docs/doc/source/usertasks/kubernetes/letsencrypt-example.rst
Elaine Fonaro a1675f1ea2 Fix apiVersion in certificate example (r8, dsr8)
- Fixed apiVersion to "cert-manager.io/v1" from "cert-manager.io/v1alpha3"

Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
Change-Id: I1bb7b6484f190cc65b02479dcf9cf23805b43df5
2023-05-04 14:10:11 -03:00


External CA and Ingress Controller Example

This section describes how to configure an application to use an Ingress Controller to both expose its -based service and to use an External for signing certificates.

NOTE that alternatively an Internal could be used with an Ingress Controller -based solution as well.

This example requires that:

  • The LetsEncrypt in the public internet can send an http01 challenge to the of the 's floating IP Address.
  • The has access to the kuard demo application at gcr.io/kuar-demo/kuard-amd64:blue.
  • Ensure that your administrator has shared the local registry's public repository's credentials/secret with the namespace where you will create certificates. This allows you to use the registry.local:9001/public/cert-manager-acmesolver image. See Set up a Public Repository in Local Docker Registry <setting-up-a-public-repository>.
  • Ensure that your administrator has enabled use of the cert-manager apiGroups in your policies.
  • Ensure that your administrator has opened port 80 and 443 in GlobalNetworkPolicy.

  1. Create a LetsEncrypt Issuer in the default namespace by applying the following manifest file.

    # A namespaced Issuer (not a ClusterIssuer): the Ingress in step 2 refers to it
    # through the cert-manager.io/issuer annotation, which only resolves Issuers in
    # the Ingress's own namespace, and a ClusterIssuer ignores metadata.namespace.
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: letsencrypt-prod
      namespace: default
    spec:
      acme:
        # The ACME server URL
        server: https://acme-v02.api.letsencrypt.org/directory
        # Email address used for ACME registration
        email: dave.user@hotmail.com
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
          name: letsencrypt-prod
        # Enable the HTTP-01 challenge provider
        solvers:
        - http01:
            ingress:
              class: nginx
  2. Create a deployment of the kuard demo application (https://github.com/kubernetes-up-and-running/kuard) with an Ingress using cert-manager by applying the following manifest file:

    Where both starlingx.mycompany.com and kuard.starlingx.mycompany.com are that map to the Floating IP of .

    (You should substitute these for for the installation.)

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: kuard
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: kuard
      template:
        metadata:
          labels:
            app: kuard
        spec:
          containers:
          - name: kuard
            image: gcr.io/kuar-demo/kuard-amd64:blue
            imagePullPolicy: Always
            ports:
            - containerPort: 8080
              protocol: TCP
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: kuard
      labels:
        app: kuard
    spec:
      ports:
      - port: 80
        targetPort: 8080
        protocol: TCP
      selector:
        app: kuard
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        cert-manager.io/issuer: "letsencrypt-prod"
      name: kuard
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - kuard.starlingx.mycompany.com
        secretName: kuard-ingress-tls
      rules:
      - host: kuard.starlingx.mycompany.com
        http:
          paths:
          - backend:
              service:
                name: kuard
                port:
                  number: 80
            path: /
            pathType: Prefix

  3. Access the kuard demo from your browser to inspect and verify that the certificate is signed by LetsEncrypt. For this example, the URL would be https://kuard.starlingx.mycompany.com.
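The browser check in step 3 can also be scripted. The following is an added example, not part of the StarlingX document or of cert-manager: it fetches the leaf certificate the ingress serves, confirms the issuer organization is Let's Encrypt (and not its staging CA, which browsers do not trust), confirms the host is in the SAN list, and reports days until expiry. The host name, the `LE_ORG`/`LE_STAGING_ORG` constants and the `check_cert` helper are this example's own assumptions.

```python
import socket
import ssl
import time

# Assumed issuer organization names (not from the StarlingX page). Certificates
# from the Let's Encrypt staging directory carry the "(STAGING)" organization.
LE_ORG = "Let's Encrypt"
LE_STAGING_ORG = "(STAGING) Let's Encrypt"


def fetch_peer_cert(host, port=443):
    """Return the served leaf certificate in the dict form of getpeercert()."""
    ctx = ssl.create_default_context()  # verifies chain and hostname as a browser would
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() DN tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def host_matches(host, sans):
    """Exact SAN match, or a single-label wildcard such as *.starlingx.mycompany.com."""
    for san in sans:
        if san == host:
            return True
        if san.startswith("*.") and host.split(".", 1)[1:] == [san[2:]]:
            return True
    return False


def check_cert(cert, host, now_ts=None):
    """Summarize what step 3 asks you to verify for the certificate served for host."""
    now_ts = time.time() if now_ts is None else now_ts
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer_org": issuer_org,
        "signed_by_letsencrypt": issuer_org == LE_ORG,
        "staging_issuer": issuer_org == LE_STAGING_ORG,
        "host_in_san": host_matches(host, sans),
        "days_left": int((not_after_ts - now_ts) // 86400),
    }


if __name__ == "__main__":
    target = "kuard.starlingx.mycompany.com"  # substitute your own ingress host
    print(check_cert(fetch_peer_cert(target), target))
```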