Kubernetes practical skills: use cert-manager to issue free certificates for DNSPod domain names

2022-06-24 12:26:00 imroc

This article is excerpted from the Kubernetes Learning Notes.

Overview

If your domain name is managed with DNSPod and you want to automatically issue free certificates for it on Kubernetes, you can use cert-manager to do so.

cert-manager supports many DNS providers, but not the Chinese provider DNSPod. However, cert-manager provides a webhook mechanism for extending providers, and the community has a DNSPod provider implementation. This article shows how to combine cert-manager with cert-manager-webhook-dnspod to automatically issue free certificates for domain names hosted on DNSPod.

Prerequisites

It is recommended to first read "Use cert-manager to issue free certificates".

Create a DNSPod API key

In the DNSPod console, create a key under Key management, then copy the automatically generated ID and Token and save them for the next step.

Install cert-manager-webhook-dnspod

Following the article recommended above, we assume that cert-manager is already installed in the cluster. Use helm to install cert-manager-webhook-dnspod.

First prepare the helm configuration file (dnspod-webhook-values.yaml):

groupName: example.your.domain # a name that identifies the group; any value will do

secrets: # paste the ID and Token generated earlier below
  apiID: "<ID>"
  apiToken: "<Token>"

clusterIssuer:
  enabled: true # automatically create a ClusterIssuer
  email: "<Email>" # fill in your email address

See values.yaml for the complete configuration.

Then install it with helm:

git clone --depth 1 https://github.com/qqshfox/cert-manager-webhook-dnspod.git
helm upgrade --install -n cert-manager -f dnspod-webhook-values.yaml cert-manager-webhook-dnspod ./cert-manager-webhook-dnspod/deploy/cert-manager-webhook-dnspod

Create a certificate

Create a Certificate object to issue a free certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-crt
  namespace: istio-system
spec:
  secretName: example-com-crt-secret # the certificate is saved in this Secret
  issuerRef:
    name: cert-manager-webhook-dnspod-cluster-issuer # use the automatically created ClusterIssuer
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames: # the domain names the certificate is issued for; make sure they are managed by DNSPod
  - example.com
  - test.example.com

Wait for the READY status to become True, which indicates that the certificate was issued successfully:

$ kubectl -n istio-system get certificates.cert-manager.io
NAME              READY   SECRET                   AGE
example-com-crt   True    example-com-crt-secret   25d

If issuance fails, describe the Certificate to see the reason:

kubectl -n istio-system describe certificates.cert-manager.io example-com-crt
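
READY only reports that cert-manager finished issuance. The script below is an added example, not part of the original article: it pulls the leaf certificate out of the Secret and checks that it covers the expected names and is not about to expire. The function names are hypothetical, and it assumes kubectl, openssl and base64 are installed.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the certificate
# that cert-manager wrote to the Secret before an Ingress/Gateway serves it.

# fetch_cert NAMESPACE SECRET OUTFILE: write the Secret's tls.crt (PEM) to OUTFILE.
# tls.crt holds the leaf first, then the chain; openssl x509 reads only the leaf.
fetch_cert() {
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$3"
}

# san_names FILE: print the DNS subjectAltName entries, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# covers_name FILE NAME: succeed if NAME is listed exactly, or is covered by a
# wildcard one label up (*.example.com covers test.example.com only).
covers_name() {
  san_names "$1" | grep -qxF -e "$2" -e "*.${2#*.}"
}

# check_cert FILE MIN_DAYS NAME...: print one line per problem found and
# return non-zero if the certificate expires too soon or lacks a name.
check_cert() {
  file=$1; min_days=$2; shift 2; rc=0
  openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "expires within ${min_days} days"; rc=1; }
  for name in "$@"; do
    covers_name "$file" "$name" || { echo "SAN missing: $name"; rc=1; }
  done
  return $rc
}

# Usage with the names from this article:
#   fetch_cert istio-system example-com-crt-secret /tmp/example-com-crt.pem
#   check_cert /tmp/example-com-crt.pem 15 example.com test.example.com
```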

Use the certificate

After the certificate is successfully issued, it is saved to the Secret we specified. Here are some examples of using it.

Using it in an Ingress (the Secret must be in the same namespace as the Ingress):

apiVersion: networking.k8s.io/v1 # networking.k8s.io/v1beta1 was removed in Kubernetes 1.22
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
  tls: # tls is a list; each entry pairs hosts with a certificate Secret
  - hosts:
    - test.example.com
    secretName: example-com-crt-secret # references the certificate Secret

Using it in Istio's ingressgateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-gw
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: HTTP-80
      protocol: HTTP
    hosts:
    - example.com
    - test.example.com
    tls:
      httpsRedirect: true # redirect HTTP to HTTPS (force HTTPS)
  - port:
      number: 443
      name: HTTPS-443
      protocol: HTTPS
    hosts:
    - example.com
    - test.example.com
    tls:
      mode: SIMPLE
      credentialName: example-com-crt-secret # references the certificate Secret
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-vs
  namespace: test
spec:
  gateways:
  - istio-system/example-gw # bind the routing rules to the ingressgateway to expose the service
  hosts:
  - 'test.example.com'
  http:
  - route:
    - destination:
        host: example
        port:
          number: 80

Copyright notice
This article was written by [imroc]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/06/20210602112722723h.html