Difference between revisions of "Kubernetes Letsencrypt"

From UVOO Tech Wiki
Related links:

https://cert-manager.io/docs/tutorials/acme/ingress/
https://banzaicloud.com/blog/cert-management-on-kubernetes/
https://github.com/jetstack/cert-manager
Revision as of 00:44, 14 February 2021

https://kubernetes.github.io/ingress-nginx/deploy/#digital-ocean

https://www.olivercoding.com/2021-01-07-kubernetes-dns-certificate/

Create the service:

kubectl apply -f https://k8s.io/examples/service/networking/example-ingress.yaml

Create a self-signed certificate for the ingress host and store it as a TLS secret. The CN and subjectAltName must match the host in the Ingress, otherwise clients reject the certificate even when they trust it (-addext needs OpenSSL 1.1.1 or newer):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=tls.uvoo.io" -addext "subjectAltName=DNS:tls.uvoo.io"
kubectl create secret tls test-tls --key="tls.key" --cert="tls.crt"

Ingress terminating TLS with the test-tls secret:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingresstls
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  tls:
  - hosts:
      - tls.uvoo.io
    secretName: test-tls
  rules:
    - host: tls.uvoo.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080

Now use Let's Encrypt instead. With cert-manager installed, the cert-manager.io/cluster-issuer annotation makes cert-manager's ingress-shim create a Certificate for the hosts in the tls block and write the issued chain and key into secretName; the rest of the Ingress stays the same:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingresstls2
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # use letsencrypt-staging while testing: its CA is untrusted, but it is not rate limited like prod
spec:
  tls:
  - hosts:
      - tls2.uvoo.io
    secretName: tls2-tls
  rules:
    - host: tls2.uvoo.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
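The Ingress above refers to a ClusterIssuer named letsencrypt-prod (and the comment to letsencrypt-staging) but the page never defines them. The following is an added example, not from the page or the cert-manager project, of the two ClusterIssuers a practitioner would create first. It assumes cert-manager 1.x (API group cert-manager.io) and ingress-nginx (ingress class nginx, as used by the Ingress annotations on this page); the contact address admin@example.com and the account-key secret names are placeholders.

```yaml
# Added example (not from the page): the two ClusterIssuers that the
# cert-manager.io/cluster-issuer annotation above refers to.
# Assumptions: cert-manager >= 1.0 is installed (API group cert-manager.io),
# the cluster runs ingress-nginx (ingress class "nginx"), and the contact
# address admin@example.com and the account-key secret names are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging CA: generous rate limits, but the issued chain is not publicly
    # trusted, so browsers warn. Use it until the Ingress and DNS are right.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder; expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: nginx   # challenge Ingress is served through ingress-nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production CA: publicly trusted, but limited to 5 duplicate certificates
    # per week for the same host set; switch here only after staging issues cleanly.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
```

Apply with kubectl apply -f, then kubectl get clusterissuer should show READY True for both. Because the ClusterIssuer is cluster-scoped, Ingresses in any namespace can reference it; the ACME account keys live in the cert-manager namespace. While a certificate is being issued, kubectl get challenge -A and kubectl describe certificate show where an HTTP-01 challenge is stuck (usually DNS not pointing at the ingress controller yet).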

Check issuance; ingress-shim names the Certificate after the secret:

kubectl get certificate
kubectl describe certificate tls2-tls

Istio variant: a cert-manager Certificate resource (written against the legacy certmanager.k8s.io API group; current cert-manager releases use cert-manager.io/v1) issued by a staging ClusterIssuer:

apiVersion: certmanager.k8s.io/v1alpha1 # legacy API group (pre cert-manager 0.11); now cert-manager.io/v1
kind: Certificate
metadata:
  name: api-mydomain-de
  namespace: istio-system
spec:
  secretName: api-mydomain-de-tls
  renewBefore: 360h # 15d
  commonName: api.mydomain.de
  dnsNames:
  - api.mydomain.de
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

And my 'Gateway' config:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway-gw
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
    hosts:
    - api.mydomain.de
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - api.mydomain.de
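The Gateway above reads its certificate from files under /etc/istio/ingressgateway-certs, which means the secret has to be mounted into the gateway pod and a renewal needs a pod restart. The following is an added example, not from the page or the Istio or cert-manager projects, of the same certificate expressed in the current cert-manager.io/v1 API and consumed through credentialName (Istio's SDS path), so renewals are picked up live. It assumes cert-manager 1.x, Istio 1.5 or newer, a ClusterIssuer named letsencrypt-staging whose solver can complete challenges for api.mydomain.de in this cluster (DNS-01, or HTTP-01 with Istio configured as the controller for ingress class istio), and the ingress gateway running in istio-system.

```yaml
# Added example (not from the page): the Certificate as a current
# cert-manager.io/v1 resource, consumed by the Istio gateway via
# credentialName (SDS) instead of files mounted at
# /etc/istio/ingressgateway-certs. Assumptions: cert-manager >= 1.0, Istio
# with SDS (1.5+), a ClusterIssuer letsencrypt-staging whose solver can
# complete challenges for api.mydomain.de, and the gateway running in
# istio-system (credentialName secrets must live in the gateway's namespace).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-mydomain-de
  namespace: istio-system       # must be the ingress gateway's namespace
spec:
  secretName: api-mydomain-de-tls
  renewBefore: 360h             # 15 days before expiry; Let's Encrypt certs last 90 days
  commonName: api.mydomain.de
  dnsNames:
  - api.mydomain.de
  issuerRef:
    name: letsencrypt-staging   # swap to letsencrypt-prod once issuance works
    kind: ClusterIssuer
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway-gw
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true       # 301 every plain-HTTP request to https
    hosts:
    - api.mydomain.de
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # Secret written by cert-manager (keys tls.crt / tls.key). The gateway
      # reloads it on renewal; no volume mount or pod restart is needed.
      credentialName: api-mydomain-de-tls
    hosts:
    - api.mydomain.de
```

After applying, kubectl -n istio-system describe certificate api-mydomain-de should report Ready, and the secret api-mydomain-de-tls appears in istio-system; the gateway starts serving it without any change to the ingressgateway Deployment.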