cert manager letsencrypt - choisungwook/portfolio GitHub Wiki
- Issuing Let's Encrypt certificates with cert-manager
- Prerequisites:
  - an environment with outbound internet access (the cluster must reach the ACME endpoints and the Cloudflare API)
  - a domain whose DNS is served by Cloudflare
  - a Kubernetes cluster
  - cert-manager installed
  - a Cloudflare API token, created and stored in a Kubernetes Secret. Scope the token to the one zone with the permissions Zone:DNS:Edit and Zone:Zone:Read; a ClusterIssuer reads the Secret from the cert-manager namespace (the cluster-resource-namespace), not from the application namespace.
- How to turn the Cloudflare API token into a k8s Secret: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-keys
- Create certificate issuers that apply to every namespace (a ClusterIssuer rather than a namespaced Issuer)
- Issuers are split into staging and prod. Verify the whole flow against staging first: the production endpoint has strict rate limits and failed orders there burn quota, while staging certificates are not browser-trusted and are only for testing.
- The solver is DNS-01 and the provider is Cloudflare: cert-manager publishes a TXT record at `_acme-challenge.<name>` through the Cloudflare API, which also works for wildcard names and for hosts that are not reachable over HTTP from the internet.
- ClusterIssuer for the Let's Encrypt staging endpoint:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL (staging: generous rate limits, certificates are NOT browser-trusted)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (expiry notices go here)
    email: <your@email>
    # Name of a Secret used to store the ACME account private key.
    # cert-manager creates it in its own namespace (cluster-resource-namespace, default: cert-manager).
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the challenge provider
    solvers:
    - dns01:
        cloudflare:
          # Cloudflare API token (Zone:DNS:Edit + Zone:Zone:Read). Because this is a
          # ClusterIssuer, the Secret must live in the cluster-resource-namespace
          # (default: cert-manager). cloudflare.email is only required together with
          # apiKeySecretRef (global API key), not with a token.
          apiTokenSecretRef:
            name: cloudflare-api-key-secret # Secret holding the cloudflare api token
            key: api-token
```
- ClusterIssuer for the Let's Encrypt production endpoint (same layout, different server URL and account-key Secret; the two issuers share the Cloudflare token Secret):

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL (production: rate-limited, browser-trusted certificates)
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your@email>
    # Name of a Secret used to store the ACME account private key
    # (a separate account from the staging one, in the cert-manager namespace)
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the challenge provider
    solvers:
    - dns01:
        cloudflare:
          # Same token Secret as the staging issuer, in the cluster-resource-namespace.
          # cloudflare.email is not needed with apiTokenSecretRef.
          apiTokenSecretRef:
            name: cloudflare-api-key-secret # Secret holding the cloudflare api token
            key: api-token
```
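When an Order sits in `pending` it helps to know what the DNS-01 solver is actually publishing. The Go program below is an added example, not cert-manager's or this page's own code: it derives the `_acme-challenge` TXT value the way RFC 8555 (section 8.4) specifies, from the challenge token and the ACME account key (the key cert-manager keeps in `privateKeySecretRef`). The account key is generated fresh and the token is a constructed sample, so the printed values are illustrative; cert-manager shows the finished value for a real order as `spec.key` on the Challenge resource, and `dig TXT _acme-challenge.test3.choilab.xyz` must return exactly that string before Let's Encrypt will validate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64url is the unpadded base64url encoding that ACME (RFC 8555) and
// JWK thumbprints (RFC 7638) use everywhere.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey stands in for the ACME account key cert-manager keeps in
// privateKeySecretRef; a P-256 key is what Let's Encrypt commonly sees.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// jwkThumbprint computes the RFC 7638 thumbprint of an EC account key:
// SHA-256 over the canonical JSON {"crv","kty","x","y"} with members in
// lexicographic order and no whitespace, then base64url.
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x := pub.X.FillBytes(make([]byte, size)) // fixed-width coordinates
	y := pub.Y.FillBytes(make([]byte, size))
	canon := map[string]string{
		"crv": pub.Curve.Params().Name, // "P-256"
		"kty": "EC",
		"x":   b64url(x),
		"y":   b64url(y),
	}
	// encoding/json sorts map keys, which yields the required canonical order.
	raw, err := json.Marshal(canon)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return b64url(sum[:]), nil
}

// keyAuthorization is token || "." || thumbprint (RFC 8555 section 8.1).
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// dns01TXTValue is what must appear in the _acme-challenge TXT record:
// base64url(SHA-256(keyAuthorization)) (RFC 8555 section 8.4).
func dns01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64url(sum[:])
}

// challengeFQDN returns the record name the CA queries. A wildcard name
// drops its leading "*." label, so *.choilab.xyz and choilab.xyz share one
// TXT name (and need two TXT records when both are in the same order).
func challengeFQDN(dnsName string) string {
	return "_acme-challenge." + strings.TrimPrefix(dnsName, "*.")
}

func main() {
	key, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	tp, err := jwkThumbprint(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed sample token in the shape Let's Encrypt issues (43 base64url chars).
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	ka := keyAuthorization(token, tp)
	for _, name := range []string{"choilab.xyz", "test3.choilab.xyz", "*.choilab.xyz"} {
		fmt.Printf("%s TXT %q\n", challengeFQDN(name), dns01TXTValue(ka))
	}
}
```

Every name in one order gets its own token, so the three lines above would carry different values in a real order; the program reuses one token only to keep the demonstration short. The thumbprint, not the key itself, is what ties the record to the account, which is why rotating the account key (deleting the `letsencrypt-*` Secret) invalidates in-flight challenges.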
- Certificate requested from the staging ClusterIssuer. The original referenced an issuer named `test-staging`, which does not exist; the name must match the ClusterIssuer's metadata.name:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-staging-test
  # Certificate is namespaced: the Secret below is created in this namespace,
  # and the Ingress that uses it must be in the same namespace.
spec:
  # Secret that will hold tls.crt / tls.key once the order completes
  secretName: test-abcde
  issuerRef:
    name: letsencrypt-staging # must match the ClusterIssuer's metadata.name
    kind: ClusterIssuer
  commonName: 'choilab.xyz'
  # every host an Ingress will serve with this Secret must be listed here
  dnsNames:
  - choilab.xyz
  - test3.choilab.xyz
```
- Test workload plus an Ingress that serves the Secret written by the Certificate above. The original Ingress used the host `test2.choilab.xyz`, which is not one of the Certificate's dnsNames, so clients would have received a certificate for the wrong name; the host is corrected to `test3.choilab.xyz`:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test3
  labels:
    app: nginx-test3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-test3
  template:
    metadata:
      labels:
        app: nginx-test3
    spec:
      containers:
      - name: nginx
        image: nginx:latest # pin a tag or digest outside of a throwaway test
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-test3
spec:
  selector:
    app: nginx-test3
  ports:
  - port: 80
    targetPort: 80
  # NodePort also exposes plain HTTP on every node; ClusterIP is enough when
  # only the ingress controller needs to reach the pod.
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test3
spec:
  ingressClassName: nginx # replaces the deprecated kubernetes.io/ingress.class annotation
  tls:
  - hosts:
    - test3.choilab.xyz # must be one of the dnsNames of the Certificate that wrote this Secret
    secretName: test-abcde
  rules:
  - host: test3.choilab.xyz
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx-test3
            port:
              number: 80
```
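The TLS block above only works when every host it lists matches a SAN of the certificate in `secretName`, and a staging-issued certificate must never be wired into a production Ingress. The Go program below is an added example, not part of the page or of cert-manager: it takes the `tls.crt` PEM from a TLS Secret together with the hosts of an Ingress and reports, per host, whether the certificate covers it, whether it came from the Let's Encrypt staging CA (staging issuer names carry `(STAGING)`), and whether it is outside its validity window. To run offline it constructs a self-signed certificate with this page's SANs in place of reading a real Secret; the check itself is what you would run on the output of `kubectl get secret test-abcde -o jsonpath='{.data.tls\.crt}' | base64 -d`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// HostCheck is the verdict for one host from an Ingress spec.tls[].hosts list.
type HostCheck struct {
	Host    string
	Covered bool   // host matches a SAN (VerifyHostname, wildcard-aware)
	Staging bool   // issuer name carries "(STAGING)", i.e. Let's Encrypt staging
	Expired bool   // outside NotBefore..NotAfter at check time
	Reason  string // hostname error text when not covered
}

// checkIngressHosts parses a tls.crt PEM (the first CERTIFICATE block is the
// leaf) and checks each Ingress host against it.
func checkIngressHosts(tlsCrt []byte, hosts []string, now time.Time) ([]HostCheck, error) {
	block, _ := pem.Decode(tlsCrt)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("tls.crt: no PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("tls.crt: %w", err)
	}
	staging := strings.Contains(leaf.Issuer.CommonName, "(STAGING)")
	expired := now.Before(leaf.NotBefore) || now.After(leaf.NotAfter)
	checks := make([]HostCheck, 0, len(hosts))
	for _, h := range hosts {
		c := HostCheck{Host: h, Staging: staging, Expired: expired}
		if err := leaf.VerifyHostname(h); err != nil {
			c.Reason = err.Error()
		} else {
			c.Covered = true
		}
		checks = append(checks, c)
	}
	return checks, nil
}

// constructedLeaf builds a stand-in for the tls.crt cert-manager would write:
// a certificate with the given SANs whose issuer name is issuerCN. It is
// signed with the leaf's own key (no real chain), which is enough for name
// and issuer checks because ParseCertificate does not verify signatures.
func constructedLeaf(sans []string, issuerCN string, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour), // Let's Encrypt lifetime
	}
	// The parent only supplies the issuer name: CreateCertificate copies
	// parent.Subject into the new certificate's Issuer field.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// SANs from the Certificate on this page, as issued by the staging issuer
	// (the issuer CN is constructed, only the "(STAGING)" marker matters).
	crt, err := constructedLeaf([]string{"choilab.xyz", "test3.choilab.xyz"}, "(STAGING) Constructed Intermediate", now)
	if err != nil {
		panic(err)
	}
	// Hosts an Ingress might list; test2 is not among the Certificate's dnsNames.
	checks, err := checkIngressHosts(crt, []string{"test3.choilab.xyz", "test2.choilab.xyz", "choilab.xyz"}, now)
	if err != nil {
		panic(err)
	}
	for _, c := range checks {
		fmt.Printf("%-20s covered=%-5t staging=%-5t expired=%-5t %s\n", c.Host, c.Covered, c.Staging, c.Expired, c.Reason)
	}
}
```

Run against the real Secret, the `covered=false` verdict is the one the original `test2.choilab.xyz` Ingress would have produced, and `staging=true` is the signal to switch the Certificate's issuerRef to `letsencrypt-prod` (and delete the old Secret) before pointing a public Ingress at it.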
- Alternative: instead of writing a Certificate by hand, annotate the Ingress and let cert-manager (ingress-shim) create a Certificate for the hosts in spec.tls itself. The original annotation `cert-manager.io/issuer: "prod"` named a non-existent namespaced Issuer; the issuers on this page are ClusterIssuers, so the annotation must be `cert-manager.io/cluster-issuer` with the real name. This variant uses the prod issuer, so apply it only after the staging run has succeeded:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test3
  annotations:
    # ingress-shim creates a Certificate for spec.tls hosts with this ClusterIssuer;
    # cert-manager.io/issuer is only for a namespaced Issuer
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - test2.choilab.xyz
    secretName: stage-test-prod-4 # Secret the issued certificate is stored in (created by cert-manager)
  rules:
  - host: test2.choilab.xyz
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx-test3
            port:
              number: 80
```