https://faun.pub/install-traefik-ingress-controller-in-kubernetes-d45ecf592da2#ac88
https://faun.pub/install-certificate-manager-controller-in-kubernetes-ba435aedf2e8#142c
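# Add the jetstack chart repo and install/upgrade cert-manager into its own namespace.
# The chart version is pinned on purpose: bump it deliberately (v1.6.0 is long out of
# support -- pick a maintained release from https://cert-manager.io/docs/releases/) and
# read the upgrade notes first, because the CRDs are installed together with the chart.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.6.0 \
  jetstack/cert-manager \
  --set installCRDs=true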
Check status
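# Everything in the cert-manager namespace (deployments, pods, services, ...)
kubectl get all -n cert-manager
# Make sure all cert-manager pods are Running (controller, cainjector, webhook)
kubectl get pods --namespace cert-manager
# Make sure the *.cert-manager.io custom resource definitions were created
kubectl get crd | grep cert-manager
# Verify that ClusterIssuer is cluster-scoped (NAMESPACED column shows 'false'),
# so a single issuer can serve Certificates in every namespace
kubectl api-resources | grep clusterissuers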
Self-signed (sandbox / testing only — the certificate is not trusted by any client)
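# cat sandbox--myelgdops-com-cert.yaml
#
# Self-signed issuer: produces a certificate that is NOT trusted by browsers or
# curl. Use it only for sandbox testing; clients must be told to trust it explicitly.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sandbox-myelgdops-com-issuer
  # no `namespace` here: ClusterIssuer is cluster-scoped and the field is ignored
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # NOTE: the name still says "letsencript" although this cert is self-signed;
  # kept as-is so anything already referencing the Secret below keeps working
  name: sandbox-myelgdops-com-cert-letsencript
  namespace: dops-sandbox
spec:
  # TLS Secret (tls.crt / tls.key) that cert-manager writes in dops-sandbox
  secretName: sandbox-myelgdops-com-cert-letsencript-secret
  commonName: 'sandbox.myelgdops.com'
  dnsNames:
    - sandbox.myelgdops.com
  # In the cert-manager.io/v1 API the key parameters live under spec.privateKey:
  # privateKey:
  #   algorithm: RSA
  #   size: 2048
  issuerRef:
    name: sandbox-myelgdops-com-issuer
    kind: ClusterIssuer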
Let's Encrypt signed (issued through cert-manager)
NOTE: reported NOT to work with Traefik v2.5+ (this HTTP-01 solver depends on a cert-manager-created Ingress that Traefik must actually serve). Prefer the Traefik certificate resolver approach shown further below.
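# ClusterIssuer backed by Let's Encrypt (ACME, HTTP-01 solved through a
# cert-manager-created Ingress). Reported not to work with Traefik v2.5+;
# see the certResolver variant in traefik-values.yml below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: demo-myelgdops-com-issuer
  # ClusterIssuer is cluster-scoped; a `namespace` field here is ignored
spec:
  acme:
    # Must be a real, monitored mailbox: Let's Encrypt sends expiry warnings to it.
    email: you@example.com  # replace this
    # ACME account key. For a ClusterIssuer this Secret is created in the
    # cert-manager namespace (where the controller runs), not in dops-demo.
    privateKeySecretRef:
      name: your-own-very-secretive-key
    # Debug against the staging endpoint first: production enforces rate limits
    # (e.g. 5 duplicate certificates per week) that a failing setup burns through
    # quickly. Staging certificates are not browser-trusted.
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - http01:
          ingress:
            # The class must be one Traefik actually serves (`traefik` by default).
            # A class Traefik ignores leaves the challenge Ingress unrouted and the
            # Order stuck in pending -- TODO confirm against the Traefik config.
            class: traefik-cert-manager
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-myelgdops-com-cert-letsencript
  namespace: dops-demo
spec:
  # TLS Secret (tls.crt / tls.key) that cert-manager writes in dops-demo
  secretName: demo-myelgdops-com-cert-letsencript-secret
  commonName: 'demo.myelgdops.com'
  dnsNames:
    - demo.myelgdops.com
  issuerRef:
    name: demo-myelgdops-com-issuer
    kind: ClusterIssuer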
With Traefik v2.5+ use only the approach below: let Traefik's own ACME certificate resolver obtain the certificate instead of cert-manager.
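# cat traefik-values.yml
# ------------------------------------
# Helm values for deploying Traefik: the static configuration.
logs:
  general:
    # DEBUG is handy while the ACME flow is being set up; drop to INFO once it
    # works -- debug output is verbose and ends up in the log pipeline.
    level: DEBUG
  access:
    enable: true
    format: json
additionalArguments:
  # Certificate resolver "ksi": Let's Encrypt via the TLS-ALPN-01 challenge.
  # Inbound 443 must reach Traefik directly (no TLS-terminating proxy in front).
  - "--certificatesresolvers.ksi.acme.tlschallenge=true"
  # Real, monitored mailbox: expiry notices go here.
  - "--certificatesresolvers.ksi.acme.email=you@example.com"
  # ACME account + issued certificates. Must survive pod restarts (see
  # `persistence` below); otherwise every restart re-requests the certs and
  # counts against Let's Encrypt rate limits.
  - "--certificatesresolvers.ksi.acme.storage=/data/acme.json"
  - "--metrics.prometheus=true"
  # Traefik Pilot has been discontinued upstream, and the token that used to sit
  # here was committed in plaintext: drop the flag and revoke/rotate that token
  # rather than keep it in a values file.
  # - "--pilot.token=<redacted>"
  # Enables the API/dashboard. Never add --api.insecure; expose the dashboard only
  # through an IngressRoute that carries an auth middleware (basicAuth/forwardAuth).
  - "--api.dashboard=true"
deployment:
  # Keep 1 while ACME state lives in a single acme.json on a ReadWriteOnce volume;
  # the file is not safe to share between replicas.
  replicas: 1
  # Traefik refuses to start when acme.json is not mode 0600; on a fresh PVC the
  # file gets group permissions, so fix it up before the main container starts.
  initContainers:
    - name: volume-permissions
      image: busybox:1.36
      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
      volumeMounts:
        - name: data
          mountPath: /data
# Keep /data on a PersistentVolume so ACME state outlives the pod
# (removes the need to delete acme.json after restarts).
persistence:
  enabled: true
  path: /data
  size: 128Mi
service:
  spec:
    # `$PublicIP` / `$Cluster_nodeResourceGroup` are NOT expanded by helm: render
    # the file first (`envsubst < traefik-values.yml | helm ... -f -`) or pass
    # the values with --set.
    loadBalancerIP: $PublicIP
  annotations:
    "service.beta.kubernetes.io/azure-load-balancer-resource-group": $Cluster_nodeResourceGroup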
Install/update traefik
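kubectl create namespace traefik
# ----------------------------------------------------
# NOTE: the Traefik chart repo moved to https://traefik.github.io/charts; the old
# helm.traefik.io URL may only redirect -- verify before relying on it.
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
# Shell variables inside traefik-values.yml are not expanded by helm, so render
# them on the fly and feed the result to -f via stdin (nothing is left on disk).
# `dashboard.enabled` is the legacy key; newer chart versions use
# `ingressRoute.dashboard.enabled` -- check `helm show values traefik/traefik`.
envsubst < traefik-values.yml | helm upgrade --install traefik traefik/traefik \
  -f - \
  -n traefik \
  --set dashboard.enabled=true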
Use the `ksi` certificate resolver defined above in traefik-values.yml (it is referenced as `tls.certResolver` in the IngressRoute):
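# kubectl create -f middleware.yml
# ----------------------------------------------------
# Basic auth, http -> https redirect
#
# Routes for elg.ksi.kiev.ua: redirect on the `web` entrypoint, the apps on
# `websecure` with a certificate from the `ksi` resolver.
# NOTE: traefik.containo.us/v1alpha1 is the legacy API group; Traefik v2.10+
# also serves traefik.io/v1alpha1 and v3 drops the old group -- TODO confirm
# the installed version before migrating.
########################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dops-master-service-ingress-route-http-to-https
  namespace: dops-master
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`elg.ksi.kiev.ua`)
      # The redirect middleware answers before the service is reached; the
      # service is listed only because the CRD requires one.
      services:
        - name: apache1-test-app-service
          namespace: dops-master
          port: 80
      middlewares:
        - name: api-http-redirect
          namespace: dops-master
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: api-http-redirect
  namespace: dops-master
spec:
  redirectScheme:
    scheme: https
    permanent: true
    port: "443"
#########################################################
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dops-master-apache0-service-ingress
  namespace: dops-master
spec:
  entryPoints:
    - websecure
  routes:
    # The host root is served WITHOUT authentication while the middleware below
    # stays commented out. Uncomment it (and create the `master-base-authsecret`
    # Secret with an htpasswd-style `users` key) before putting anything
    # non-public behind this route.
    - kind: Rule
      match: Host(`elg.ksi.kiev.ua`)
      services:
        - name: apache0-test-app-service
          namespace: dops-master
          port: 80
      # middlewares:
      #   - name: master-base-auth
      #     namespace: dops-master
    ###############################################################
    - kind: Rule
      match: Host(`elg.ksi.kiev.ua`) && PathPrefix(`/apache1`)
      services:
        - name: apache1-test-app-service
          namespace: dops-master
          port: 80
      middlewares:
        - name: app-prefix
          namespace: dops-master
    ###############################################################
    - kind: Rule
      match: Host(`elg.ksi.kiev.ua`) && PathPrefix(`/apache2`)
      services:
        - name: apache2-test-app-service
          namespace: dops-master
          port: 80
      middlewares:
        - name: app-prefix
          namespace: dops-master
  tls:
    # Certificate obtained by the `ksi` resolver configured in traefik-values.yml
    certResolver: ksi
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: master-base-auth
  namespace: dops-master
spec:
  basicAuth:
    # Secret in dops-master whose `users` key holds htpasswd lines.
    # Create it with kubectl; never commit the hashes next to this manifest.
    secret: master-base-authsecret
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: app-prefix
  namespace: dops-master
spec:
  # Strip the routing prefix before forwarding so the backend sees `/`.
  stripPrefix:
    prefixes:
      - "/apache1"
      - "/apache2"
    forceSlash: false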
Without persistent storage for /data, ACME state is lost on every pod or cluster restart, and the workaround below deletes /data/acme.json. Be aware this discards the ACME account and every issued certificate; they are re-requested on the next start and count against Let's Encrypt rate limits. The proper fix is to enable persistence for /data in the Helm values.
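# Only needed while /data is NOT persisted. Deleting acme.json throws away the
# ACME account and all issued certificates; Traefik re-requests them on the next
# start, which counts against Let's Encrypt rate limits.
# Target the Deployment instead of listing pods: the old `$(kubectl get pods ...)`
# form breaks as soon as the namespace holds more than one pod. `reboot` does not
# exist inside the container either -- restart the rollout instead.
kubectl exec -n traefik deploy/traefik -- sh -c 'rm -f /data/acme.json'
kubectl rollout restart -n traefik deploy/traefik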
Get cert status:
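# Certificate status (READY column) and the request that produced it
kubectl get certificaterequest -n dops-demo -o wide
kubectl get certificate -n dops-demo -o wide
# Events at the bottom of the describe output explain a non-Ready certificate
kubectl describe certificate -n dops-demo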
Debug ACME status:
https://cert-manager.io/docs/faq/acme/
kubectl describe order {.....} -A kubectl describe challenge -A kubectl get challenges -A kubectl describe certificaterequest -n dops-master {......} kubectl get certificaterequest -A