{"id":819,"date":"2022-10-28T15:22:00","date_gmt":"2022-10-28T07:22:00","guid":{"rendered":"http:\/\/www.langmanezhuang.com\/index.php\/2022\/10\/28\/k3straefikcert-managerletsencrypt%e5%ae%9e%e7%8e%b0web%e6%9c%8d%e5%8a%a1%e5%85%a8https\/"},"modified":"2022-11-26T21:10:38","modified_gmt":"2022-11-26T13:10:38","slug":"k3straefikcert-managerletsencrypt%e5%ae%9e%e7%8e%b0web%e6%9c%8d%e5%8a%a1%e5%85%a8https","status":"publish","type":"post","link":"http:\/\/blog.langmanezhuang.com\/index.php\/2022\/10\/28\/k3straefikcert-managerletsencrypt%e5%ae%9e%e7%8e%b0web%e6%9c%8d%e5%8a%a1%e5%85%a8https\/","title":{"rendered":"k3s+traefik+cert-manager+letsencrypt\u5b9e\u73b0web\u670d\u52a1\u5168https"},"content":{"rendered":"

1. \u7b80\u4ecb<\/p>\n

\u968f\u7740 HTTPS \u4e0d\u65ad\u666e\u53ca\uff0c\u8d8a\u6765\u8d8a\u591a\u7684\u7f51\u7ad9\u90fd\u5728\u4ece HTTP \u5347\u7ea7\u5230 HTTPS\uff0c\u4f7f\u7528 HTTPS \u5c31\u9700\u8981\u5411\u6743\u5a01\u673a\u6784\u7533\u8bf7\u8bc1\u4e66\uff0c\u9700\u8981\u4ed8\u51fa\u4e00\u5b9a\u7684\u6210\u672c\uff0c\u5982\u679c\u9700\u6c42\u6570\u91cf\u591a\uff0c\u4e5f\u662f\u4e00\u7b14\u4e0d\u5c0f\u7684\u5f00\u652f\u3002cert-manager \u662f Kubernetes \u4e0a\u7684\u5168\u80fd\u8bc1\u4e66\u7ba1\u7406\u5de5\u5177\uff0c\u5982\u679c\u5bf9\u5b89\u5168\u7ea7\u522b\u548c\u8bc1\u4e66\u529f\u80fd\u8981\u6c42\u4e0d\u9ad8\uff0c\u53ef\u4ee5\u5229\u7528 cert-manager \u57fa\u4e8e ACME \u534f\u8bae\u4e0e Let’s Encrypt \u6765\u7b7e\u53d1\u514d\u8d39\u8bc1\u4e66\u5e76\u81ea\u52a8\u7eed\u671f\uff0c\u5b9e\u73b0\u6c38\u4e45\u514d\u8d39\u4f7f\u7528\u8bc1\u4e66\u3002<\/p>\n

Cert-Manager \u662f\u4e00\u4e2a\u4e91\u539f\u751f\u8bc1\u4e66\u7ba1\u7406\u5f00\u6e90\u9879\u76ee\uff0c\u7528\u4e8e\u5728 Kubernetes \u96c6\u7fa4\u4e2d\u63d0\u4f9b HTTPS \u8bc1\u4e66\u5e76\u81ea\u52a8\u7eed\u671f\uff0c\u652f\u6301 Let’s Encrypt \/ HashiCorp \/ Vault \u8fd9\u4e9b\u514d\u8d39\u8bc1\u4e66\u7684\u7b7e\u53d1\u3002\u5728 Kubernetes \u4e2d\uff0c\u53ef\u4ee5\u901a\u8fc7 Kubernetes Ingress \u548c Let’s Encrypt \u5b9e\u73b0\u5916\u90e8\u670d\u52a1\u7684\u81ea\u52a8\u5316 HTTPS\u3002<\/p>\n

\u67b6\u6784\u539f\u7406\u56fe<\/p>\n

 \"\"<\/p>\n

\u89e3\u91ca\u4e0b\u51e0\u4e2a\u5173\u952e\u7684\u8d44\u6e90:<\/p>\n

Issuer\/ClusterIssuer: \u7528\u4e8e\u6307\u793a cert-manager \u7528\u4ec0\u4e48\u65b9\u5f0f\u7b7e\u53d1\u8bc1\u4e66\uff0c\u672c\u6587\u4e3b\u8981\u8bb2\u89e3\u7b7e\u53d1\u514d\u8d39\u8bc1\u4e66\u7684 ACME \u65b9\u5f0f\u3002ClusterIssuer \u4e0e Issuer \u7684\u552f\u4e00\u533a\u522b\u5c31\u662f Issuer \u53ea\u80fd\u7528\u6765\u7b7e\u53d1\u81ea\u5df1\u6240\u5728 namespace \u4e0b\u7684\u8bc1\u4e66\uff0cClusterIssuer \u53ef\u4ee5\u7b7e\u53d1\u4efb\u610f namespace \u4e0b\u7684\u8bc1\u4e66\u3002
Certificate: \u7528\u4e8e\u544a\u8bc9 cert-manager \u6211\u4eec\u60f3\u8981\u4ec0\u4e48\u57df\u540d\u7684\u8bc1\u4e66\u4ee5\u53ca\u7b7e\u53d1\u8bc1\u4e66\u6240\u9700\u8981\u7684\u4e00\u4e9b\u914d\u7f6e\uff0c\u5305\u62ec\u5bf9 Issuer\/ClusterIssuer \u7684\u5f15\u7528\u3002<\/p>\n

2.\u51c6\u5907<\/p>\n

k3s\u96c6\u7fa4\u73af\u5883
\u6709\u6548\u7684\u57df\u540d\uff08\u5982\u679c\u662f\u56fd\u5185\u4e91\u670d\u52a1\u5668\u8fd8\u9700\u8981\u5907\u6848\uff09
\u4e00\u4e2a\u53ef\u767b\u5f55\u7684\u90ae\u7bb1<\/p>\n

3.\u5f00\u59cb\u90e8\u7f72
3.1\u90e8\u7f72cert-manager
\u672c\u6587\u76f4\u63a5\u4f7f\u7528kubectl\u5b89\u88c5\uff0c\u672a\u4f7f\u7528Helm.<\/p>\n

\n
kubectl apply -f https:\/\/github.com\/cert-manager\/cert-manager\/releases\/download\/v1.7.1\/cert-manager.yaml\n<\/pre>\n<\/div>\n
\u3000\u8fd0\u884c\u5982\u4e0b\u547d\u4ee4\u53ef\u770b\u5230\u521b\u5efa\u4e863\u4e2apod\uff0c\u5e76STATUS\u4e3a\uff1aRunning<\/p>\n
\n
kubectl get pods --namespace cert-manager\n<\/pre>\n<\/div>\n
\"\"<\/p>\n
 <\/p>\n
 <\/p>\n
3.2 \u914d\u7f6eClusterIssuer<\/p>\n
\u521b\u5efaclusterIssuer.yml,\u5185\u5bb9\u5982\u4e0b<\/p>\n
\n
apiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-prod\nspec:\n  acme:\n    email: \u3010\u6b64\u5904\u4fee\u6539\u4e3a\u4f60\u7684\u90ae\u7bb1\u3011\n    privateKeySecretRef:\n      name: letsencrypt-prod\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    solvers:\n      - http01:\n          ingress:\n            class: traefik\n<\/pre>\n<\/div>\n
\u5e94\u7528\u8be5\u914d\u7f6e<\/p>\n
\n
kubectl apply -f clusterIssuer.yml\n<\/pre>\n<\/div>\n
\u81f3\u6b64\uff0c\u57fa\u672c\u914d\u7f6e\u5df2\u5b8c\u6210\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u5efa\u7acb\u4e00\u4e2adeployment\uff0cservice,traefik\u8fdb\u884c\u6d4b\u8bd5<\/p>\n
4.\u6d4b\u8bd5
4.1\u521b\u5efanginx Deployment
\u521b\u5efa\u4e00\u4e2aDeployment\u8d44\u6e90,nginx.yml<\/p>\n
\n
apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: nginx-deployment\nspec:\n  selector:\n    matchLabels:\n      app: nginx\n  replicas: 2 # tells deployment to run 2 pods matching the template\n  template:\n    metadata:\n      labels:\n        app: nginx\n    spec:\n      containers:\n      - name: nginx\n        image: nginx:1.14.2\n        ports:\n        - containerPort: 80\n<\/pre>\n<\/div>\n
4.2\u521b\u5efaNginx Service
nginxservice.yml<\/p>\n
\n
apiVersion: v1\nkind: Service\nmetadata:\n  labels:\n    app: video-nginx\n  name: video-nginx\n  namespace: default\nspec:\n  ports:\n    - port: 8888\n      protocol: TCP\n      name: nginx\n      targetPort: 80\n  type: ClusterIP\n  selector:\n    app: nginx\n<\/pre>\n<\/div>\n
5.\u521b\u5efaIngress \uff08\u91cd\u70b9\uff09<\/span>
workingress.yml<\/p>\n
\n
apiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n  name: work<\/span>-ingress\n  namespace: <\/span>default<\/span>\n  annotations:\n    kubernetes.io<\/span>\/ingress.class<\/span>: traefik\n    cert<\/span>-manager.io\/cluster-issuer: letsencrypt-prod  # letsencrypt-<\/span>prod\u4e3aClusterIssuer\u540d\u79f0<\/span> \nspec:\n  tls:\n    <\/span>- secretName: test-tls # \u8bc1\u4e66\u540d\n      hosts:\n        <\/span>- your domain # \u57df\u540d\n  rules:\n    <\/span>- host: your domain # \u57df\u540d\n      http:\n        paths:\n          <\/span>- path: \/\n            pathType: ImplementationSpecific\n            backend:\n              service:\n                name: video<\/span>-nginx # \u670d\u52a1\u540d\n                port: \n                  number: <\/span>80 # \u670d\u52a1\u7684\u7aef\u53e3\u53f7 service port\uff0c\u975epod port<\/pre>\n<\/div>\n
 <\/p>\n
\u81f3\u6b64\uff0c\u6d4b\u8bd5\u7a0b\u5e8f\u5df2\u7ecf\u90e8\u7f72\u5b8c\u6210\uff0c\u63a5\u4e0b\u6765\uff0c\u5728\u6d4f\u89c8\u5668\u8f93\u5165https:\/\/\u4f60\u7684\u57df\u540d\uff0c\u5373\u53ef\u770b\u5230\u4f60\u7684\u7f51\u7ad9\u5df2\u7ecf\u4f7f\u7528HTTPS\u534f\u8bae\u4e86\u3002<\/p>\n
6.Http\u81ea\u52a8\u91cd\u5b9a\u5411\u5230Https<\/p>\n
6.1\u521b\u5efa\u4e00\u4e2aMiddleware<\/p>\n
\n
apiVersion: traefik.containo.us\/v1alpha1\nkind: Middleware\nmetadata:\nname: redirect-https\nspec:\n  redirectScheme:\n    scheme: https\n    permanent: true\n<\/pre>\n<\/div>\n
6.2\u5728Ingress\u4e2d\u6dfb\u52a0\u6ce8\u89e3traefik.ingress.kubernetes.io\/router.middlewares: default-redirect-https@kubernetescrd\u6ce8\u610fdefault\u662f\u547d\u540d\u7a7a\u95f4\uff0credirect-https\u4e3aMiddleware\u7684name<\/p>\n
\"\"<\/p>\n
 <\/p>\n
 <\/p>\n
\u514d\u8d39\u5728\u7ebf\u6d41\u7a0b\u56fe\u3001\u601d\u7ef4\u5bfc\u56fe\u3001\u4e13\u4e1a\u5f3a\u5927\u7684\u4f5c\u56fe\u5de5\u5177<\/a>\uff0c\u652f\u6301\u591a\u4eba\u5b9e\u65f6\u5728\u7ebf\u534f\u4f5c\uff0c\u53ef\u7528\u4e8e\u539f\u578b\u56fe\u3001UML\u3001BPMN\u3001\u7f51\u7edc\u62d3\u6251\u56fe\u7b49\u591a\u79cd\u56fe\u5f62\u7ed8\u5236 \u611f\u89c9\u771f\u4e0d\u9519\u63a8\u8350\u7ed9\u5927\u5bb6\uff01<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
1. \u7b80\u4ecb \u968f\u7740 HTTPS \u4e0d\u65ad\u666e\u53ca\uff0c\u8d8a\u6765\u8d8a\u591a\u7684\u7f51\u7ad9\u90fd\u5728\u4ece HTTP \u5347\u7ea7\u5230 HTTPS\uff0c\u4f7f\u7528 HTTPS  … \u7ee7\u7eed\u9605\u8bfb k3s+traefik+cert-manager+letsencrypt\u5b9e\u73b0web\u670d\u52a1\u5168https<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,28],"tags":[33,8,34,35,36,7,9,39,37,38],"_links":{"self":[{"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/posts\/819"}],"collection":[{"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/comments?post=819"}],"version-history":[{"count":1,"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/posts\/819\/revisions"}],"predecessor-version":[{"id":956,"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/posts\/819\/revisions\/956"}],"wp:attachment":[{"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/media?parent=819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/categories?post=819"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.langmanezhuang.com\/index.php\/wp-json\/wp\/v2\/tags?post=819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}