildcard-sundayhk-com-1-1043454861-347502299
Namespace: blog
...
Token: aV0cIb-E2V7TQ1E8MowsQYyhXXdH3I0dPsOFlOOdJCU
Type: DNS-01
URL: https://acme.zerossl.com/v2/DV90/chall/zbsmCjkuu2X1TAOlm80tYQ
Wildcard: false
Status:
Presented: false
Processing: false
Reason: unexpected non-ACME API error: context deadline exceeded
State: errored
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 4m27s cert-manager-challenges Challenge scheduled for processing
Normal Presented 4m22s cert-manager-challenges Presented challenge using DNS-01 challenge mechanism
解决方法:第一次只用泛域名申请,签发成功后,再加上主域名重新申请
# Two-step variant of 4-certificate.yaml: issue the wildcard name first, then add the apex
# name and re-apply once the wildcard certificate is Ready.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-sundayhk-com
  namespace: blog
spec:
  secretName: wildcard-sundayhk-com-tls
  issuerRef:
    kind: ClusterIssuer
    name: zerossl-production
  commonName: "sundayhk.com"
  dnsNames:
  - "*.sundayhk.com"
  # - "sundayhk.com" # uncomment and apply again once the wildcard certificate has been issued
SundayHK