### cert-manager
# Register the upstream chart repos: cert-manager itself (jetstack) and a community AliDNS DNS-01 webhook chart.
helm repo add jetstack https://charts.jetstack.io
helm repo add cert-manager-alidns-webhook https://devmachine-fr.github.io/cert-manager-alidns-webhook
# Pull a pinned chart version rather than "latest" so the install is reproducible and reviewable.
# NOTE(review): `helm pull` leaves a .tgz in the cwd, while `helm install ... ./` further down expects an
# unpacked chart directory — either add `--untar` here or extract and cd into the chart first; confirm.
helm pull jetstack/cert-manager --version v1.12.7
# The devmachine-fr webhook chart was evaluated but not used; the pragkent bundle.yaml below is applied instead.
##helm pull cert-manager-alidns-webhook/alidns-webhook --version 0.7.0
# values.yaml for the cert-manager chart
ingressShim:
  # Ingress objects that request a certificate via ingress-shim without naming an issuer
  # fall back to this ClusterIssuer (the ZeroSSL production issuer defined at the end of this file).
  defaultIssuerName: "zerossl-production"
  defaultIssuerKind: "ClusterIssuer"
# Let the Helm release own the CRDs. NOTE(review): with this set, `helm uninstall` also removes the
# CRDs and therefore every Certificate/Issuer object in the cluster — confirm that is acceptable.
installCRDs: true
extraArgs:
  # Make each Certificate the owner of its TLS Secret, so deleting the Certificate garbage-collects
  # the Secret (and the private key in it) as well.
  - --enable-certificate-owner-ref=true
  # DNS-01 propagation self-checks query only the public resolvers listed below, bypassing the
  # cluster DNS and the zone's authoritative servers.
  - --dns01-recursive-nameservers-only
  - --dns01-recursive-nameservers=8.8.8.8:53,114.114.114.114:53
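# Install cert-manager from the locally pulled chart; values.yaml (above) lives next to the chart.
# --create-namespace is a no-op if cert-manager already exists and avoids a failed first install.
helm install cert-manager -f values.yaml ./ -n cert-manager --create-namespace
# Fetch the alidns webhook deployment bundle.
# NOTE(review): `master` is a mutable ref — pin to a release tag or commit SHA and read the bundle
# before applying it: it grants the webhook RBAC and, via the issuers below, access to the AliDNS
# credential Secret.
wget https://raw.githubusercontent.com/pragkent/alidns-webhook/master/deploy/bundle.yaml
# Rename the example API group to your own domain (the original notes did this inside vim with
# `:%s/yourcompany/yourdomain/g`, which is not a shell command). The resulting groupName must match
# `groupName` in the ClusterIssuers below (acme.yourdomain.com).
sed -i 's/yourcompany/yourdomain/g' bundle.yaml
# Sanity-check the rendered objects, then apply.
kubectl apply --dry-run=client -f bundle.yaml
kubectl apply -f bundle.yaml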
###cd alidns-webhook-0.7.0
###groupName: yourdomain.com
###helm install alidns-webhook -n cert-manager ./
###d.vimll.com:9888/root/plulic/cert-manager-alidns-webhook/cert-manager-alidns-webhook:0.2.0
##
###kubectl create secret generic alidns-secrets --from-literal="access-token=<ALIDNS_ACCESS_KEY_ID>" --from-literal="secret-key=<ALIDNS_ACCESS_KEY_SECRET>" -n istio-system
### NOTE(review): a real-looking AliCloud AccessKey ID/Secret pair was committed on this line; treat it as compromised, rotate it in RAM, and keep credentials out of this file (use placeholders or a secret store).
https://github.com/pragkent/alidns-webhook
https://cert-manager.io/docs/configuration/
https://cert-manager.io/docs/usage/ingress/
# Base64-encode the AliDNS AccessKey ID and AccessKey Secret (presumably in that order) for the
# `data:` fields of alidns-secret.yaml below. `-n` matters: a trailing newline would become part
# of the credential and authentication would fail.
# NOTE(review): typing the real values on the command line records them in shell history; prefer
# `stringData:` in a file that is never committed, or `kubectl create secret ... --from-file`.
echo -n xxxxxxxxxxxxxxxxxxxxxx |base64
echo -n xxxxxxxxxxxxxxxxxxxxxxxxx |base64
#### cat issuer.yaml
###apiVersion: cert-manager.io/v1
###kind: Issuer
###metadata:
### name: letsencrypt
### namespace: istio-system
###spec:
### acme:
### email: xxxxxxx@xxxxxxxxxxxx.com
### privateKeySecretRef:
### name: letsencrypt
### server: https://acme-staging-v02.api.letsencrypt.org/directory
### solvers:
### - dns01:
### webhook:
### config:
### accessTokenSecretRef:
### key: access-token
### name: alidns-secrets
### regionId: cn-hangzhou
### secretKeySecretRef:
### key: secret-key
### name: alidns-secrets
### groupName: yourdomain.com
### solverName: alidns-solver
### selector:
### dnsNames:
### - yourdomain.com
### - '*.yourdomain.com'
### - '*.s3.yourdomain.com'
###
###kubectl apply -f issuer.yaml -n istio-system
###
#### cat yourdomain-cert.yaml
###apiVersion: cert-manager.io/v1
###kind: Certificate
###metadata:
### name: yourdomain-tls
###spec:
### secretName: yourdomain-com-tls
### commonName: yourdomain.com
### dnsNames:
### - yourdomain.com
### - "*.yourdomain.com"
### - "*.s3.yourdomain.com"
### issuerRef:
### name: letsencrypt
### kind: Issuer
###
###kubectl apply -f yourdomain-cert.yaml -n istio-system
# cat alidns-secret.yaml
# AliDNS credentials the webhook uses to create/delete the _acme-challenge TXT records.
# Must live in the cert-manager namespace: a ClusterIssuer's webhook secretRefs are resolved in
# cert-manager's cluster-resource namespace (cert-manager by default), not in the Certificate's namespace.
apiVersion: v1
kind: Secret
metadata:
  name: alidns-secret
  namespace: cert-manager
# `data:` values must be base64 (see the `echo -n ... | base64` lines above); the x's are placeholders
# and are not valid base64 as written.
# NOTE(review): issue this AccessKey to a dedicated RAM user limited to DNS record management for
# this zone — never an account-wide key — and do not commit the populated file.
data:
  access-key: xxxxxxxxxxxxxxxxxxxxx
  secret-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# (shell) apply after filling in the values
kubectl apply -f alidns-secret.yaml -n cert-manager
# cat clusterissuer.yaml
# Let's Encrypt *staging* ClusterIssuer solving DNS-01 through the alidns webhook.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: xxxxxxxxxxxx@xxxxxxxxxx.com
    # Staging CA: certificates are NOT browser-trusted, but issuance is not subject to production
    # rate limits. For real certificates switch to https://acme-v02.api.letsencrypt.org/directory
    # and use a different privateKeySecretRef (accounts are per-directory).
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # ACME account private key; cert-manager stores it in its own namespace.
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          webhook:
            # groupName/solverName must match what the webhook bundle registers
            # (bundle.yaml after the yourcompany -> yourdomain rename) or no solver will be found.
            groupName: acme.yourdomain.com
            solverName: alidns
            config:
              region: ""
              # Both refs point at alidns-secret in the cert-manager namespace (created above).
              accessKeySecretRef:
                name: alidns-secret
                key: access-key
              secretKeySecretRef:
                name: alidns-secret
                key: secret-key
        # This solver is used only for these names; the bare apex yourdomain.com is not listed here.
        selector:
          dnsNames:
            - '*.yourdomain.com'
            - '*.s3.yourdomain.com'
# cat yourdomain-cert.yaml
# Wildcard certificate from the staging ClusterIssuer. Certificate is a namespaced resource; it is
# applied to istio-system below, so the TLS Secret is created there.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yourdomain-tls
spec:
  # Secret that receives tls.crt/tls.key.
  # NOTE(review): this name (`yourdomain-com-tls`) differs from `yourdomain.com-tls` used by the
  # kubectl get/create commands further down and from `yourdomain-tls` used by the ZeroSSL
  # Certificate — pick one consistently or the export commands read the wrong (or missing) Secret.
  secretName: yourdomain-com-tls
  #commonName: yourdomain.com
  dnsNames:
    # apex left out here; the staging ClusterIssuer's selector also lists only the wildcards
    #- yourdomain.com
    - "*.yourdomain.com"
    - "*.s3.yourdomain.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
    #name: letsencrypt
    #kind: Issuer
# (shell) ClusterIssuer is cluster-scoped, so -n is ignored for it; the Certificate lands in istio-system.
kubectl apply -f clusterissuer.yaml -n cert-manager
kubectl apply -f yourdomain-cert.yaml -n istio-system
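# View the issued certificate.
# NOTE(review): the Certificates in this file write `yourdomain-com-tls` and `yourdomain-tls`;
# `yourdomain.com-tls` only exists after the acme.sh import at the end of this block — adjust the name.
kubectl get secrets -n istio-system yourdomain.com-tls -o json |jq --raw-output '.data["tls.crt"]'|base64 -d
# Export for nginx. Tighten umask first so the private key is never world-readable, even briefly
# (this umask persists for the rest of the shell session).
umask 077
mkdir -p /etc/nginx/ssl
kubectl get secrets -n istio-system yourdomain.com-tls -o=jsonpath='{.data.tls\.crt}'|base64 --decode > /etc/nginx/ssl/fullchain.cer
kubectl get secrets -n istio-system yourdomain.com-tls -o=jsonpath='{.data.tls\.key}'|base64 --decode > /etc/nginx/ssl/yourdomain.com.key
chmod 0644 /etc/nginx/ssl/fullchain.cer
chmod 0600 /etc/nginx/ssl/yourdomain.com.key
# Inspect the exported chain (absolute path: the file was written to /etc/nginx/ssl, not the cwd).
openssl x509 -in /etc/nginx/ssl/fullchain.cer -noout -text
# Alternative path: import a certificate issued outside the cluster by acme.sh into the same Secret name.
# Do not combine with a cert-manager Certificate that targets the same secretName — they would overwrite each other.
kubectl create secret tls yourdomain.com-tls --cert=/root/.acme.sh/yourdomain.com/fullchain.cer --key=/root/.acme.sh/yourdomain.com/yourdomain.com.key -n istio-system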
## zerossl
# ZeroSSL's ACME endpoint requires External Account Binding: the EAB HMAC key obtained from ZeroSSL
# is stored here and referenced by keySecretRef in the ClusterIssuer below. The x's are a placeholder.
# NOTE(review): --from-literal leaves the key in shell history; prefer `--from-file=secret=<path>`
# or a secret manager. The secret must be in the cert-manager namespace for a ClusterIssuer to find it.
kubectl create secret generic \
  zero-ssl-eabsecret \
  --namespace=cert-manager \
  --from-literal=secret='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
# cat zerosslclusterissuer.yaml
# ZeroSSL production ClusterIssuer (the ingress-shim default issuer in values.yaml).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: zerossl-production
spec:
  acme:
    # ZeroSSL ACME server (production: certificates issued here are publicly trusted —
    # validate the webhook setup against the Let's Encrypt staging issuer above first)
    server: https://acme.zerossl.com/v2/DV90
    email: xxxxx@xxxxxxxx.com
    # name of the Secret used to store the ACME account private key
    privateKeySecretRef:
      name: zerossl-prod
    # each cert-manager installation needs its own EAB credentials (key ID + HMAC key)
    externalAccountBinding:
      # EAB key ID as shown by ZeroSSL; placeholder here
      keyID: xxxxxxxxxxxxxxxx
      # HMAC key from the zero-ssl-eabsecret Secret created above (cert-manager namespace)
      keySecretRef:
        name: zero-ssl-eabsecret
        key: secret
      # NOTE(review): keyAlgorithm is deprecated and ignored in recent cert-manager releases;
      # check the v1.12 API reference and drop it if so.
      keyAlgorithm: HS256
    solvers:
      - dns01:
          webhook:
            # must match the group/solver registered by the webhook bundle
            groupName: acme.yourdomain.com
            solverName: alidns
            config:
              region: ""
              # same AliDNS credential Secret as the staging issuer (cert-manager namespace)
              accessKeySecretRef:
                name: alidns-secret
                key: access-key
              secretKeySecretRef:
                name: alidns-secret
                key: secret-key
        # unlike the staging issuer, the apex name is included here
        selector:
          dnsNames:
            - yourdomain.com
            - "*.yourdomain.com"
            - "*.s3.yourdomain.com"
# cat zerosslyourdomain-cert.yaml
# Production certificate (apex + wildcards) from the ZeroSSL ClusterIssuer, applied to istio-system.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yourdomain-tls-zerossl
spec:
  # NOTE(review): written to `yourdomain-tls`, a different Secret from the staging Certificate
  # (`yourdomain-com-tls`) and from the `yourdomain.com-tls` the export commands read — make sure
  # the gateway/ingress references the one you actually intend to serve.
  secretName: yourdomain-tls
  #commonName: yourdomain.com
  dnsNames:
    - "yourdomain.com"
    - "*.yourdomain.com"
    - "*.s3.yourdomain.com"
  issuerRef:
    name: zerossl-production
    kind: ClusterIssuer
    #name: letsencrypt
    #kind: Issuer
# (shell) ClusterIssuer is cluster-scoped; the Certificate and its Secret live in istio-system.
kubectl apply -f zerosslclusterissuer.yaml
kubectl apply -f zerosslyourdomain-cert.yaml -n istio-system