d517f81756

Closes-bug: 1992375
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I03d34ffaa1666456ebad3ef53f4c9c7b18259884

140 lines, 4.4 KiB, ReStructuredText
.. nst1588348086813

.. _letsencrypt-example:

==========================================
External CA and Ingress Controller Example
==========================================

This section describes how to configure an application to use an Ingress
Controller both to expose its |TLS|-based service and to obtain its
certificates from an External |CA|.

Note that an Internal |CA| could alternatively be used with an Ingress
Controller-based solution as well.

.. rubric:: |prereq|

This example requires that:

.. _letsencrypt-example-ul-h3j-f2w-nlb:

-   The LetsEncrypt |CA| in the public internet can send an http01 challenge to
    the |FQDN| of the |prod|'s floating |OAM| IP Address.

-   The |prod| has access to the kuard demo application at `gcr.io/kuar-demo/kuard-amd64:blue <https://console.cloud.google.com/gcr/images/kuar-demo/GLOBAL/kuard-amd64@sha256:1ecc9fb2c871302fdb57a25e0c076311b7b352b0a9246d442940ca8fb4efe229/details?tag=blue>`__.

-   Your |prod| administrator has shared the local registry's public
    repository's credentials/secret with the namespace where you will create
    certificates. This allows you to use the
    :command:`registry.local:9001/public/cert-manager-acmesolver` image. See
    :ref:`Set up a Public Repository in Local Docker Registry
    <setting-up-a-public-repository>`.

-   Your |prod| administrator has enabled use of the cert-manager apiGroups in
    your |RBAC| policies.

-   Your |prod| administrator has opened ports 80 and 443 in
    GlobalNetworkPolicy.

.. rubric:: |proc|

#.  Create a LetsEncrypt Issuer in the default namespace by applying the
    following manifest file.

    .. code-block:: none

        apiVersion: cert-manager.io/v1alpha2
        kind: Issuer
        metadata:
          name: letsencrypt-prod
        spec:
          acme:
            # The ACME server URL
            server: https://acme-v02.api.letsencrypt.org/directory
            # Email address used for ACME registration
            email: dave.user@hotmail.com
            # Name of a secret used to store the ACME account private key
            privateKeySecretRef:
              name: letsencrypt-prod
            # Enable the HTTP-01 challenge provider
            solvers:
            - http01:
                ingress:
                  class: nginx

#.  Create a deployment of the kuard demo application
    \(`https://github.com/kubernetes-up-and-running/kuard
    <https://github.com/kubernetes-up-and-running/kuard>`__\) with an Ingress
    that uses cert-manager by applying the following manifest file.

    In this manifest, both ``starlingx.mycompany.com`` and
    ``kuard.starlingx.mycompany.com`` are |FQDNs| that map to the |OAM|
    Floating IP of |prod|. Substitute the |FQDNs| of your own |prod|
    installation for them.

    .. parsed-literal::

        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: kuard
        spec:
          replicas: 1
          selector:
            matchLabels:
              app: kuard
          template:
            metadata:
              labels:
                app: kuard
            spec:
              containers:
              - name: kuard
                image: gcr.io/kuar-demo/kuard-amd64:blue
                imagePullPolicy: Always
                ports:
                - containerPort: 8080
                  protocol: TCP
        ---
        apiVersion: v1
        kind: Service
        metadata:
          name: kuard
          labels:
            app: kuard
        spec:
          ports:
            - port: 80
              targetPort: 8080
              protocol: TCP
          selector:
            app: kuard
        ---
        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          annotations:
            kubernetes.io/ingress.class: nginx
            cert-manager.io/issuer: "letsencrypt-prod"
          name: kuard
        spec:
          tls:
          - hosts:
            - kuard.starlingx.mycompany.com
            secretName: kuard-ingress-tls
          rules:
            - host: kuard.starlingx.mycompany.com
              http:
                paths:
                  - backend:
                      serviceName: kuard
                      servicePort: 80
                    path: /

#.  Access the kuard demo from your browser to inspect and verify that the
    certificate is signed by the LetsEncrypt |CA|. For this example, the URL
    would be https://kuard.starlingx.mycompany.com.
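The last step checks the served certificate by eye in a browser. The following script is an added example, not part of the StarlingX documentation or of cert-manager, that performs the same verification non-interactively so it can be re-run after every renewal: it completes a TLS handshake with the Ingress Controller at the kuard |FQDN|, validates the chain against the system trust store, and then checks that the leaf certificate's issuer is Let's Encrypt, that it names the host, and that it is not close to expiry. The hostname ``kuard.starlingx.mycompany.com`` is the one from the manifests above; the issuer string ``Let's Encrypt``, the 7-day expiry threshold and the ``SAMPLE_CERT`` dictionary are assumptions constructed for this example.

```python
"""Scripted version of the final verification step: confirm that the
certificate the Ingress Controller serves for the kuard FQDN was issued
by Let's Encrypt, names the host, and is not close to expiry.

Added example; it is not part of the StarlingX documentation.
"""
import socket
import ssl
import sys

# Issuer organizationName carried by Let's Encrypt production certificates
# (assumed value for this example).
LETSENCRYPT_ORG = "Let's Encrypt"

# Hostname from the example manifests; replace with your own FQDN.
DEFAULT_HOST = "kuard.starlingx.mycompany.com"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Handshake with the Ingress and return the leaf certificate in the
    dict form produced by ssl.SSLSocket.getpeercert().

    The default context verifies the chain against the system trust store
    and checks the hostname, so an untrusted certificate (for instance the
    self-signed placeholder ingress-nginx serves while the cert-manager
    secret is still empty) fails here with ssl.SSLCertVerificationError
    instead of being silently accepted."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def rdn_value(name, attr: str):
    """Return one attribute (e.g. 'organizationName') from the nested
    tuple-of-RDNs layout getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def days_until_expiry(cert: dict, now_ts: float) -> int:
    """Whole days between now_ts (epoch seconds) and the cert's notAfter."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def check_cert(cert: dict, hostname: str, now_ts: float,
               issuer_org: str = LETSENCRYPT_ORG, min_days_left: int = 7) -> list:
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []

    org = rdn_value(cert.get("issuer", ()), "organizationName")
    if org != issuer_org:
        findings.append(f"issuer organizationName is {org!r}, expected {issuer_org!r}")

    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if hostname not in dns_names:
        findings.append(f"{hostname} is not in subjectAltName {dns_names}")

    left = days_until_expiry(cert, now_ts)
    if left < min_days_left:
        findings.append(f"certificate expires in {left} days; check that cert-manager is renewing it")
    return findings


# Constructed sample in getpeercert() layout, used for offline testing only.
SAMPLE_CERT = {
    "subject": ((("commonName", DEFAULT_HOST),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", DEFAULT_HOST),),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Mar 31 23:59:59 2030 GMT",
}
# A fixed "now" (15 Jan 2030) so the sample check is reproducible.
SAMPLE_NOW_TS = ssl.cert_time_to_seconds("Jan 15 00:00:00 2030 GMT")


if __name__ == "__main__":
    import time
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    try:
        cert = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"{host}: chain did not validate: {exc.verify_message}")
    findings = check_cert(cert, host, time.time())
    print(f"{host}: issuer={rdn_value(cert['issuer'], 'organizationName')!r} "
          f"notAfter={cert['notAfter']}")
    for finding in findings:
        print(f"  PROBLEM: {finding}")
    sys.exit(1 if findings else 0)
```

Run it as ``python3 check_kuard_cert.py kuard.starlingx.mycompany.com`` from a host that can reach the |OAM| floating IP; a non-zero exit means the chain did not validate or one of the checks failed. Because the chain is validated before any field is inspected, the script distinguishes "cert-manager has not issued yet" (handshake failure) from "a certificate was issued but by the wrong issuer or for the wrong name" (findings list). One caveat on the manifests themselves: ``cert-manager.io/v1alpha2`` and ``extensions/v1beta1`` are the API versions of the cert-manager and Kubernetes releases this example was written against; newer cert-manager (1.6 and later) and Kubernetes (1.22 and later) have removed them in favour of ``cert-manager.io/v1`` and ``networking.k8s.io/v1``, and the checker above is independent of which you use.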