cert manager letsencrypt - choisungwook/portfolio Wiki

Overview

  • Issuing Let's Encrypt certificates with cert-manager

Prerequisites

  1. An environment with outbound internet access
  2. A domain managed through Cloudflare
  3. A Kubernetes cluster
  4. cert-manager installed
  5. A Cloudflare API token, created and stored in a Kubernetes Secret

How to turn the Cloudflare API token into a k8s Secret: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-keys


Creating the ClusterIssuer

  • Create a certificate issuer that is available in every namespace
  • Issuers are split into stage and prod
  • The solver is DNS-01 and the provider is Cloudflare

stage ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your-email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the challenge provider
    solvers:
      - dns01:
          cloudflare:
            email: <your-email>
            apiTokenSecretRef:
              name: cloudflare-api-key-secret # Secret holding the Cloudflare API token; a ClusterIssuer reads it from the cert-manager namespace
              key: api-token

prod ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your-email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the challenge provider
    solvers:
      - dns01:
          cloudflare:
            email: <your-email>
            apiTokenSecretRef:
              name: cloudflare-api-key-secret # Secret holding the Cloudflare API token; a ClusterIssuer reads it from the cert-manager namespace
              key: api-token

Defining the Certificate spec

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-staging-test
spec:
  secretName: test-abcde # Secret the issued certificate is written to; referenced by the Ingress tls section
  issuerRef:
    name: letsencrypt-staging # must match the name of the ClusterIssuer defined above
    kind: ClusterIssuer
  commonName: 'choilab.xyz'
  dnsNames:
  - choilab.xyz
  - test3.choilab.xyz

Example of applying the certificate

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test3
  labels:
    app: nginx-test3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-test3
  template:
    metadata:
      labels:
        app: nginx-test3
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-test3
spec:
  selector:
    app: nginx-test3
  ports:
  - port: 80
    targetPort: 80
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test3
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
      - test3.choilab.xyz # must be one of the dnsNames of the Certificate that produces test-abcde
      secretName: test-abcde
  rules:
  - host: test3.choilab.xyz
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx-test3
            port:
              number: 80

Creating the certificate and applying it to the Ingress in one step

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test3
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # the issuers above are ClusterIssuers, so use the cluster-issuer annotation with the ClusterIssuer name
spec:
  tls:
    - hosts:
      - test2.choilab.xyz
      secretName: stage-test-prod-4 # Secret where the issued certificate is stored
  rules:
  - host: test2.choilab.xyz
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx-test3
            port:
              number: 80
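A pre-apply consistency check for the objects on this page, added here as an example; it is not part of the original wiki and not cert-manager's own code. It reproduces the ClusterIssuers, the token Secret, the Certificate and both Ingresses as constructed Python dicts (standard library only, so it runs offline) and checks the references between them: the token Secret sits in the namespace cert-manager reads ClusterIssuer secrets from (assumed to be `cert-manager`, the default `--cluster-resource-namespace`), every `issuerRef` names an existing issuer of the stated kind, a `cert-manager.io/cluster-issuer` or `cert-manager.io/issuer` annotation points at an issuer of the matching kind, and every TLS host served from a Certificate's Secret is one of that Certificate's `dnsNames`. The second Ingress is called `nginx-test3-auto` here to keep it distinct from the first; that name is constructed.

```python
import fnmatch

CERT_MANAGER_NS = "cert-manager"  # assumed: cert-manager's default --cluster-resource-namespace


def obj(kind, name, spec=None, namespace=None, annotations=None):
    """Build a minimal Kubernetes object dict (helper for the constructed samples)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    if annotations:
        meta["annotations"] = annotations
    return {"kind": kind, "metadata": meta, "spec": spec or {}}


def cluster_issuer(name, secret):
    """ClusterIssuer with one DNS-01 Cloudflare solver, as on this page."""
    return obj("ClusterIssuer", name, {"acme": {"solvers": [
        {"dns01": {"cloudflare": {"apiTokenSecretRef": {"name": secret, "key": "api-token"}}}}]}})


def ingress(name, host, secret, annotations=None):
    """Ingress with a single TLS host served from `secret`."""
    return obj("Ingress", name, {"tls": [{"hosts": [host], "secretName": secret}]}, annotations=annotations)


def host_covered(host, dns_names):
    """True if host is listed in dns_names or matches a single-label wildcard (*.example.com)."""
    for name in dns_names:
        if name == host:
            return True
        # fnmatch's '*' also matches dots, so additionally require the same number of labels
        if name.startswith("*.") and fnmatch.fnmatchcase(host, name) and host.count(".") == name.count("."):
            return True
    return False


def check_manifests(objects):
    """Return human-readable problems; an empty list means the references are consistent."""
    problems, by_kind = [], {}
    for o in objects:
        by_kind.setdefault(o["kind"], []).append(o)
    issuers = {(o["kind"], o["metadata"]["name"])
               for o in by_kind.get("ClusterIssuer", []) + by_kind.get("Issuer", [])}
    secrets = {(o["metadata"].get("namespace", "default"), o["metadata"]["name"])
               for o in by_kind.get("Secret", [])}

    # A ClusterIssuer is cluster-scoped: cert-manager looks for its token Secret in the
    # cluster resource namespace, not in the namespace of the Certificate being issued.
    for iss in by_kind.get("ClusterIssuer", []):
        for solver in iss["spec"]["acme"]["solvers"]:
            ref = solver.get("dns01", {}).get("cloudflare", {}).get("apiTokenSecretRef")
            if ref and (CERT_MANAGER_NS, ref["name"]) not in secrets:
                problems.append(f"ClusterIssuer {iss['metadata']['name']}: secret {ref['name']} "
                                f"not found in namespace {CERT_MANAGER_NS}")

    # Certificate.issuerRef must name an existing issuer of the stated kind (default kind: Issuer).
    certs_by_secret = {}
    for cert in by_kind.get("Certificate", []):
        ref = cert["spec"]["issuerRef"]
        kind = ref.get("kind", "Issuer")
        if (kind, ref["name"]) not in issuers:
            problems.append(f"Certificate {cert['metadata']['name']}: issuerRef {kind} {ref['name']} does not exist")
        certs_by_secret[cert["spec"]["secretName"]] = cert

    # Ingress TLS: either cert-manager issues the certificate via an annotation, or the
    # referenced Secret must come from a Certificate whose dnsNames cover every host.
    for ing in by_kind.get("Ingress", []):
        name, ann = ing["metadata"]["name"], ing["metadata"].get("annotations", {})
        auto = None
        if "cert-manager.io/cluster-issuer" in ann:
            auto = ("ClusterIssuer", ann["cert-manager.io/cluster-issuer"])
        elif "cert-manager.io/issuer" in ann:  # this annotation means a namespaced Issuer
            auto = ("Issuer", ann["cert-manager.io/issuer"])
        if auto is not None:
            if auto not in issuers:
                problems.append(f"Ingress {name}: annotation points at {auto[0]} {auto[1]} which does not exist")
            continue  # cert-manager creates a Certificate for the spec.tls hosts itself
        for tls in ing["spec"].get("tls", []):
            cert = certs_by_secret.get(tls["secretName"])
            if cert is None:
                problems.append(f"Ingress {name}: TLS secret {tls['secretName']} is not produced by any Certificate")
                continue
            for host in tls["hosts"]:
                if not host_covered(host, cert["spec"]["dnsNames"]):
                    problems.append(f"Ingress {name}: host {host} is not covered by Certificate {cert['metadata']['name']}")
    return problems


def page_manifests(fixed=True):
    """The objects from this page as constructed dicts. fixed=False swaps in three common
    reference mistakes: an issuerRef naming no issuer, a TLS host missing from dnsNames,
    and the namespaced-issuer annotation used with a ClusterIssuer."""
    cert_issuer = "letsencrypt-staging" if fixed else "test-staging"
    static_host = "test3.choilab.xyz" if fixed else "test2.choilab.xyz"
    auto_ann = {"cert-manager.io/cluster-issuer": "letsencrypt-prod"} if fixed else {"cert-manager.io/issuer": "prod"}
    return [
        obj("Secret", "cloudflare-api-key-secret", namespace=CERT_MANAGER_NS),
        cluster_issuer("letsencrypt-staging", "cloudflare-api-key-secret"),
        cluster_issuer("letsencrypt-prod", "cloudflare-api-key-secret"),
        obj("Certificate", "test-staging-test", {"secretName": "test-abcde",
                                                 "issuerRef": {"name": cert_issuer, "kind": "ClusterIssuer"},
                                                 "dnsNames": ["choilab.xyz", "test3.choilab.xyz"]}),
        ingress("nginx-test3", static_host, "test-abcde"),
        ingress("nginx-test3-auto", "test2.choilab.xyz", "stage-test-prod-4", auto_ann),  # constructed name
    ]


if __name__ == "__main__":
    for label, fixed in (("consistent set", True), ("with mistakes", False)):
        print(label, check_manifests(page_manifests(fixed)) or ["OK"])
```

The checks mirror how cert-manager resolves these references: `issuerRef.kind` defaults to `Issuer`, the `cert-manager.io/issuer` annotation never matches a ClusterIssuer, and an Ingress that reuses an existing Certificate's Secret only serves the hosts that Certificate actually lists.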