1. Self-signed certificates

1.1. Create the self-signed Issuer that signs the CA certificate

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: self-signed-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
---
# A ClusterIssuer is cluster-scoped, so it carries no metadata.namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed-cluster-issuer
spec:
  selfSigned: {}

1.2. Create the CA certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-ca
  namespace: cert-manager
spec:
  # The CA key pair is written to this Secret (tls.crt / tls.key). Anyone who can read
  # Secrets in the cert-manager namespace can mint certificates trusted by every client
  # that trusts this CA, so never reflect or copy this Secret into other namespaces.
  secretName: self-signed-ca
  duration: 876000h # 100 years: cert-manager will effectively never renew it, so replacing the root is a manual operation
  issuerRef:
    name: self-signed-issuer # the selfSigned Issuer from 1.1 (kind defaults to Issuer)
  commonName: "Self CA Certificate"
  isCA: true

1.3. Create the CA-backed certificate Issuer

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: self-issuer
  namespace: cert-manager
spec:
  ca:
    # Secret written by the self-signed-ca Certificate in 1.2. For a namespaced Issuer
    # it must live in the same namespace as the Issuer.
    secretName: self-signed-ca

1.4. Issue certificates

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-d7z-net
  namespace: cert-manager
spec:
  # These annotations are copied onto the issued Secret so that reflector mirrors it,
  # certificate and private key together, into the listed namespaces. Every principal
  # that can read Secrets in any of those namespaces then holds the key for *.d7z.net,
  # so keep the list to the namespaces that actually terminate TLS for these names.
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
  secretName: tls-pub-d7z
  duration: 8760h # 1 year
  issuerRef:
    name: self-issuer # the CA Issuer from 1.3
  # A leaf certificate gets its own subject. Clients match on dnsNames (SANs); reusing
  # the CA's subject "Self CA Certificate" on the leaf only confuses chain inspection.
  commonName: "d7z.net"
  dnsNames:
    - 'd7z.net'
    - '*.d7z.net' # general public hostnames
    - '*.pages.d7z.net' # GitLab Pages hostnames
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-internal-d7z-net
  namespace: cert-manager
spec:
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
  secretName: tls-pri-d7z
  duration: 8760h # 1 year
  issuerRef:
    name: self-issuer
  commonName: "internal.d7z.net"
  dnsNames:
    - 'internal.d7z.net'
    - '*.internal.d7z.net' # general internal hostnames