Is the annotation cert-manager.io/cluster-issuer: acme-issuer enough to generate a TLS certificate?

Time: 2020-01-14 14:26:39

Tags: kubernetes cert-manager

According to the cert-manager documentation, adding the annotation cert-manager.io/cluster-issuer: acme-issuer to an Ingress object should trigger the shim, which requests a certificate from this issuer and stores the certificate (without any namespace?) (under which name?).

I tried this, but nothing happened. Adding a tls: section to the Ingress yaml definition does trigger the shim, which requests the certificate and stores it in the same namespace as the Ingress.

Does this mean the documentation is incorrect, or should it really work without the tls: section?

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: acme-issuer
    kubernetes.io/ingress.class: nginx
  name: my-ingress-name
  namespace: mynamespace
spec:
  rules:
  - host: some.domain.eu
    http:
      paths:
      - backend:
          serviceName: my-service-name
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - some.domain.eu
    secretName: secret-storage-key-for-tls-cert

2 answers:

Answer 0: (score: 1)

If you created the issuer correctly, you then need to create a Certificate, so that the issuer can use the information in the Certificate resource to issue the certificate and populate the secret:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certname
spec:
  secretName: secretName
  issuerRef:
    name: letsencrypt-prod
  commonName: <the CN>
  dnsNames:
  - <name>

Once you have this resource, it will create a secret containing the TLS certificate and store it under secretName.

Answer 1: (score: 0)

I am using it the same way you are, and I can create my TLS. However, the name of privateKeySecretRef is the original name of the ClusterIssuer. The tls section is required on the ingress.

Use:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx

Check the certificate status for debugging:

kubectl get certificate -o wide

If the status shows CertificateRequest:

kubectl get CertificateRequest -o wide
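The behaviour the question and the second answer both describe, as an added example that is not part of the original post or of cert-manager's own code: a small Python model of the ingress-shim rule (annotation plus a spec.tls entry with hosts and secretName), run over a constructed copy of the question's Ingress. The function name expected_certificates is hypothetical; the issuer, namespace, host and secret names are the ones from the question.

```python
# Added example (not from the original post): models the documented
# ingress-shim rule that a Certificate is only created when the Ingress
# carries an issuer annotation AND spec.tls lists hosts with a secretName.
# The Certificate is named after the secretName, lives in the Ingress
# namespace and takes the tls hosts as dnsNames. Manifests are plain dicts,
# as yaml.safe_load would return them; the sample Ingress is constructed.

ISSUER_ANNOTATIONS = {
    "cert-manager.io/cluster-issuer": "ClusterIssuer",
    "cert-manager.io/issuer": "Issuer",
}


def expected_certificates(ingress: dict) -> list:
    """Return the Certificate specs ingress-shim would request for an Ingress."""
    meta = ingress.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    issuer = [(k, v) for k, v in annotations.items() if k in ISSUER_ANNOTATIONS]
    if not issuer:
        return []  # no issuer annotation: ingress-shim ignores this Ingress
    ann_key, issuer_name = issuer[0]
    certs = []
    for tls in (ingress.get("spec") or {}).get("tls") or []:
        secret, hosts = tls.get("secretName"), tls.get("hosts") or []
        if not secret or not hosts:
            continue  # nothing to issue without a host and a secret to store it in
        certs.append({
            "name": secret,  # the Certificate is named after the secretName
            "namespace": meta.get("namespace", "default"),
            "secretName": secret,
            "issuerRef": {"name": issuer_name, "kind": ISSUER_ANNOTATIONS[ann_key]},
            "dnsNames": list(hosts),
        })
    return certs


# Constructed sample: the Ingress from the question, with and without tls.
INGRESS_WITH_TLS = {
    "metadata": {
        "name": "my-ingress-name",
        "namespace": "mynamespace",
        "annotations": {"cert-manager.io/cluster-issuer": "acme-issuer"},
    },
    "spec": {"tls": [{"hosts": ["some.domain.eu"],
                      "secretName": "secret-storage-key-for-tls-cert"}]},
}
INGRESS_NO_TLS = {"metadata": INGRESS_WITH_TLS["metadata"], "spec": {}}
```

With the tls block removed the annotation alone yields an empty list, which is the "nothing happened" the question reports; with it, one Certificate named secret-storage-key-for-tls-cert in mynamespace is expected, and that is the name to look for in kubectl get certificate.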