This tutorial shows how to use cert-manager in a Kubernetes cluster to obtain Let's Encrypt SSL certificates and wire them into an Istio gateway.
Prerequisites
- A Kubernetes cluster
- Istio
- The helm CLI
Install cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.8.0 --set installCRDs=true
Create the Issuer
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-cluster   # ClusterIssuer is cluster-scoped, so it takes no namespace
spec:
  acme:
    email: xxx@xxx.com # replace with your own address; Let's Encrypt sends expiry warnings here
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-cluster
    solvers:
    - http01:
        ingress:
          class: istio
EOF
Create the Certificate
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-cert
  namespace: istio-system
spec:
  secretName: my-domain-cert
  duration: 2160h
  renewBefore: 360h
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
  - server auth
  - client auth
  dnsNames:
  - "xxxxxx.com" # replace with your own domain
  issuerRef:
    name: letsencrypt-prod-cluster
    kind: ClusterIssuer
    group: cert-manager.io
EOF
Create the Istio Gateway
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-domain-cert
    hosts:
    - "xxxxxx.com" # replace with your own domain
EOF
Create the Istio VirtualService
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-virtualservice
spec:
  hosts:
  - "xxxxxx.com" # replace with your own domain
  gateways:
  - istio-system/my-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: my-service
        port:
          number: 8080
EOF
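The three objects above only work together when their names line up: the Certificate's secretName must equal the Gateway's credentialName, the secret must live in the namespace where the istio ingressgateway pod runs (Istio loads credentialName secrets only from there), and every Gateway and VirtualService host must be covered by the certificate's dnsNames. The following check is an added example, not part of the tutorial; it assumes the ingressgateway runs in istio-system and uses constructed copies of the manifests in the shape `kubectl get <kind> -n <ns> <name> -o json` returns.

```python
# Constructed copies of the tutorial's objects, trimmed to the fields the check uses.
CERT = {"kind": "Certificate",
        "metadata": {"name": "my-domain-cert", "namespace": "istio-system"},
        "spec": {"secretName": "my-domain-cert", "dnsNames": ["xxxxxx.com"],
                 "issuerRef": {"name": "letsencrypt-prod-cluster", "kind": "ClusterIssuer"}},
        "status": {"conditions": [{"type": "Ready", "status": "True"}]}}
GATEWAY = {"kind": "Gateway",
           "metadata": {"name": "my-gateway", "namespace": "istio-system"},
           "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                                 "tls": {"mode": "SIMPLE", "credentialName": "my-domain-cert"},
                                 "hosts": ["xxxxxx.com"]}]}}
VS = {"kind": "VirtualService",
      "metadata": {"name": "my-virtualservice", "namespace": "default"},
      "spec": {"hosts": ["xxxxxx.com"], "gateways": ["istio-system/my-gateway"]}}


def host_covered(host, dns_names):
    """True if a host (Gateway hosts may be written 'namespace/host') matches one of
    the certificate's dnsNames; a '*.' entry covers exactly one extra label."""
    bare = host.rsplit("/", 1)[-1]
    for name in dns_names:
        if name.startswith("*."):
            label, _, rest = bare.partition(".")
            if label and rest == name[2:]:
                return True
        elif bare == name:
            return True
    return False


def check_tls_wiring(cert, gateway, vs, ingress_ns="istio-system"):
    """Return a list of mismatches; empty means the three objects agree.
    ingress_ns is where the ingressgateway pod runs (assumed istio-system)."""
    problems = []
    cert_ns = cert["metadata"]["namespace"]
    if cert_ns != ingress_ns:
        problems.append(f"Certificate/secret is in {cert_ns}; the ingress gateway reads secrets from {ingress_ns}")
    ready = [c for c in cert.get("status", {}).get("conditions", []) if c["type"] == "Ready"]
    if not ready or ready[0]["status"] != "True":
        problems.append("Certificate is not Ready (inspect its Order/Challenge with kubectl describe)")
    secret, names = cert["spec"]["secretName"], cert["spec"]["dnsNames"]
    for server in gateway["spec"]["servers"]:
        if server["port"]["protocol"] != "HTTPS":
            continue
        cred = server.get("tls", {}).get("credentialName")
        if cred != secret:
            problems.append(f"Gateway credentialName {cred!r} != Certificate secretName {secret!r}")
        problems += [f"Gateway host {h!r} not in dnsNames {names}" for h in server["hosts"] if not host_covered(h, names)]
    gw_ref = f'{gateway["metadata"]["namespace"]}/{gateway["metadata"]["name"]}'
    if gw_ref not in vs["spec"]["gateways"]:
        problems.append(f"VirtualService does not bind to {gw_ref} (gateways: {vs['spec']['gateways']})")
    problems += [f"VirtualService host {h!r} not in dnsNames {names}" for h in vs["spec"]["hosts"] if not host_covered(h, names)]
    return problems


if __name__ == "__main__":
    print("\n".join(check_tls_wiring(CERT, GATEWAY, VS) or ["OK: Certificate, Gateway and VirtualService agree"]))
```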
That's it. You can now reach your service over HTTPS; best of all, the certificate is free and is renewed automatically, with no manual updates.