Before using Let's Encrypt you need a domain name, for example one bought from GoDaddy, Name or a similar registrar. The purchase steps are not covered here; follow any of the online tutorials.
Deploy it directly with Helm:

```sh
helm install stable/nginx-ingress --name nginx-ingress --set rbac.create=true --namespace=kube-system
```
After the deployment succeeds, look up the public IP address of the Ingress service (the rest of this page assumes it is 6.6.6.6):

```sh
$ kubectl -n kube-system get service nginx-ingress-controller
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
nginx-ingress-controller   LoadBalancer   10.0.216.124   6.6.6.6       80:31935/TCP,443:31797/TCP   4d
```
Then, at your domain registrar, create an A record that resolves the domain you need to 6.6.6.6.
```sh
# Install cert-manager
helm install --namespace=kube-system --name cert-manager stable/cert-manager --set ingressShim.defaultIssuerName=letsencrypt --set ingressShim.defaultIssuerKind=ClusterIssuer
# create cluster issuer
kubectl apply -f https://raw.githubusercontent.com/feiskyer/kubernetes-handbook/master/manifests/ingress-nginx/cert-manager/cluster-issuer.yaml
```
First, create a Secret holding the credentials used for login authentication:

```sh
$ htpasswd -c auth foo
$ kubectl -n kube-system create secret generic basic-auth --from-file=auth
```
Create a TLS Ingress for the nginx service (port 80) that automatically redirects http://echo-tls.example.com to https://echo-tls.example.com:

```sh
cat <<EOF | kubectl create -f-
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/ssl-redirect: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - echo-tls.example.com
    secretName: web-tls
  rules:
  - host: echo-tls.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
EOF
```
Create a TLS Ingress for the Kubernetes Dashboard service (port 443) and disable plain HTTP access for that domain:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/secure-backends: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt
  name: dashboard
  namespace: kube-system
spec:
  tls:
  - hosts:
    - dashboard.example.com
    secretName: dashboard-ingress-tls
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
```
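The two Ingresses above only protect the services if every one of the annotations lands as intended: `tls-acme` for cert-manager, `ssl-redirect` or `allow-http: "false"` so plain HTTP cannot bypass TLS, the basic-auth trio for the dashboard, and `secure-backends` because the dashboard listens on 443. The following linter is an added example, not code from the kubernetes-handbook; it checks those settings on a manifest parsed into a dict, and `lint_ingress`, `DASHBOARD_NO_AUTH` and the finding texts are its own constructed names.

```python
"""Lint an Ingress manifest for the TLS and auth settings the Ingresses on this page rely on.
Takes the manifest already parsed into a dict (what yaml.safe_load would return)."""

K8S = "kubernetes.io/"                    # annotation prefix for tls-acme, allow-http, ingress.class
NGX = "nginx.ingress.kubernetes.io/"      # annotation prefix for auth-* and secure-backends


def lint_ingress(manifest, require_auth=False):
    """Return a list of findings for one Ingress; an empty list means it passes."""
    meta = manifest.get("metadata", {})
    ann = meta.get("annotations", {})
    spec = manifest.get("spec", {})
    name = meta.get("name", "<unnamed>")
    out = []
    if ann.get(K8S + "tls-acme") != "true":
        out.append(f"{name}: tls-acme is not \"true\", cert-manager will not issue a certificate")
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    if not tls_hosts:
        out.append(f"{name}: no spec.tls, traffic would be plain HTTP")
    for t in spec.get("tls", []):
        if not t.get("secretName"):
            out.append(f"{name}: tls entry without secretName, no place to store the certificate")
    for host in {r.get("host") for r in spec.get("rules", [])} - tls_hosts:
        out.append(f"{name}: rule host {host} has no matching TLS entry")
    # Plain HTTP must be either redirected (the web Ingress) or disabled outright (the dashboard).
    if ann.get("ingress.kubernetes.io/ssl-redirect") != "true" and ann.get(K8S + "ingress.allow-http") != "false":
        out.append(f"{name}: HTTP is neither redirected nor disabled")
    if require_auth and (ann.get(NGX + "auth-type") != "basic" or not ann.get(NGX + "auth-secret")):
        out.append(f"{name}: sensitive service exposed without basic auth")
    ports = {p.get("backend", {}).get("servicePort")
             for r in spec.get("rules", []) for p in r.get("http", {}).get("paths", [])}
    if 443 in ports and ann.get(NGX + "secure-backends") != "true":
        out.append(f"{name}: backend on port 443 but secure-backends is not \"true\"")
    return out


# Constructed sample: the page's dashboard Ingress with the three basic-auth annotations left out.
DASHBOARD_NO_AUTH = {
    "metadata": {"name": "dashboard", "namespace": "kube-system", "annotations": {
        K8S + "ingress.class": "nginx", K8S + "tls-acme": "true", K8S + "ingress.allow-http": "false",
        NGX + "secure-backends": "true", "certmanager.k8s.io/cluster-issuer": "letsencrypt"}},
    "spec": {"tls": [{"hosts": ["dashboard.example.com"], "secretName": "dashboard-ingress-tls"}],
             "rules": [{"host": "dashboard.example.com", "http": {"paths": [
                 {"path": "/", "backend": {"serviceName": "kubernetes-dashboard", "servicePort": 443}}]}}]},
}

if __name__ == "__main__":
    for finding in lint_ingress(DASHBOARD_NO_AUTH, require_auth=True):
        print(finding)  # -> dashboard: sensitive service exposed without basic auth
```

Run it against the manifests before `kubectl apply`, with `require_auth=True` for anything like the dashboard that must never be reachable anonymously.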