Difference between revisions of "Kubernetes Letsencrypt"
Jump to navigation
Jump to search
(Created page with "- https://github.com/jetstack/cert-manager - https://cert-manager.io/docs/ - https://cert-manager.io/docs/installation/kubernetes/") |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | - https://cert-manager.io/docs/tutorials/acme/ingress/ | ||
| + | |||
| + | https://projectcontour.io/guides/cert-manager/ | ||
| + | |||
| + | https://projectcontour.io/guides/cert-manager/ | ||
| + | - https://banzaicloud.com/blog/cert-management-on-kubernetes/ | ||
| + | |||
- https://github.com/jetstack/cert-manager | - https://github.com/jetstack/cert-manager | ||
- https://cert-manager.io/docs/ | - https://cert-manager.io/docs/ | ||
- https://cert-manager.io/docs/installation/kubernetes/ | - https://cert-manager.io/docs/installation/kubernetes/ | ||
| + | |||
| + | https://kubernetes.github.io/ingress-nginx/deploy/#digital-ocean | ||
| + | |||
| + | https://www.olivercoding.com/2021-01-07-kubernetes-dns-certificate/ | ||
| + | |||
| + | create service | ||
| + | ``` | ||
| + | kubectl apply -f https://k8s.io/examples/service/networking/example-ingress.yaml | ||
| + | ``` | ||
| + | |||
| + | Create self signed cert store in secrets | ||
| + | ``` | ||
| + | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com" | ||
| + | kubectl create secret tls test-tls --key="tls.key" --cert="tls.crt" | ||
| + | ``` | ||
| + | |||
| + | ``` | ||
| + | apiVersion: networking.k8s.io/v1 | ||
| + | kind: Ingress | ||
| + | metadata: | ||
| + | name: example-ingresstls | ||
| + | annotations: | ||
| + | nginx.ingress.kubernetes.io/rewrite-target: /$1 | ||
| + | spec: | ||
| + | tls: | ||
| + | - hosts: | ||
| + | - tls.uvoo.io | ||
| + | secretName: test-tls | ||
| + | rules: | ||
| + | - host: tls.uvoo.io | ||
| + | http: | ||
| + | paths: | ||
| + | - path: / | ||
| + | pathType: Prefix | ||
| + | backend: | ||
| + | service: | ||
| + | name: web | ||
| + | port: | ||
| + | number: 8080 | ||
| + | ``` | ||
| + | |||
| + | Let's use letsencrypt | ||
| + | ``` | ||
| + | apiVersion: networking.k8s.io/v1 | ||
| + | kind: Ingress | ||
| + | metadata: | ||
| + | name: example-ingresstls2 | ||
| + | annotations: | ||
| + | nginx.ingress.kubernetes.io/rewrite-target: /$1 | ||
| + | cert-manager.io/cluster-issuer: "letsencrypt-prod" # use staging for self signed fake | ||
| + | spec: | ||
| + | tls: | ||
| + | - hosts: | ||
| + | - tls2.uvoo.io | ||
| + | secretName: tls2-tls | ||
| + | rules: | ||
| + | - host: tls2.uvoo.io | ||
| + | http: | ||
| + | paths: | ||
| + | - path: / | ||
| + | pathType: Prefix | ||
| + | backend: | ||
| + | service: | ||
| + | name: web | ||
| + | port: | ||
| + | number: 8080 | ||
| + | ``` | ||
| + | |||
| + | kubectl get certificate | ||
| + | kubectl describe certificate tls2-tls | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ``` | ||
| + | apiVersion: certmanager.k8s.io/v1alpha1 | ||
| + | kind: Certificate | ||
| + | metadata: | ||
| + | name: api-mydomain-de | ||
| + | namespace: istio-system | ||
| + | spec: | ||
| + | secretName: api-mydomain-de-tls | ||
| + | renewBefore: 360h # 15d | ||
| + | commonName: api.mydomain.de | ||
| + | dnsNames: | ||
| + | - api.mydomain.de | ||
| + | issuerRef: | ||
| + | name: letsencrypt-staging | ||
| + | kind: ClusterIssuer | ||
| + | And my 'Gateway' config: | ||
| + | |||
| + | apiVersion: networking.istio.io/v1alpha3 | ||
| + | kind: Gateway | ||
| + | metadata: | ||
| + | name: api-gateway-gw | ||
| + | namespace: istio-system | ||
| + | spec: | ||
| + | selector: | ||
| + | istio: ingressgateway | ||
| + | servers: | ||
| + | - port: | ||
| + | number: 80 | ||
| + | name: http | ||
| + | protocol: HTTP | ||
| + | tls: | ||
| + | httpsRedirect: true # sends 301 redirect for http requests | ||
| + | hosts: | ||
| + | - api.mydomain.de | ||
| + | - port: | ||
| + | number: 443 | ||
| + | name: https | ||
| + | protocol: HTTPS | ||
| + | tls: | ||
| + | mode: SIMPLE | ||
| + | serverCertificate: /etc/istio/ingressgateway-certs/tls.crt | ||
| + | privateKey: /etc/istio/ingressgateway-certs/tls.key | ||
| + | hosts: | ||
| + | - api.mydomain.de | ||
| + | ``` | ||
Latest revision as of 14:56, 14 February 2021
https://projectcontour.io/guides/cert-manager/
https://projectcontour.io/guides/cert-manager/ - https://banzaicloud.com/blog/cert-management-on-kubernetes/
- https://github.com/jetstack/cert-manager
- https://cert-manager.io/docs/
- https://cert-manager.io/docs/installation/kubernetes/
https://kubernetes.github.io/ingress-nginx/deploy/#digital-ocean
https://www.olivercoding.com/2021-01-07-kubernetes-dns-certificate/
create service
kubectl apply -f https://k8s.io/examples/service/networking/example-ingress.yaml
Create self signed cert store in secrets
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com" kubectl create secret tls test-tls --key="tls.key" --cert="tls.crt"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingresstls
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
tls:
- hosts:
- tls.uvoo.io
secretName: test-tls
rules:
- host: tls.uvoo.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 8080
Let's use letsencrypt
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingresstls2
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
cert-manager.io/cluster-issuer: "letsencrypt-prod" # use staging for self signed fake
spec:
tls:
- hosts:
- tls2.uvoo.io
secretName: tls2-tls
rules:
- host: tls2.uvoo.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 8080
kubectl get certificate kubectl describe certificate tls2-tls
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: api-mydomain-de
namespace: istio-system
spec:
secretName: api-mydomain-de-tls
renewBefore: 360h # 15d
commonName: api.mydomain.de
dnsNames:
- api.mydomain.de
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
And my 'Gateway' config:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: api-gateway-gw
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true # sends 301 redirect for http requests
hosts:
- api.mydomain.de
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- api.mydomain.de