deploying a le-certificate

2020-09-24 16:13:53 +02:00 · 2020-09-24 16:13:53 +02:00 · c6fbdee6e4
commit c6fbdee6e4
parent 3c6cfeed03
1 changed files with 44 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -1,5 +1,3 @@
-# Snippets for k3s
-
 * [Install k3s](#install-k3s)
 * [Configure upstream DNS-resolver](#upstream-dns-resolver)
 * [Namespaces and resource limits](#namespaces)
@ -9,8 +7,9 @@
 * [Persistent volumes](#pv)
  * [Local provider](#pv-local)
  * [Longhorn - distributed/lightweight provider](#pv-longhorn)
-* [Disable Traefik-ingress](#disable-traefik-ingress)
-* [Enable NGINX-ingress](#enable-nginx-ingress)
+* [Ingress controller](#ingress-controller)
+  * [Disable Traefik-ingress](#disable-traefik-ingress)
+  * [Enable NGINX-ingress](#enable-nginx-ingress)
    * [Installation](#install-nginx-ingress)
    * [Change service type from NodePort to LoadBalancer](#nginx-ingress-loadbalancer)
    * [Enable nginx-ingress tcp- and udp-services for apps other than http/s](#nginx-ingress-tcp-udp-enabled)
@ -33,13 +32,13 @@
  * [Rollback](#helm-rollback)


-## Install k3s <a name="install-k3s"></a>
+# Install k3s <a name="install-k3s"></a>
 https://k3s.io/:
 ```
 curl -sfL https://get.k3s.io | sh -
 ```

-# Configure upstream DNS-resolver <a name="upstream-dns-resolver"></a>
+# Upstream DNS-resolver <a name="upstream-dns-resolver"></a>
 Docs: https://rancher.com/docs/rancher/v2.x/en/troubleshooting/dns/

 Default: 8.8.8.8 => does not resolve local domains!
@ -161,6 +160,7 @@ https://rancher.com/docs/k3s/latest/en/storage/
  * Debian: `apt install open-iscsi`
 * Install: https://rancher.com/docs/k3s/latest/en/storage/

+# Ingress controller <a name="ingress-controller"></a>
 ## Disable Traefik-ingress <a name="disable-traefik-ingress"></a>
 edit /etc/systemd/system/k3s.service:
 ```
@ -413,7 +413,7 @@ but they do not belong to a single namespace and can be referenced by Certificat
 multiple different namespaces.
 ```

-lets-encrypt-cluster-issuers.yaml
+lets-encrypt-cluster-issuers.yaml:
 ```
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@ -454,8 +454,38 @@ spec:
        ingress:
          class: nginx
 ```
+`kubectl apply -f lets-encrypt-cluster-issuers.yaml`
+
+## Deploying a LE-certificate
+All you need is an `Ingress` resource of class `nginx` which references a ClusterIssuer (`letsencrypt-prod-issuer`) resource:
+```
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  namespace: <stage>
+  name: some-ingress-name
+  annotations:
+    # use the shared ingress-nginx
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod-issuer"
+spec:
+  tls:
+  - hosts:
+    - some-certificate.name.san
+    secretName: target-certificate-secret-name
+  rules:
+  - host: some-certificate.name.san
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: some-target-service
+          servicePort: some-target-service-port
+```

 ## Troubleshooting <a name="cert-manager-troubleshooting"></a>
+Docs: https://cert-manager.io/docs/faq/acme/
+
 ClusterIssuer runs in default namespace:
 ```
 kubectl get clusterissuer