An example of provisioning a certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com           # the name of the Certificate; use it to check issuance status
  namespace: default
spec:
  secretName: example-com-tls # the Secret cert-manager writes the private key and certificate into
  issuerRef:
    kind: ClusterIssuer       # the certificate "issuer"; see below
    name: letsencrypt
  commonName: example.com     # the main certificate domain
  dnsNames:                   # additional domains (at least one DNS name or IP address is required)
```

Here:
Read more in the cert-manager documentation.
Issuing a DNS wildcard certificate using Cloudflare

As a result, you get the key for interacting with the Cloudflare API and the email address the account is registered to.
```yaml
settings:
  cloudflareGlobalAPIKey: APIkey
  cloudflareEmail: some@mail.somedomain
```

or

```yaml
settings:
  cloudflareAPIToken: some-token
  cloudflareEmail: some@mail.somedomain
```

Prefer `cloudflareAPIToken` where you can: a Cloudflare API token can be restricted to DNS editing on the zones cert-manager validates, whereas the Global API Key grants full access to the whole account.

After that, Deckhouse will automatically create a ClusterIssuer and a Secret for Cloudflare in the namespace of the cert-manager module.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain-wildcard
  namespace: app-namespace
spec:
  secretName: tls-wildcard
  issuerRef:
    name: cloudflare
    kind: ClusterIssuer
  commonName: "*.domain.com"
  dnsNames:
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain-wildcard
  namespace: app-namespace
spec:
  ingressClassName: nginx
  rules:
```
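The Certificate manifests on this page and the Ingress that reuses the wildcard Secret leave two things implicit: which ClusterIssuer can actually issue a wildcard name, and which hosts a `*.domain.com` certificate covers. The script below is an added example (it is not code from Deckhouse or cert-manager) that checks both before a manifest is applied. It assumes, which the page does not state, that the `letsencrypt` ClusterIssuer solves ACME challenges with HTTP-01 while `cloudflare`, `route53` and `clouddns` use DNS-01; the sample manifests are constructed inline in the JSON shape `kubectl get ... -o json` prints.

```python
"""Checks for cert-manager Certificate manifests and for Ingress hosts that
reuse a wildcard TLS Secret.

Added example for this page, not code from Deckhouse or cert-manager.
Assumptions the page does not state: the `letsencrypt` ClusterIssuer solves
ACME challenges with HTTP-01; `cloudflare`, `route53` and `clouddns` solve
them with DNS-01; `selfsigned` is not an ACME issuer at all.
"""
from __future__ import annotations

import json

# ACME challenge type per ClusterIssuer name used on this page (assumption).
HTTP01_ISSUERS = {"letsencrypt"}
DNS01_ISSUERS = {"cloudflare", "route53", "clouddns"}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard stands for exactly one left-most label.

    "*.domain.com" covers "api.domain.com" but not "domain.com" (the apex)
    and not "a.b.domain.com" (two labels in place of the wildcard).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".domain.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]              # the part that replaces "*"
    return label != "" and "." not in label


def check_certificate(cert: dict) -> list[str]:
    """Return the problems found in a cert-manager Certificate; empty means OK."""
    problems: list[str] = []
    spec = cert.get("spec", {})
    issuer = spec.get("issuerRef", {})
    cn = spec.get("commonName")
    dns_names = list(spec.get("dnsNames") or [])
    ips = list(spec.get("ipAddresses") or [])

    if not spec.get("secretName"):
        problems.append("spec.secretName is missing")
    if issuer.get("kind") not in ("ClusterIssuer", "Issuer") or not issuer.get("name"):
        problems.append("spec.issuerRef needs kind ClusterIssuer or Issuer and a name")
    if not dns_names and not ips:
        problems.append("at least one DNS name or IP address is required")
    if cn and len(cn) > 64:
        # X.509 limits the CN attribute to 64 characters; a longer value
        # yields a CSR the CA rejects.
        problems.append("commonName is longer than 64 characters")

    requested = dns_names + ([cn] if cn else [])
    if any(n.startswith("*.") for n in requested) and issuer.get("name") in HTTP01_ISSUERS:
        # Let's Encrypt issues wildcard names only after a DNS-01 challenge.
        problems.append("wildcard names need a DNS-01 ClusterIssuer "
                        "(cloudflare, route53 or clouddns), not letsencrypt")
    return problems


def check_ingress_hosts(ingress: dict, cert: dict) -> dict[str, bool]:
    """Map every Ingress host to whether the Certificate's names cover it."""
    spec = cert.get("spec", {})
    names = list(spec.get("dnsNames") or [])
    if spec.get("commonName"):
        names.append(spec["commonName"])
    hosts = [r["host"] for r in ingress.get("spec", {}).get("rules", []) if "host" in r]
    return {h: any(name_matches(n, h) for n in names) for h in hosts}


# Constructed sample manifests, modelled on the wildcard example on this page.
WILDCARD_CERT = json.loads("""
{"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
 "metadata": {"name": "domain-wildcard", "namespace": "app-namespace"},
 "spec": {"secretName": "tls-wildcard",
          "issuerRef": {"name": "cloudflare", "kind": "ClusterIssuer"},
          "commonName": "*.domain.com", "dnsNames": ["*.domain.com"]}}
""")

# The same request sent to the HTTP-01 issuer, with the Secret name left out.
BAD_CERT = json.loads("""
{"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
 "metadata": {"name": "domain-wildcard", "namespace": "app-namespace"},
 "spec": {"issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"},
          "commonName": "*.domain.com", "dnsNames": ["*.domain.com"]}}
""")

# An Ingress whose hosts are only partly covered by "*.domain.com".
INGRESS = json.loads("""
{"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
 "metadata": {"name": "domain-wildcard", "namespace": "app-namespace"},
 "spec": {"ingressClassName": "nginx",
          "tls": [{"hosts": ["app.domain.com"], "secretName": "tls-wildcard"}],
          "rules": [{"host": "app.domain.com"}, {"host": "domain.com"},
                    {"host": "a.b.domain.com"}]}}
""")

if __name__ == "__main__":
    print("wildcard cert:", check_certificate(WILDCARD_CERT) or "OK")
    print("bad cert:", check_certificate(BAD_CERT))
    for host, covered in check_ingress_hosts(INGRESS, WILDCARD_CERT).items():
        print(f"{host}: {'covered' if covered else 'NOT covered by *.domain.com'}")
```

The host check is the part people trip over: a `*.domain.com` certificate does not cover the apex `domain.com`, so an Ingress rule for the bare domain needs its own name in `dnsNames` (a DNS-01 issuer can put `domain.com` and `*.domain.com` in one Certificate).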
Issuing a DNS wildcard certificate using Route53
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```
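The policy above lets the access key rewrite records in every hosted zone of the account. For DNS-01 validation cert-manager only needs to create and delete `_acme-challenge` TXT records in the zones it validates, so the `ChangeResourceRecordSets` statement can be pinned down. The following tightened policy is an added example (not from this page or from cert-manager's own documentation): the hosted zone ID `Z0123456789ABCDEFGHIJ` is a placeholder for your zone, and the Route 53 condition keys `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` limit the change to TXT records whose name starts with `_acme-challenge.`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/Z0123456789ABCDEFGHIJ",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        },
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```

With `ForAllValues`, a change batch that touches any non-TXT record, or any name outside `_acme-challenge.`, is denied as a whole, which is the behaviour you want from a key that lives inside the cluster. `ListHostedZonesByName` is a list operation and stays on `*`.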
```yaml
settings:
  route53AccessKeyID: AKIABROTAITAJMPASA4A
  route53SecretAccessKey: RCUasBv4xW8Gt53MX/XuiSfrBROYaDjeFsP4rM3/
```

The values shown are sample values; use the access key pair of a dedicated IAM user that carries only the policy above.

After that, Deckhouse will automatically create a ClusterIssuer and a Secret for Route53 in the namespace of the cert-manager module.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain-wildcard
  namespace: app-namespace
spec:
  secretName: tls-wildcard
  issuerRef:
    name: route53
    kind: ClusterIssuer
  commonName: "*.domain.com"
  dnsNames:
```
Issuing a DNS wildcard certificate using Google
```shell
base64 project-209317-556c656b81c4.json
```

GNU `base64` wraps its output at 76 columns; pass `-w0` (`base64 -w0 project-209317-556c656b81c4.json`) to get the single-line value the module settings expect.
After that, Deckhouse will automatically create a ClusterIssuer and a Secret for cloudDNS in the namespace of the cert-manager module.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain-wildcard
  namespace: app-namespace
spec:
  secretName: tls-wildcard
  issuerRef:
    name: clouddns
    kind: ClusterIssuer
  dnsNames:
```
Issuing a self-signed certificate

In this case, the process is even simpler than with Let's Encrypt. Simply replace the issuer name (`letsencrypt` in the first example) with `selfsigned`:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com           # the name of the Certificate; use it to check issuance status
  namespace: default
spec:
  secretName: example-com-tls # the Secret cert-manager writes the private key and certificate into
  issuerRef:
    kind: ClusterIssuer       # the certificate "issuer"; see below
    name: selfsigned
  commonName: example.com     # the main certificate domain
  dnsNames:                   # additional certificate domains (optional)
```

Clients do not trust a self-signed certificate unless they are explicitly configured to, so use this issuer for testing or for traffic between components whose trust store you control.