
Using cert-manager to automatically request and renew HTTPS certificates for Traefik

Posted on 2025-03-24 20:56 by Morya

Installing traefik and cert-manager: unable to pull images?

You can use something like docker run -d -P m.daocloud.io/docker.io/library/nginx to pull images through a mirror and speed up the download.
Also note that the args: section of the cert-manager YAML specifies --acme-http01-solver-image=acmesolver:v1.16.2; for that image,

repository: quay.io/jetstack/cert-manager-acmesolver must be replaced with an image address that is actually reachable from your cluster.

Traefik documentation link

Steps

  • Install cert-manager correctly
  • Install and configure Traefik correctly
    • Then the generated tls-secret can be referenced from an Ingress / IngressRoute / HTTPRoute.

Key points to watch

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: clusterissuer-letencrypt-to-ingress
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: xxx@dddd.com # do-not-use default email
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: clusterissuer-letsencrypt-secret
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik

Reference the ClusterIssuer from the Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: headers-demo01
  namespace: default
spec:
  secretName: tls-demo01        # <===  Name of secret where the generated certificate will be stored.
  dnsNames:
    - "demo01.mydomain.tv"
  issuerRef:
    name: clusterissuer-letencrypt-to-ingress
    kind: ClusterIssuer

Then tls-demo01 can be used in the IngressRoute (the secret name must match the Certificate's secretName, and the IngressRoute must live in the same namespace as the secret).

apiVersion: traefik.io/v1alpha1  # supported from traefik v3
kind: IngressRoute
metadata:
  name: demo01.mydomain.tv
  namespace: default
spec:
  entryPoints:
    - websecure
    # - web
  tls:
    secretName: tls-demo01   # must match spec.secretName of the Certificate above
  routes:
    - kind: Rule
      match: Host(`demo01.mydomain.tv`)
      services:
        - kind: Service
          name: some-service
          passHostHeader: true
          port: 80

  • The issuer must be configured correctly (do not use acme-staging); otherwise Traefik will not load this tls-secret.
  • Use the right namespace; otherwise the secret reference will fail.
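The two points above, together with the secretName that the IngressRoute must share with the Certificate, can be checked mechanically. The following is an added example written for this page; it is not code from the post, from cert-manager or from Traefik. It takes Kubernetes objects as plain dicts in the shape returned by kubectl get ... -o json, and the sample objects, the Host() regular expression, the finding messages and the example-staging-issuer / demo01-wrong-secret names are constructed here (the sample deliberately reproduces a tls-demo06 reference where the Certificate writes tls-demo01).

```python
"""Consistency checks for a cert-manager + Traefik TLS setup (added example).

Flags the mistakes the post warns about:
  * ClusterIssuer uses the Let's Encrypt staging ACME endpoint
  * Certificate.issuerRef names a ClusterIssuer that does not exist
  * IngressRoute.tls.secretName is not produced by a Certificate in the same namespace
  * a Host() in the route is not covered by that Certificate's dnsNames
"""
import re

# Let's Encrypt ACME endpoints; the post warns against issuing from staging.
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Matches Host(`example.com`) inside a Traefik rule expression (assumed format).
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def hosts_in_rule(match_expr):
    """Return every hostname named by a Host() matcher in a Traefik rule."""
    return HOST_RE.findall(match_expr)


def host_covered(host, dns_names):
    """True if host is listed in dnsNames or matched by a single-label wildcard entry."""
    for name in dns_names:
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) \
                and host.count(".") == name.count("."):
            return True
    return False


def check_objects(objects):
    """Run the checks over ClusterIssuer / Certificate / IngressRoute dicts.

    Returns a list of human-readable findings; an empty list means consistent.
    """
    findings = []
    issuers = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterIssuer"}
    certs = [o for o in objects if o["kind"] == "Certificate"]
    routes = [o for o in objects if o["kind"] == "IngressRoute"]

    # 1. The issuer must point at a production ACME server, not staging.
    for name, issuer in issuers.items():
        server = issuer["spec"].get("acme", {}).get("server", "")
        if server == LE_STAGING or "staging" in server:
            findings.append(f"ClusterIssuer/{name}: ACME server is a staging endpoint ({server}); "
                            f"the post reports Traefik will not load the resulting secret")

    # 2. Each Certificate must reference an existing issuer; index its secret per namespace.
    secrets = {}  # (namespace, secretName) -> Certificate object
    for cert in certs:
        ns = cert["metadata"].get("namespace", "default")
        ref = cert["spec"]["issuerRef"]
        if ref.get("kind", "Issuer") == "ClusterIssuer" and ref["name"] not in issuers:
            findings.append(f"Certificate/{ns}/{cert['metadata']['name']}: issuerRef "
                            f"{ref['name']} does not match any ClusterIssuer")
        secrets[(ns, cert["spec"]["secretName"])] = cert

    # 3. The route's secret must come from a Certificate in the same namespace, and every
    #    Host() it matches must be covered by that certificate's dnsNames.
    for route in routes:
        ns = route["metadata"].get("namespace", "default")
        rname = route["metadata"]["name"]
        secret = route["spec"].get("tls", {}).get("secretName")
        if secret is None:
            continue  # Traefik falls back to its default certificate; nothing to cross-check
        cert = secrets.get((ns, secret))
        if cert is None:
            elsewhere = [n for (n, s) in secrets if s == secret]
            hint = f" (a Certificate writes that secret in namespace {elsewhere[0]})" if elsewhere else ""
            findings.append(f"IngressRoute/{ns}/{rname}: tls.secretName {secret} is not produced "
                            f"by any Certificate in namespace {ns}{hint}")
            continue
        for rule in route["spec"].get("routes", []):
            for host in hosts_in_rule(rule.get("match", "")):
                if not host_covered(host, cert["spec"].get("dnsNames", [])):
                    findings.append(f"IngressRoute/{ns}/{rname}: Host {host} is not in dnsNames "
                                    f"of Certificate/{cert['metadata']['name']}")
    return findings


def make_obj(kind, name, spec, namespace=None):
    """Build a minimal Kubernetes object dict (constructed helper for the sample data)."""
    metadata = {"name": name}
    if namespace is not None:
        metadata["namespace"] = namespace
    return {"kind": kind, "metadata": metadata, "spec": spec}


# Constructed sample mirroring the post's manifests, plus two deliberate mistakes.
SAMPLE_OBJECTS = [
    make_obj("ClusterIssuer", "clusterissuer-letencrypt-to-ingress",
             {"acme": {"server": LE_PRODUCTION}}),
    make_obj("ClusterIssuer", "example-staging-issuer",      # constructed: staging endpoint
             {"acme": {"server": LE_STAGING}}),
    make_obj("Certificate", "headers-demo01",
             {"secretName": "tls-demo01", "dnsNames": ["demo01.mydomain.tv"],
              "issuerRef": {"name": "clusterissuer-letencrypt-to-ingress", "kind": "ClusterIssuer"}},
             namespace="default"),
    make_obj("IngressRoute", "demo01-ok",
             {"tls": {"secretName": "tls-demo01"},
              "routes": [{"kind": "Rule", "match": "Host(`demo01.mydomain.tv`)"}]},
             namespace="default"),
    make_obj("IngressRoute", "demo01-wrong-secret",          # constructed: secret name mismatch
             {"tls": {"secretName": "tls-demo06"},
              "routes": [{"kind": "Rule", "match": "Host(`demo01.mydomain.tv`)"}]},
             namespace="default"),
]

if __name__ == "__main__":
    import json
    import sys
    # Pipe `kubectl get clusterissuer,certificate,ingressroute -A -o json` in, or run the sample.
    objs = SAMPLE_OBJECTS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for finding in check_objects(objs) or ["no findings"]:
        print(finding)
```

Run against a live cluster with kubectl get clusterissuer,certificate,ingressroute -A -o json | python3 check_tls.py; with no input it runs on the constructed sample and reports the staging issuer and the tls-demo06 mismatch. Missing secrets and wrong namespaces are exactly the cases where Traefik silently serves its default certificate instead of the one you requested, so a check like this belongs in the same CI step that applies the manifests.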

Troubleshooting when issuance fails

A few very useful commands:

kubectl get certificate
NAME             READY   SECRET       AGE
headers-demo06   True    tls-demo06   11m

kubectl describe certificate headers-demo06

Output:

  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    11m   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  11m   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "headers-demo06-dqxth"
  Normal  Requested  11m   cert-manager-certificates-request-manager  Created new CertificateRequest resource "headers-demo06-1"
  Normal  Issuing    11m   cert-manager-certificates-issuing          The certificate has been successfully issued