deploying a le-certificate

README.md

@@ -1,5 +1,3 @@
-# Snippets for k3s
-
 * [Install k3s](#install-k3s)
 * [Configure upstream DNS-resolver](#upstream-dns-resolver)
 * [Namespaces and resource limits](#namespaces)
@@ -9,15 +7,16 @@
 * [Persistent volumes](#pv)
   * [Local provider](#pv-local)
   * [Longhorn - distributed/lightweight provider](#pv-longhorn)
-* [Disable Traefik-ingress](#disable-traefik-ingress)
-* [Enable NGINX-ingress](#enable-nginx-ingress)
-  * [Installation](#install-nginx-ingress)
-  * [Change service type from NodePort to LoadBalancer](#nginx-ingress-loadbalancer)
-  * [Enable nginx-ingress tcp- and udp-services for apps other than http/s](#nginx-ingress-tcp-udp-enabled)
-  * [Enable client-IP transparency and expose TCP-port 9000](#enable-client-ip-transp-expose-tcp-9000)
-  * [Deploy my-nginx-service](#deploy-my-nginx-service)
-  * [Stick the nginx-ingress controler and my-nginx app together](#stick-nginx-ingress-and-tcp-service)
-  * [Test exposed app on TCP-port 9000](#test-nginx-ingress-and-tcp-service)
+* [Ingress controller](#ingress-controller)
+  * [Disable Traefik-ingress](#disable-traefik-ingress)
+  * [Enable NGINX-ingress](#enable-nginx-ingress)
+    * [Installation](#install-nginx-ingress)
+    * [Change service type from NodePort to LoadBalancer](#nginx-ingress-loadbalancer)
+    * [Enable nginx-ingress tcp- and udp-services for apps other than http/s](#nginx-ingress-tcp-udp-enabled)
+    * [Enable client-IP transparency and expose TCP-port 9000](#enable-client-ip-transp-expose-tcp-9000)
+    * [Deploy my-nginx-service](#deploy-my-nginx-service)
+    * [Stick the nginx-ingress controler and my-nginx app together](#stick-nginx-ingress-and-tcp-service)
+    * [Test exposed app on TCP-port 9000](#test-nginx-ingress-and-tcp-service)
 * [Cert-Manager (references ingress controller)](#cert-manager)
   * [Installation](#cert-manager-install)
   * [Let´s Encrypt issuer](#cert-manager-le-issuer)
@@ -33,13 +32,13 @@
   * [Rollback](#helm-rollback)
 
 
-## Install k3s <a name="install-k3s"></a>
+# Install k3s <a name="install-k3s"></a>
 https://k3s.io/:
 ```
 curl -sfL https://get.k3s.io | sh -
 ```
 
-# Configure upstream DNS-resolver <a name="upstream-dns-resolver"></a>
+# Upstream DNS-resolver <a name="upstream-dns-resolver"></a>
 Docs: https://rancher.com/docs/rancher/v2.x/en/troubleshooting/dns/
 
 Default: 8.8.8.8 => does not resolve local domains!
@@ -161,6 +160,7 @@ https://rancher.com/docs/k3s/latest/en/storage/
   * Debian: `apt install open-iscsi`
 * Install: https://rancher.com/docs/k3s/latest/en/storage/
 
+# Ingress controller <a name="ingress-controller"></a>
 ## Disable Traefik-ingress <a name="disable-traefik-ingress"></a>
 edit /etc/systemd/system/k3s.service:
 ```
@@ -413,7 +413,7 @@ but they do not belong to a single namespace and can be referenced by Certificat
 multiple different namespaces.
 ```
 
-lets-encrypt-cluster-issuers.yaml
+lets-encrypt-cluster-issuers.yaml:
 ```
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -454,8 +454,38 @@ spec:
         ingress:
           class: nginx
 ```
+`kubectl apply -f lets-encrypt-cluster-issuers.yaml`
+
+## Deploying a LE-certificate
+All you need is an `Ingress` resource of class `nginx` which references a ClusterIssuer (`letsencrypt-prod-issuer`) resource:
+```
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  namespace: <stage>
+  name: some-ingress-name
+  annotations:
+    # use the shared ingress-nginx
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod-issuer"
+spec:
+  tls:
+  - hosts:
+    - some-certificate.name.san
+    secretName: target-certificate-secret-name
+  rules:
+  - host: some-certificate.name.san
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: some-target-service
+          servicePort: some-target-service-port
+```
 
 ## Troubleshooting <a name="cert-manager-troubleshooting"></a>
+Docs: https://cert-manager.io/docs/faq/acme/
+
 ClusterIssuer runs in default namespace:
 ```
 kubectl get clusterissuer