部署证书
定期证书申请 (仅供参考)
/root/.acme.sh/acme.sh --issue --force --dns dns_ali -d 'jansora.com' -d '*.jansora.com' -d '*.kubernetes.jansora.com' -d '*.fabric.jansora.com' -d '*.transfer.jansora.com'
# 拷贝到 master 节点
cp -r ~/.acme.sh/jansora.com_ecc/fullchain.cer /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.crt
cp -r ~/.acme.sh/jansora.com_ecc/jansora.com.key /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.key
rsync -avzr -e 'ssh' /etc/openresty/certs root@kubernetes.jansora.com:/etc/openresty/
## 刷新证书 (初次首建)
ssh -o StrictHostKeyChecking=no -p 22 kubernetes.jansora.com '
kubectl create secret tls wildcard.jansora.com \
--key /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.key \
--cert /etc/openresty/certs/lets-encrypt-jansora.com/jansora.com.crt \
--namespace default \
--dry-run=client -o yaml | kubectl apply -f -
'
配置参考
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
spec:
ingressClassName: nginx
tls:
- hosts:
- demo.kubernetes.jansora.com
secretName: wildcard.jansora.com
rules:
- host: demo.kubernetes.jansora.com
http:
paths:
- backend:
service:
name: demo-service
port:
number: 8080
pathType: Prefix
path: /