cloud
cloud-native
云原生与 kubernetes
运维
部署证书

部署证书

定期证书申请 (仅供参考)

/root/.acme.sh/acme.sh --issue --force --dns dns_ali -d 'jansora.com' -d '*.jansora.com'  -d '*.kubernetes.jansora.com'  -d '*.fabric.jansora.com' -d '*.transfer.jansora.com'
 
# 拷贝到 master 节点
cp -r ~/.acme.sh/jansora.com_ecc/fullchain.cer /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.crt
cp -r ~/.acme.sh/jansora.com_ecc/jansora.com.key /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.key
rsync -avzr -e 'ssh' /etc/openresty/certs root@kubernetes.jansora.com:/etc/openresty/
 
## 刷新证书 (初次首建)
ssh -o StrictHostKeyChecking=no -p 22 kubernetes.jansora.com '
kubectl create secret tls wildcard.jansora.com \
  --key /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.key \
  --cert /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.crt \
  --namespace default \
  --dry-run=client -o yaml | kubectl apply -f -
'
 

配置参考

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - demo.kubernetes.jansora.com
      secretName: wildcard.jansora.com
  rules:
    - host: demo.kubernetes.jansora.com
      http:
        paths:
          - backend:
              service:
                name: demo-service
                port:
                  number: 8080
            pathType: Prefix
            path: /