diff --git a/README.md b/README.md
index 1ff32bc..dd2e8a5 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,3 @@
-# Snippets for k3s
-
* [Install k3s](#install-k3s)
* [Configure upstream DNS-resolver](#upstream-dns-resolver)
* [Namespaces and resource limits](#namespaces)
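Review bot: Removing `# Snippets for k3s` at the top of this hunk leaves the README with no title, so it now opens directly with the table of contents. Since the later hunks promote the section headings to `#`, nothing else identifies what the document is. Suggest keeping a title line above the list, or saying in the commit message where the title now lives.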
@@ -9,15 +7,16 @@
* [Persistent volumes](#pv)
* [Local provider](#pv-local)
* [Longhorn - distributed/lightweight provider](#pv-longhorn)
-* [Disable Traefik-ingress](#disable-traefik-ingress)
-* [Enable NGINX-ingress](#enable-nginx-ingress)
- * [Installation](#install-nginx-ingress)
- * [Change service type from NodePort to LoadBalancer](#nginx-ingress-loadbalancer)
- * [Enable nginx-ingress tcp- and udp-services for apps other than http/s](#nginx-ingress-tcp-udp-enabled)
- * [Enable client-IP transparency and expose TCP-port 9000](#enable-client-ip-transp-expose-tcp-9000)
- * [Deploy my-nginx-service](#deploy-my-nginx-service)
- * [Stick the nginx-ingress controler and my-nginx app together](#stick-nginx-ingress-and-tcp-service)
- * [Test exposed app on TCP-port 9000](#test-nginx-ingress-and-tcp-service)
+* [Ingress controller](#ingress-controller)
+ * [Disable Traefik-ingress](#disable-traefik-ingress)
+ * [Enable NGINX-ingress](#enable-nginx-ingress)
+ * [Installation](#install-nginx-ingress)
+ * [Change service type from NodePort to LoadBalancer](#nginx-ingress-loadbalancer)
+ * [Enable nginx-ingress tcp- and udp-services for apps other than http/s](#nginx-ingress-tcp-udp-enabled)
+ * [Enable client-IP transparency and expose TCP-port 9000](#enable-client-ip-transp-expose-tcp-9000)
+ * [Deploy my-nginx-service](#deploy-my-nginx-service)
+ * [Stick the nginx-ingress controler and my-nginx app together](#stick-nginx-ingress-and-tcp-service)
+ * [Test exposed app on TCP-port 9000](#test-nginx-ingress-and-tcp-service)
* [Cert-Manager (references ingress controller)](#cert-manager)
* [Installation](#cert-manager-install)
* [Let´s Encrypt issuer](#cert-manager-le-issuer)
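Review bot: The moved entry `Stick the nginx-ingress controler and my-nginx app together` still carries the "controler" typo. Since the line is rewritten here anyway, correct the link text to "controller"; the `#stick-nginx-ingress-and-tcp-service` anchor is unaffected. Also check the nesting of the added lines: as shown, `Installation` through `Test exposed app on TCP-port 9000` sit at the same indent as `Enable NGINX-ingress`, whereas in the removed lines they were one level below it.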
@@ -33,13 +32,13 @@
* [Rollback](#helm-rollback)
-## Install k3s
+# Install k3s
https://k3s.io/:
```
curl -sfL https://get.k3s.io | sh -
```
-# Configure upstream DNS-resolver
+# Upstream DNS-resolver
Docs: https://rancher.com/docs/rancher/v2.x/en/troubleshooting/dns/
Default: 8.8.8.8 => does not resolve local domains!
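Review bot: The heading is renamed to `# Upstream DNS-resolver`, but the table-of-contents entry in the first hunk still reads `[Configure upstream DNS-resolver](#upstream-dns-resolver)`. The anchor now matches the heading, but the label does not, so update the link text in the same commit. The change of `## Install k3s` to `# Install k3s` is consistent with the other top-level sections shown here.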
@@ -161,6 +160,7 @@ https://rancher.com/docs/k3s/latest/en/storage/
* Debian: `apt install open-iscsi`
* Install: https://rancher.com/docs/k3s/latest/en/storage/
+# Ingress controller
## Disable Traefik-ingress
edit /etc/systemd/system/k3s.service:
```
@@ -413,7 +413,7 @@ but they do not belong to a single namespace and can be referenced by Certificat
multiple different namespaces.
```
-lets-encrypt-cluster-issuers.yaml
+lets-encrypt-cluster-issuers.yaml:
```
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
@@ -454,8 +454,38 @@ spec:
ingress:
class: nginx
```
+`kubectl apply -f lets-encrypt-cluster-issuers.yaml`
+
+## Deploying a LE-certificate
+All you need is an `Ingress` resource of class `nginx` which references a ClusterIssuer (`letsencrypt-prod-issuer`) resource:
+```
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ namespace:
+ name: some-ingress-name
+ annotations:
+ # use the shared ingress-nginx
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod-issuer"
+spec:
+ tls:
+ - hosts:
+ - some-certificate.name.san
+ secretName: target-certificate-secret-name
+ rules:
+ - host: some-certificate.name.san
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: some-target-service
+ servicePort: some-target-service-port
+```
## Troubleshooting
+Docs: https://cert-manager.io/docs/faq/acme/
+
ClusterIssuer runs in default namespace:
```
kubectl get clusterissuer
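Review bot: The added Ingress example uses `apiVersion: networking.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, while the ClusterIssuer in the same file is already on `cert-manager.io/v1`. Suggest writing the example against `networking.k8s.io/v1`: add a `pathType` to the `/` path, replace `serviceName`/`servicePort` with `backend.service.name` and `backend.service.port`, and use `spec.ingressClassName: nginx` in place of the `kubernetes.io/ingress.class` annotation. Separately, `namespace:` is left empty where every other field has a placeholder value; give it one (for example `some-namespace`) so a copy-paste does not silently land in the current context's namespace. A blank line between the closing fence and `## Troubleshooting` would match the spacing added around the other new blocks in this hunk.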