How to set up Let's Encrypt on Kubernetes on Azure?
I am learning Kubernetes and trying to set up Let's Encrypt for my web app.
I have bought a domain from Amazon Route 53. Let's just call it example.com.
Then I go and create a cluster in Azure and install all the applications that are needed:
```shell
choco install kubernetes-helm
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
```
deployment.yml file:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp1-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp1
  template:
    metadata:
      name: myapp1-pod
      labels: # Dictionary
        app: myapp1
    spec:
      containers: # List
        - name: myapp1-container
          image: stacksimplify/kubenginx:1.0.0
          ports:
            - containerPort: 80
```
service.yml:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp1-loadbalancer
  labels:
    app: myapp1
spec:
  selector:
    app: myapp1
  ports:
    - port: 80
      targetPort: 80
```
ingress.yml:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress-demo
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: cluster-issuer-name
    cert-manager.io/acme-challenge-type: http01
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp1-loadbalancer
                port:
                  number: 80
  tls:
    - hosts:
        - example.com
      secretName: secret-name
```
In the Azure portal, look for the public IP that is associated with the cluster that you created at the beginning. By default, when a k8s cluster is created, Azure will create one public IP associated with this cluster. Look for it, go to the front end configuration, and take note of the IP.
Run the command below, replacing the IP with the one you have:
```shell
# Use Helm to deploy an NGINX ingress controller
# (the line continuations were missing in the original; without them helm only sees the first line).
# beta.kubernetes.io/os is a deprecated node label; current clusters use kubernetes.io/os.
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --set controller.replicaCount=2 \
  --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
  --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
  --set controller.service.externalTrafficPolicy=Local \
  --set controller.service.loadBalancerIP="YOUR IP"
```
9. If done correctly, you should have a load balancer service running now. Verify it with Kubernetes: `kubectl get svc`. Take note of this IP address for the load balancer.
Go to the Amazon Route 53 dashboard and add a record with the IP address from step 9 for the domain name that you have in ingress.yml.
Enjoy your work :)
Thank you
I have updated my question with steps on how to reproduce the result. Thanks SOF for the awesome support. Hopefully, if someone runs into this issue again, they will know how to configure it properly.
You are missing a few minor things which you might need to do; try updating once again.
The URL in the cluster issuer is not for prod, you are using staging; I would recommend using only the prod URL in any case instead of staging.
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: abc@abc.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
```
Use: https://acme-v02.api.letsencrypt.org/directory
Second:
You have not attached your secret to the ingress, which ideally will be storing your TLS cert.
How the process works is like this:
cert-manager gets the certificate and stores it inside the Kubernetes secret; in your case it will be the letsencrypt-staging you have mentioned in the ClusterIssuer.
This secret also should be attached to the ingress so that when anyone hits the endpoint, the ingress uses this cert for HTTPS traffic.
Full reference example:
```yaml
# cert-manager.io/v1alpha2 was removed in cert-manager 1.6; current releases only serve cert-manager.io/v1
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development # ClusterIssuer is cluster-scoped, so this field has no effect
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name # ACME account private key, kept in cert-manager's own namespace; not the issued certificate
    solvers:
      - http01:
          ingress:
            class: nginx-class-name
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; use networking.k8s.io/v1 as in the question
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
    - host: sub.example.com
      http:
        paths:
          - path: /api
            backend:
              serviceName: service-name
              servicePort: 80
  tls:
    - hosts:
        - sub.example.com
      secretName: secret-name # cert-manager writes the issued certificate and key into this secret
```
In the above example I have used the annotation in the ingress: `cert-manager.io/cluster-issuer: cluster-issuer-name`
It will trigger the ClusterIssuer to generate a cert whenever the ingress is created; once the cert is created it will be stored in a K8s secret. So to attach the SSL/TLS cert secret to the ingress I have added the TLS block at the end of the ingress YAML.
If you are applying my suggested changes you won't need to create this:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl-cert-staging
  namespace: default
spec:
  secretName: ssl-cert-staging
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - example.com
```
cert-manager will auto-create it for you; you can remove this too and just apply the above example snippet with the minor changes required for the name etc.
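The failure modes discussed above (staging ACME server, ingress without a `tls` block, issuer name or ingress class that does not match the solver) are all visible in `kubectl get clusterissuer,ingress -A -o json`. The checker below is an added example, not code from the question or the answer; it lints that JSON and embeds a constructed sample that reproduces the question's broken state (names, hosts and annotations are taken from the page; the staging/prod URLs are the real Let's Encrypt endpoints).

```python
import json, sys

STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"


def lint(items):
    """Return findings for a list of kubectl JSON objects (ClusterIssuer and Ingress)."""
    findings = []
    issuers = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterIssuer"}
    for name, ci in issuers.items():
        if ci["spec"].get("acme", {}).get("server") == STAGING:
            findings.append(f"ClusterIssuer/{name}: staging ACME server, browsers will not trust its certs")
    for ing in (i for i in items if i["kind"] == "Ingress"):
        name, spec = ing["metadata"]["name"], ing.get("spec", {})
        ann = ing["metadata"].get("annotations", {})
        issuer = ann.get("cert-manager.io/cluster-issuer")
        if issuer is None:
            findings.append(f"Ingress/{name}: no cert-manager.io/cluster-issuer annotation, nothing is issued")
        elif issuer not in issuers:
            findings.append(f"Ingress/{name}: ClusterIssuer {issuer!r} does not exist")
        tls = spec.get("tls") or []
        if not tls:
            findings.append(f"Ingress/{name}: no spec.tls block, so no certificate secret is attached")
        tls_hosts = {h for t in tls for h in t.get("hosts", [])}
        for rule in spec.get("rules", []):
            if rule.get("host") and rule["host"] not in tls_hosts:
                findings.append(f"Ingress/{name}: host {rule['host']} is routed but missing from spec.tls")
        if issuer in issuers:  # the HTTP-01 solver's ingress class must match this ingress's class
            solvers = issuers[issuer]["spec"].get("acme", {}).get("solvers", [])
            classes = {s.get("http01", {}).get("ingress", {}).get("class") for s in solvers} - {None}
            cls = ann.get("kubernetes.io/ingress.class") or spec.get("ingressClassName")
            if cls and classes and cls not in classes:
                findings.append(f"Ingress/{name}: class {cls!r} matches no solver class {sorted(classes)}")
    return findings


# Constructed sample: the staging issuer and an ingress without a tls block, as in the question.
SAMPLE = [
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-staging"},
     "spec": {"acme": {"server": STAGING, "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"kind": "Ingress",
     "metadata": {"name": "myapp-ingress-demo", "annotations": {
         "kubernetes.io/ingress.class": "nginx", "cert-manager.io/cluster-issuer": "letsencrypt-staging"}},
     "spec": {"rules": [{"host": "example.com"}]}},
]

if __name__ == "__main__":
    # Real use: kubectl get clusterissuer,ingress -A -o json | python lint_tls.py
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for finding in lint(items):
        print(finding)
```

An empty result means the issuer, ingress annotation, solver class and `tls` block are wired together the way the answer describes; it does not prove issuance succeeded, which `kubectl describe certificate` shows.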