Difference between revisions of "Microk8s Cert-manager"
Jump to navigation
Jump to search
(Created page with "https://www.reddit.com/r/kubernetes/comments/g3z5sp/microk8s_with_certmanager_and_letsecncrypt/ https://www.madalin.me/wpk8s/2021/050/microk8s-letsencrypt-cert-manager-https....") |
|||
| Line 1: | Line 1: | ||
https://www.reddit.com/r/kubernetes/comments/g3z5sp/microk8s_with_certmanager_and_letsecncrypt/ | https://www.reddit.com/r/kubernetes/comments/g3z5sp/microk8s_with_certmanager_and_letsecncrypt/ | ||
| + | ``` | ||
| + | Yes, I got it working today. | ||
| + | |||
| + | Prerequisites: your microk8s cluster MUST be accessible from Internet on port 80 and 443 via domains you need to get certificates for. If you're running microk8s on you home computer it means that you have to set up port forwarding on your home router and domains must resolve to its external IP address. | ||
| + | |||
| + | Enable required addons: ingress is required to perform http01 challenges | ||
| + | |||
| + | microk8s enable helm3 ingress | ||
| + | Install cert-manager and specify Let's Encrypt issuer (will be created later) as default for Ingress resources: | ||
| + | |||
| + | microk8s kubectl create namespace cert-manager | ||
| + | microk8s helm3 repo add jetstack https://charts.jetstack.io | ||
| + | microk8s helm3 repo update | ||
| + | microk8s helm3 install cert-manager jetstack/cert-manager \ | ||
| + | --namespace cert-manager --version v0.15.2 \ | ||
| + | --set installCRDs=true \ | ||
| + | --set ingressShim.defaultIssuerName=letsencrypt-production \ | ||
| + | --set ingressShim.defaultIssuerKind=ClusterIssuer \ | ||
| + | --set ingressShim.defaultIssuerGroup=cert-manager.io | ||
| + | Create production Let's Encrypt issuer (don't forget to change email to yours): | ||
| + | |||
| + | microk8s kubectl apply -f - <<YAML | ||
| + | apiVersion: cert-manager.io/v1alpha2 | ||
| + | kind: ClusterIssuer | ||
| + | metadata: | ||
| + | name: letsencrypt-production | ||
| + | spec: | ||
| + | acme: | ||
| + | email: CHANGE-ME@example.com | ||
| + | server: https://acme-v02.api.letsencrypt.org/directory | ||
| + | privateKeySecretRef: | ||
| + | name: letsencrypt-production-issuer-account-key | ||
| + | solvers: | ||
| + | - selector: {} | ||
| + | http01: | ||
| + | ingress: | ||
| + | class: nginx | ||
| + | YAML | ||
| + | AND THAT'S IT! | ||
| + | |||
| + | Now all you need is to specify kubernetes.io/tls-acme: "true" annotation and domain names in tls section of ingress. Like this: | ||
| + | |||
| + | --- | ||
| + | apiVersion: extensions/v1beta1 | ||
| + | kind: Ingress | ||
| + | metadata: | ||
| + | name: example-ingress | ||
| + | annotations: | ||
| + | kubernetes.io/tls-acme: "true" | ||
| + | spec: | ||
| + | tls: | ||
| + | - hosts: | ||
| + | - "example.com" | ||
| + | secretName: "example-com-tls-acme" | ||
| + | rules: | ||
| + | - host: "example.com" | ||
| + | http: | ||
| + | paths: | ||
| + | - path: / | ||
| + | backend: | ||
| + | serviceName: "example-com" | ||
| + | servicePort: 80 | ||
| + | cert-manager will automatically issue certificate and place it into secret named in Ingress. Tested today with microk8s 1.18.4 and cert-manager 0.15.2 | ||
| + | ``` | ||
https://www.madalin.me/wpk8s/2021/050/microk8s-letsencrypt-cert-manager-https.html | https://www.madalin.me/wpk8s/2021/050/microk8s-letsencrypt-cert-manager-https.html | ||
Revision as of 12:47, 23 August 2021
https://www.reddit.com/r/kubernetes/comments/g3z5sp/microk8s_with_certmanager_and_letsecncrypt/
Yes, I got it working today.
Prerequisites: your microk8s cluster MUST be accessible from Internet on port 80 and 443 via domains you need to get certificates for. If you're running microk8s on you home computer it means that you have to set up port forwarding on your home router and domains must resolve to its external IP address.
Enable required addons: ingress is required to perform http01 challenges
microk8s enable helm3 ingress
Install cert-manager and specify Let's Encrypt issuer (will be created later) as default for Ingress resources:
microk8s kubectl create namespace cert-manager
microk8s helm3 repo add jetstack https://charts.jetstack.io
microk8s helm3 repo update
microk8s helm3 install cert-manager jetstack/cert-manager \
--namespace cert-manager --version v0.15.2 \
--set installCRDs=true \
--set ingressShim.defaultIssuerName=letsencrypt-production \
--set ingressShim.defaultIssuerKind=ClusterIssuer \
--set ingressShim.defaultIssuerGroup=cert-manager.io
Create production Let's Encrypt issuer (don't forget to change email to yours):
microk8s kubectl apply -f - <<YAML
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
email: CHANGE-ME@example.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-production-issuer-account-key
solvers:
- selector: {}
http01:
ingress:
class: nginx
YAML
AND THAT'S IT!
Now all you need is to specify kubernetes.io/tls-acme: "true" annotation and domain names in tls section of ingress. Like this:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/tls-acme: "true"
spec:
tls:
- hosts:
- "example.com"
secretName: "example-com-tls-acme"
rules:
- host: "example.com"
http:
paths:
- path: /
backend:
serviceName: "example-com"
servicePort: 80
cert-manager will automatically issue certificate and place it into secret named in Ingress. Tested today with microk8s 1.18.4 and cert-manager 0.15.2
https://www.madalin.me/wpk8s/2021/050/microk8s-letsencrypt-cert-manager-https.html