Kubernetes Letsencrypt
- https://cert-manager.io/docs/tutorials/acme/ingress/
- https://github.com/jetstack/cert-manager
- https://cert-manager.io/docs/
- https://cert-manager.io/docs/installation/kubernetes/
https://kubernetes.github.io/ingress-nginx/deploy/#digital-ocean
https://www.olivercoding.com/2021-01-07-kubernetes-dns-certificate/
Create the example backend and Ingress from the upstream Kubernetes docs (review the remote manifest before applying it to a real cluster):
# Applies the upstream example manifest straight from the network; inspect it
# first (curl it into a file and read it) before running against a cluster you care about.
kubectl apply --filename=https://k8s.io/examples/service/networking/example-ingress.yaml
Create a self-signed certificate (testing only) and store it in a TLS Secret:
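# Self-signed certificate for local testing only. The CN and SAN must match the
# Ingress host used below (tls.uvoo.io); modern clients validate the SAN, not
# the CN, so both are set. `-addext` requires OpenSSL >= 1.1.1.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=tls.uvoo.io" \
  -addext "subjectAltName=DNS:tls.uvoo.io"
# `-nodes` leaves the private key unencrypted on disk; it is only needed to
# build the Secret, so delete tls.key once the Secret exists.
kubectl create secret tls test-tls --key=tls.key --cert=tls.crt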
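# TLS Ingress backed by the self-signed Secret created above.
# Note: the original carried `nginx.ingress.kubernetes.io/rewrite-target: /$1`,
# but with `path: /` there is no capture group, so `$1` is empty and every
# request was rewritten to `/`. A plain `/` prefix needs no rewrite at all.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingresstls
  # On clusters without a default IngressClass add `spec.ingressClassName`
  # (e.g. `nginx`) or the Ingress is never picked up by a controller.
spec:
  tls:
    - hosts:
        - tls.uvoo.io
      # Must contain a cert whose SAN covers the host above.
      secretName: test-tls
  rules:
    - host: tls.uvoo.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080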
Now switch to Let's Encrypt via cert-manager. The ClusterIssuer referenced below (`letsencrypt-prod`) is not defined on this page; create it first following the cert-manager ACME ingress tutorial linked above.
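# Same Ingress, but cert-manager (ingress-shim) issues the certificate from the
# referenced ClusterIssuer and writes it into `secretName`.
# The `rewrite-target: /$1` annotation from the original was dropped: with
# `path: /` there is no capture group, so it rewrote every request to `/`.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingresstls2
  annotations:
    # The ClusterIssuer must already exist. `letsencrypt-staging` issues
    # certificates from an untrusted CA; use it while testing so the
    # production rate limits are not consumed.
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - tls2.uvoo.io
      # cert-manager creates a Certificate with this name and fills the Secret;
      # it must not be a Secret you manage by hand.
      secretName: tls2-tls
  rules:
    - host: tls2.uvoo.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080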
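# Verify that cert-manager picked up the Ingress annotation and issued the
# certificate. The Certificate object is named after the Ingress's secretName
# and lives in the Ingress's namespace (add `-n <namespace>` if not default).
kubectl get certificate
kubectl describe certificate tls2-tls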
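# Explicit Certificate for an Istio-fronted host. The original used
# `certmanager.k8s.io/v1alpha1`, the pre-0.11 API group that current
# cert-manager releases (the ones the linked docs describe, and the group the
# Ingress annotation above already uses) no longer serve; `cert-manager.io/v1`
# accepts the same fields.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-mydomain-de
  # The Secret is written into this namespace; it has to be the namespace the
  # Istio ingress gateway runs in so the Gateway below can read it.
  namespace: istio-system
spec:
  secretName: api-mydomain-de-tls
  renewBefore: 360h  # 15d; must stay below the issued cert lifetime (90d for Let's Encrypt)
  commonName: api.mydomain.de
  dnsNames:
    - api.mydomain.de
  issuerRef:
    # Staging CA is untrusted by browsers; switch to the production issuer
    # once the flow works.
    name: letsencrypt-staging
    kind: ClusterIssuer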
And the matching Istio `Gateway` config, which serves the certificate from the Secret the Certificate above writes:
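# Istio ingress Gateway terminating TLS for api.mydomain.de.
# The original pointed `serverCertificate`/`privateKey` at files under
# /etc/istio/ingressgateway-certs/, which only works when a Secret named
# `istio-ingressgateway-certs` is volume-mounted into the gateway pod; the
# Certificate above writes `api-mydomain-de-tls` instead, so nothing would be
# served. `credentialName` loads that Secret from the gateway's namespace via
# SDS (the default for current Istio installs), no mount needed.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway-gw
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true  # 301 every plain-HTTP request to HTTPS
      hosts:
        - api.mydomain.de
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # Must match the Certificate's secretName; the Secret must live in the
        # same namespace as the ingress gateway (istio-system here).
        credentialName: api-mydomain-de-tls
      hosts:
        - api.mydomain.de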