Install the ingress controller (nginx) with the command below:
$ microk8s enable ingress
First install the CustomResourceDefinition resources that cert-manager uses. They are installed as a separate step so that, when needed, only these resources have to be managed:
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
Install cert-manager for TLS certificates:
$ helm repo add jetstack https://charts.jetstack.io
$ helm install cert-manager jetstack/cert-manager \
    --namespace cert-manager --create-namespace \
    --version v1.8.2 \
    --set 'extraArgs={--acme-http01-solver-nameservers=8.8.8.8:53\,1.1.1.1:53}'
NAME: cert-manager
LAST DEPLOYED: Fri Jul 8 23:49:25 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.8.2 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
- The supported Ingress API changes with the IngressController version.
- If the Ingress is not applied, the Ingress Controller returns a 404 error.
- A ClusterIssuer is used so that it is available from every namespace.
The ClusterIssuer below is written with reference to the ClusterIssuer, ACMEIssuer, ACMEChallengeSolver and ACMEChallengeSolverIngressTemplate API types:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  # ClusterIssuer is cluster-scoped, so no metadata.namespace is set
spec:
  acme:
    # ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # e-mail address for the ACME registration
    email: [email protected]
    # name of the Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          # ingress class used for the temporary challenge Ingress that cert-manager
          # creates; an annotation named ingress.spec.ingressClassName is not read by
          # any controller, so the class is given through the solver's class field
          class: nginx
          serviceType: ClusterIP
Based on the above, the Ingress that cert-manager connects to the backend is created. The backend served when the domain is accessed is written as follows:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-nginx
  template:
    metadata:
      labels:
        app: http-nginx
    spec:
      containers:
      - image: nginx
        name: http-nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: http-nginx
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: http-nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: home-ingress
  annotations:
    # redirect plain HTTP to HTTPS (ingress-nginx annotation)
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # let cert-manager's ingress-shim create a Certificate for the tls section below
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  # the ingress class is a spec field, not an annotation; without it no
  # controller claims the Ingress and requests end in a 404
  ingressClassName: nginx
  tls:
  - hosts:
    - mydomain.com
    secretName: mydomain-cert
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-nginx
            port:
              number: 80
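As an added example that is not part of the original post: a small pre-apply check for the Ingress manifest above, written in Python so it runs offline without kubectl. The manifest is embedded as a constructed dict in the shape `kubectl get ingress -o json` returns, with the ingress class deliberately written as an annotation (`ingress.spec.ingressClassName`) instead of `spec.ingressClassName`, because that is the mistake that leaves the Ingress unclaimed by any controller and produces the 404 mentioned above. The function names (`check_ingress`, `fix_ingress`) and the "no prefix means no controller reads it" heuristic are this example's own, not cert-manager's or ingress-nginx's.

```python
import json

# Constructed variant of the post's Ingress, in the shape `kubectl get ingress -o json`
# returns, with the ingress class written as an annotation instead of a spec field.
FLAWED_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "home-ingress",
        "annotations": {
            "ingress.kubernetes.io/ssl-redirect": "true",
            "ingress.spec.ingressClassName": "nginx",      # the mistake under test
            "kubernetes.io/tls-acme": "true",
            "cert-manager.io/cluster-issuer": "letsencrypt-prod",
        },
    },
    "spec": {
        "tls": [{"hosts": ["mydomain.com"], "secretName": "mydomain-cert"}],
        "rules": [{"host": "mydomain.com", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "http-nginx", "port": {"number": 80}}}}]}}],
    },
}

ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")


def check_ingress(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    ann = manifest.get("metadata", {}).get("annotations") or {}
    spec = manifest.get("spec", {})

    # 1. Heuristic: controllers and cert-manager only read prefixed annotation keys,
    #    so a key that spells a spec path (e.g. ingress.spec.ingressClassName) is ignored.
    for key in ann:
        if "/" not in key:
            findings.append(f"annotation {key!r} has no prefix; no controller reads it")

    # 2. Without a class no controller claims the Ingress: 404 and no HTTP-01 routing.
    if not spec.get("ingressClassName") and "kubernetes.io/ingress.class" not in ann:
        findings.append("spec.ingressClassName missing (and no kubernetes.io/ingress.class annotation)")

    rule_hosts = {r.get("host") for r in spec.get("rules", []) if r.get("host")}
    tls_entries = spec.get("tls", [])

    # 3. Every TLS host needs a routing rule, else requests fall to the default backend,
    #    and ingress-shim needs a secretName to store the issued certificate.
    for entry in tls_entries:
        if not entry.get("secretName"):
            findings.append("tls entry without secretName; nowhere to store the certificate")
        for host in entry.get("hosts", []):
            if host not in rule_hosts:
                findings.append(f"tls host {host!r} has no matching rule")

    # 4. TLS without an issuer annotation: ingress-shim never creates a Certificate.
    if tls_entries and not any(k in ann for k in ISSUER_ANNOTATIONS):
        findings.append("tls configured but no cert-manager.io/cluster-issuer or "
                        "cert-manager.io/issuer annotation")
    return findings


def fix_ingress(manifest):
    """Return a deep copy with the misplaced class annotation moved to spec.ingressClassName."""
    fixed = json.loads(json.dumps(manifest))
    ann = fixed.setdefault("metadata", {}).setdefault("annotations", {})
    cls = ann.pop("ingress.spec.ingressClassName", None)
    if cls and not fixed["spec"].get("ingressClassName"):
        fixed["spec"]["ingressClassName"] = cls
    return fixed


if __name__ == "__main__":
    for finding in check_ingress(FLAWED_INGRESS):
        print("FINDING:", finding)
    print("after fix:", check_ingress(fix_ingress(FLAWED_INGRESS)) or "clean")
```

To run it against a live object instead of the embedded sample, load `kubectl -n <namespace> get ingress home-ingress -o json` with `json.load` and pass the result to `check_ingress`.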
Check the certificate and certificaterequests resources to confirm that the TLS certificate has been issued. A False value means it has not been issued yet.
$ kubectl -n {namespace} get certificate
NAME            READY   SECRET          AGE
kubehome-cert   False   kubehome-cert   9h
$ kubectl -n {namespace} get certificaterequests
NAME                  APPROVED   DENIED   READY   ISSUER             REQUESTOR                                         AGE
kubehome-cert-dr28g   True       False            letsencrypt-prod   system:serviceaccount:cert-manager:cert-manager   136m
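Added example, not from the original post: reading the same two resources as JSON and explaining why a Certificate is not Ready. The input is a constructed listing in the shape of `kubectl -n <namespace> get certificate,certificaterequest -o json`, mirroring the output above (Certificate not Ready, request approved but not issued); the condition messages are made up for the sample. The triage follows the `cert-manager.io/certificate-name` annotation that cert-manager sets on the CertificateRequests it creates; the function names are this example's own.

```python
import json
import sys

# Constructed sample in the shape of
#   kubectl -n <namespace> get certificate,certificaterequest -o json
# mirroring the post: the Certificate is not Ready, its request is approved but
# still pending. Condition messages are made up for this sample.
SAMPLE_LISTING = {
    "kind": "List",
    "items": [
        {
            "kind": "Certificate",
            "metadata": {"name": "kubehome-cert", "namespace": "default"},
            "spec": {"secretName": "kubehome-cert",
                     "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
            "status": {"conditions": [
                {"type": "Ready", "status": "False", "reason": "DoesNotExist",
                 "message": "Issuing certificate as Secret does not exist"},
            ]},
        },
        {
            "kind": "CertificateRequest",
            "metadata": {"name": "kubehome-cert-dr28g", "namespace": "default",
                         # cert-manager sets this annotation on requests it creates
                         "annotations": {"cert-manager.io/certificate-name": "kubehome-cert"}},
            "status": {"conditions": [
                {"type": "Approved", "status": "True", "reason": "cert-manager.io"},
                {"type": "Ready", "status": "False", "reason": "Pending",
                 "message": "Waiting on certificate issuance from order default/kubehome-cert-dr28g-1: pending"},
            ]},
        },
    ],
}


def condition(obj, ctype):
    """Return the status condition of the given type, or None when absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return None


def triage(listing):
    """Map each Certificate name to its readiness and the requests blocking it."""
    items = listing.get("items", [])
    requests = [i for i in items if i.get("kind") == "CertificateRequest"]
    report = {}
    for cert in (i for i in items if i.get("kind") == "Certificate"):
        name = cert["metadata"]["name"]
        ready = condition(cert, "Ready") or {}
        entry = {"ready": ready.get("status") == "True",
                 "reason": ready.get("reason"),
                 "blocking": []}
        if not entry["ready"]:
            for req in requests:
                ann = req["metadata"].get("annotations") or {}
                if ann.get("cert-manager.io/certificate-name") != name:
                    continue
                denied = condition(req, "Denied") or {}
                req_ready = condition(req, "Ready") or {}
                if denied.get("status") == "True":
                    verdict = "Denied: " + denied.get("message", "")
                elif req_ready.get("status") == "True":
                    continue  # this request already produced a certificate
                else:
                    # Pending means the ACME order/challenge has not completed yet
                    verdict = f"{req_ready.get('reason', 'Unknown')}: {req_ready.get('message', '')}"
                entry["blocking"].append((req["metadata"]["name"], verdict))
        report[name] = entry
    return report


def summarize(report):
    """Render the triage report as the lines an operator would read."""
    lines = []
    for name, entry in report.items():
        state = "READY" if entry["ready"] else f"NOT READY ({entry['reason']})"
        lines.append(f"{name}: {state}")
        for req_name, verdict in entry["blocking"]:
            lines.append(f"  request {req_name}: {verdict}")
    return lines


if __name__ == "__main__":
    # Use real kubectl JSON when it is piped in, otherwise the embedded sample.
    listing = SAMPLE_LISTING if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(summarize(triage(listing))))
```

Usage: `kubectl -n <namespace> get certificate,certificaterequest -o json | python3 triage.py`. When the blocking request reports Pending, the next resources to inspect are the orders and challenges created by the CRDs installed at the start.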
All resources in a namespace can be listed with the command below:
$ kubectl api-resources --verbs=list --namespaced -o name \
    | xargs -n 1 kubectl get --show-kind --ignore-not-found -n <namespace>
To remove cert-manager, uninstall the chart and then delete the separately installed CRDs:
$ helm uninstall cert-manager --namespace cert-manager
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml