cert manager letsencrypt - choisungwook/portfolio GitHub Wiki

Overview

  • Issuing Let's Encrypt certificates with cert-manager

Prerequisites

  1. An environment with outbound internet access (needed to reach the ACME server and the Cloudflare API)
  2. A domain managed in Cloudflare
  3. A Kubernetes cluster
  4. cert-manager installed
  5. A Cloudflare API token, stored in a Kubernetes Secret

How to turn a Cloudflare API token into a Kubernetes Secret: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-keys


Creating the ClusterIssuers

  • A ClusterIssuer is a certificate issuer that can be referenced from every namespace
  • Issuers are split into a staging one (for testing, rate limits are relaxed but browsers do not trust the result) and a production one
  • The solver is dns-01 and the DNS provider is Cloudflare

Staging ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your@email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the challenge provider
    solvers:
      - dns01:
          cloudflare:
            email: <your-email>
            apiTokenSecretRef:
              name: cloudflare-api-key-secret #cloudflare api token
              key: api-token

Production ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your@email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the challenge provider
    solvers:
      - dns01:
          cloudflare:
            email: <your-email>
            apiTokenSecretRef:
              name: cloudflare-api-key-secret #cloudflare api token
              key: api-token

Defining the Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-staging-test
spec:
  secretName: test-abcde
  issuerRef:
    name: letsencrypt-staging # must match the name of a ClusterIssuer created above
    kind: ClusterIssuer
  commonName: 'choilab.xyz'
  dnsNames:
  - choilab.xyz
  - test3.choilab.xyz

์ธ์ฆ์„œ ์ ์šฉ ์˜ˆ์ œ

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test3
  labels:
    app: nginx-test3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-test3
  template:
    metadata:
      labels:
        app: nginx-test3
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-test3
spec:
  selector:
    app: nginx-test3
  ports:
  - port: 80
    targetPort: 80
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test3
spec:
  ingressClassName: nginx # replaces the deprecated kubernetes.io/ingress.class annotation
  tls:
    - hosts:
      - test3.choilab.xyz # must be one of the Certificate's dnsNames, otherwise clients see a name mismatch
      secretName: test-abcde # the Secret the Certificate above writes
  rules:
  - host: test3.choilab.xyz
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx-test3
            port:
              number: 80

์ธ์ฆ์„œ ์ƒ์„ฑ๊ณผ ingress์— ๋™์‹œ์— ์ ์šฉ

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test3
  annotations:
    # ingress-shim: cert-manager creates a Certificate for spec.tls on its own.
    # cluster-issuer must name a ClusterIssuer; cert-manager.io/issuer would look for a namespaced Issuer.
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
      - test2.choilab.xyz
      secretName: stage-test-prod-4 # Secret in which the issued certificate is stored
  rules:
  - host: test2.choilab.xyz
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx-test3
            port:
              number: 80
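The three manifests above (ClusterIssuer, Certificate, Ingress) only work when their names line up: the Certificate's issuerRef must name an existing ClusterIssuer, the Ingress tls secretName must be the Secret a Certificate writes, every TLS host must be covered by that Certificate's dnsNames, and the ingress-shim annotation must use `cert-manager.io/cluster-issuer` for a ClusterIssuer. The following added example is not from the wiki or from cert-manager; it is a static cross-reference check that catches these mistakes before anything is applied. It embeds the manifests as Python dicts rather than parsing YAML, uses constructed sample names, and goes slightly beyond the page by handling wildcard dnsNames the way TLS clients do (one label only).

```python
"""Static cross-reference check for cert-manager and Ingress manifests.

Added example, not from the original wiki or from cert-manager. Manifests are
embedded as Python dicts mirroring the page's YAML shapes so this runs offline
without a YAML parser or a cluster; names and hostnames are constructed samples.
"""


def host_covered(host: str, name: str) -> bool:
    """True if a dnsNames entry covers the Ingress host.

    A wildcard like *.example.com covers exactly one label (a.example.com),
    not the apex (example.com) and not deeper names (a.b.example.com).
    """
    host, name = host.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        suffix = name[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == name


def check_manifests(manifests: list) -> list:
    """Return human-readable findings; an empty list means the set is consistent."""
    findings, by_kind = [], {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)
    cluster_issuers = {m["metadata"]["name"]: m for m in by_kind.get("ClusterIssuer", [])}
    issuers = {m["metadata"]["name"] for m in by_kind.get("Issuer", [])}

    # Every Certificate must reference an issuer object of the right kind.
    certs_by_secret = {}
    for cert in by_kind.get("Certificate", []):
        cname, ref = cert["metadata"]["name"], cert["spec"]["issuerRef"]
        kind = ref.get("kind", "Issuer")  # cert-manager defaults to a namespaced Issuer
        known = cluster_issuers if kind == "ClusterIssuer" else issuers
        if ref["name"] not in known:
            findings.append(f"Certificate {cname}: issuerRef {kind}/{ref['name']} does not exist")
        elif kind == "ClusterIssuer" and "staging" in known[ref["name"]]["spec"]["acme"]["server"]:
            findings.append(f"Certificate {cname}: issued by the Let's Encrypt staging CA, browsers will not trust it")
        certs_by_secret[cert["spec"]["secretName"]] = cert

    for ing in by_kind.get("Ingress", []):
        iname, ann = ing["metadata"]["name"], ing["metadata"].get("annotations", {})
        # ingress-shim: cert-manager.io/issuer names a namespaced Issuer,
        # cert-manager.io/cluster-issuer names a ClusterIssuer.
        if "cert-manager.io/issuer" in ann and ann["cert-manager.io/issuer"] not in issuers:
            findings.append(f"Ingress {iname}: annotation cert-manager.io/issuer={ann['cert-manager.io/issuer']!r} "
                            "names no Issuer (use cert-manager.io/cluster-issuer for a ClusterIssuer)")
        if "cert-manager.io/cluster-issuer" in ann and ann["cert-manager.io/cluster-issuer"] not in cluster_issuers:
            findings.append(f"Ingress {iname}: annotation cert-manager.io/cluster-issuer="
                            f"{ann['cert-manager.io/cluster-issuer']!r} names no ClusterIssuer")
        managed = "cert-manager.io/issuer" in ann or "cert-manager.io/cluster-issuer" in ann
        for tls in ing["spec"].get("tls", []):
            if managed:
                continue  # ingress-shim will create a Certificate for tls.hosts itself
            cert = certs_by_secret.get(tls["secretName"])
            if cert is None:
                findings.append(f"Ingress {iname}: tls secret {tls['secretName']!r} is not written by any Certificate")
                continue
            for host in tls["hosts"]:
                if not any(host_covered(host, n) for n in cert["spec"].get("dnsNames", [])):
                    findings.append(f"Ingress {iname}: host {host} is not covered by Certificate "
                                    f"{cert['metadata']['name']} dnsNames")
    return findings


# --- constructed sample manifests (same shapes as the wiki's YAML) ---------------
def _cluster_issuer(name, server):
    solver = {"dns01": {"cloudflare": {"apiTokenSecretRef": {"name": "cloudflare-api-key-secret", "key": "api-token"}}}}
    return {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer", "metadata": {"name": name},
            "spec": {"acme": {"server": server, "solvers": [solver]}}}


def _certificate(name, secret, issuer, dns_names):
    return {"apiVersion": "cert-manager.io/v1", "kind": "Certificate", "metadata": {"name": name},
            "spec": {"secretName": secret, "issuerRef": {"name": issuer, "kind": "ClusterIssuer"}, "dnsNames": dns_names}}


def _ingress(name, host, secret, annotations=None):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"ingressClassName": "nginx", "tls": [{"hosts": [host], "secretName": secret}],
                     "rules": [{"host": host}]}}


ISSUERS = [_cluster_issuer("letsencrypt-staging", "https://acme-staging-v02.api.letsencrypt.org/directory"),
           _cluster_issuer("letsencrypt-prod", "https://acme-v02.api.letsencrypt.org/directory")]

# "Before": issuerRef names a non-existent issuer, the Ingress host is not in dnsNames,
# and the ingress-shim annotation uses the namespaced-Issuer key for a ClusterIssuer.
BROKEN = ISSUERS + [
    _certificate("test-staging-test", "test-abcde", "test-staging", ["choilab.xyz", "test3.choilab.xyz"]),
    _ingress("nginx-test3", "test2.choilab.xyz", "test-abcde"),
    _ingress("nginx-test3-auto", "test2.choilab.xyz", "stage-test-prod-4", {"cert-manager.io/issuer": "prod"}),
]

# "After": references resolve and a wildcard dnsName covers the Ingress host.
FIXED = ISSUERS + [
    _certificate("test-prod", "test-abcde", "letsencrypt-prod", ["choilab.xyz", "*.choilab.xyz"]),
    _ingress("nginx-test3", "test3.choilab.xyz", "test-abcde"),
    _ingress("nginx-test3-auto", "test2.choilab.xyz", "stage-test-prod-4",
             {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}),
]

if __name__ == "__main__":
    for label, manifests in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_manifests(manifests) or "OK")
```

Run it as a script: the `broken` set reports three findings (the unknown `test-staging` issuer, the uncovered `test2.choilab.xyz` host, and the `cert-manager.io/issuer` annotation), while the `fixed` set reports none. The staging warning is deliberate: a Certificate issued by `letsencrypt-staging` is fine for testing the DNS-01 flow but must be switched to `letsencrypt-prod` before real clients connect.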