nginx-ingress + letsencrypt

Here I use Kubernetes plus an independent domain name of my own, running in an AWS environment. The IP of the EC2 host is 54.95.179.97.

cert-manager itself is installed in its own (cert-manager) namespace; all other resources (Deployment, Service, Ingress, Issuer, Certificate) are installed in the study namespace.

Note that the study namespace needs to be created in advance.

Install cert-manager

kubectl create namespace cattle-system
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.0.4

cert-manager provides two custom resource types for defining issuing authorities: Issuer and ClusterIssuer.
An Issuer can only issue certificates in its own namespace.
A ClusterIssuer can issue certificates in any namespace.

Create issuer
lizhedeMacBook-Pro:lz_study lizhe$ cat issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: marshal_li_b@163.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
  • metadata.name is the name of the issuing authority we created; it is referenced later when the certificate is created. A ClusterIssuer is cluster-scoped, so it takes no namespace.
  • spec.acme.email is your own email address. Let's Encrypt sends a reminder when the certificate is about to expire, but cert-manager automatically reissues the certificate for renewal using the ACME protocol.
  • spec.acme.server is the ACME server endpoint; here it is Let's Encrypt's production directory URL.
  • spec.acme.privateKeySecretRef names the Secret in which this issuing authority's ACME account private key is stored. The name itself is not important.
  • spec.acme.solvers.http01 instructs the issuing authority to prove ownership with the ACME http-01 challenge (DNS-01 can also be used; the purpose of the challenge is to prove that the machine and domain name belong to you before a certificate is issued). ingress.class: nginx makes cert-manager create its temporary challenge Ingress with the nginx ingress class, so the nginx ingress controller serves it. The apiVersion is cert-manager.io/v1 because the installed cert-manager v1.0.4 no longer serves the old certmanager.k8s.io/v1alpha1 group, where this was written as http01: {}.

Create certificate

lizhedeMacBook-Pro:lz_study lizhe$ cat cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: study-pactera-deg-com
  namespace: study
spec:
  secretName: best-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - www.bestofgit.com

  • spec.secretName is the Secret in which the issued certificate (tls.crt and tls.key) is finally stored.
  • spec.issuerRef.kind is ClusterIssuer, indicating that the issuing authority is not in this namespace but is cluster-wide.
  • spec.issuerRef.name is the name of the issuing authority we created (the ClusterIssuer's metadata.name).
  • spec.dnsNames lists the domain names the certificate can be used for.
  • In the cert-manager.io/v1 API the http-01 solver, including its ingress class, is configured on the issuer under spec.acme.solvers rather than on the Certificate (the old certmanager.k8s.io/v1alpha1 API put it here as spec.acme.config.http01.ingressClass and repeated the domains under spec.acme.config.http01.domains). When cert-manager validates the domain and machine with http-01 it creates a temporary Ingress for the challenge path; because the solver specifies class nginx, the kubernetes.io/ingress.class: nginx annotation is added to that Ingress, so it is processed by the nginx ingress controller.

Then deploy nginx as the backend service.

nginx.yaml (deployment)

lizhedeMacBook-Pro:lz_study lizhe$ cat nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: study
spec:
  replicas: 2 # tells deployment to run 2 pods matching the template
  selector: # apps/v1 requires an explicit selector; it must match the pod template labels
    matchLabels:
      app: nginx
  template: # create pods using pod definition in this template
    metadata:
      # unlike pod-nginx.yaml, the name is not included in the meta data as a unique name is
      # generated from the deployment name
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

svc.yaml

lizhedeMacBook-Pro:lz_study lizhe$ cat svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: study
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: nginx

ingress.yaml

lizhedeMacBook-Pro:lz_study lizhe$ cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-nginx-ingress
  namespace: study
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  rules:
  - host: www.bestofgit.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
  tls:
  - hosts:
    - www.bestofgit.com
    secretName: best-tls

The annotation is cert-manager.io/cluster-issuer because letsencrypt-prod is a ClusterIssuer; cert-manager.io/issuer would look for a namespaced Issuer of that name inside study and fail. The old certmanager.k8s.io/issuer and certmanager.k8s.io/acme-challenge-type annotations belong to the pre-v0.11 API and are ignored by cert-manager v1.0.4 (the challenge type now comes from the issuer's solver). Note that this annotation makes cert-manager's ingress-shim create its own Certificate named best-tls for the same Secret that cert.yaml manages; keep either the explicit Certificate or the annotation, not both, so that only one object owns the Secret.
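The ClusterIssuer, Certificate and Ingress above only work together when their names, kinds, secret names, hosts and ingress classes agree. This added check (my own example, not part of the original post or of cert-manager) runs those consistency rules before kubectl apply; the three manifests are constructed inline as dicts with the page's values, so it needs no cluster.

```python
# Added example (not from the original post): consistency check for the ClusterIssuer / Certificate / Ingress wiring above.

CLUSTER_ISSUER_ANN = "cert-manager.io/cluster-issuer"
ISSUER_ANN = "cert-manager.io/issuer"
INGRESS_CLASS_ANN = "kubernetes.io/ingress.class"
OLD_API_PREFIX = "certmanager.k8s.io/"  # pre-v0.11 API group, not served by cert-manager v1.x

ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
          "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}}
CERT = {"kind": "Certificate", "metadata": {"name": "study-pactera-deg-com", "namespace": "study"},
        "spec": {"secretName": "best-tls", "dnsNames": ["www.bestofgit.com"],
                 "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}}
INGRESS = {"kind": "Ingress",
           "metadata": {"name": "hello-nginx-ingress", "namespace": "study",
                        "annotations": {INGRESS_CLASS_ANN: "nginx", CLUSTER_ISSUER_ANN: "letsencrypt-prod"}},
           "spec": {"tls": [{"hosts": ["www.bestofgit.com"], "secretName": "best-tls"}]}}

def check_wiring(issuer, cert, ingress):
    """Return a list of problems; an empty list means the three objects agree."""
    problems = []
    ref = cert["spec"]["issuerRef"]
    if (ref["name"], ref["kind"]) != (issuer["metadata"]["name"], issuer["kind"]):
        problems.append("certificate issuerRef does not match the issuer")
    ann = ingress["metadata"].get("annotations", {})
    for key in ann:
        if key.startswith(OLD_API_PREFIX):
            problems.append(f"annotation {key} uses the removed certmanager.k8s.io API")
    # A ClusterIssuer needs the cluster-issuer annotation; cert-manager.io/issuer would
    # look for a namespaced Issuer of that name in the ingress namespace and fail.
    wanted = CLUSTER_ISSUER_ANN if issuer["kind"] == "ClusterIssuer" else ISSUER_ANN
    wrong = ISSUER_ANN if wanted == CLUSTER_ISSUER_ANN else CLUSTER_ISSUER_ANN
    if wrong in ann:
        problems.append(f"ingress uses {wrong} but the issuer kind is {issuer['kind']}")
    if wanted in ann and ann[wanted] != issuer["metadata"]["name"]:
        problems.append(f"ingress {wanted} does not name {issuer['metadata']['name']}")
    # The tls block must name the Secret the Certificate writes, and every TLS host
    # must be covered by dnsNames, or clients get a certificate for the wrong name.
    cert_hosts = set(cert["spec"]["dnsNames"])
    for tls in ingress["spec"].get("tls", []):
        if tls["secretName"] != cert["spec"]["secretName"]:
            problems.append(f"ingress tls secret {tls['secretName']} is not the certificate's secret")
        missing = set(tls["hosts"]) - cert_hosts
        if missing:
            problems.append(f"tls hosts not in certificate dnsNames: {sorted(missing)}")
    # The http-01 solver's ingress class must be one the same nginx controller handles.
    solver_classes = {s["http01"].get("ingress", {}).get("class")
                      for s in issuer["spec"]["acme"].get("solvers", []) if "http01" in s}
    if INGRESS_CLASS_ANN in ann and solver_classes and ann[INGRESS_CLASS_ANN] not in solver_classes:
        problems.append("http01 solver ingress class differs from the ingress class annotation")
    return problems
```

Feeding it the page's original annotations (certmanager.k8s.io/issuer and certmanager.k8s.io/acme-challenge-type) reports both as belonging to the removed API group.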