Installing Cert-Manager

Installation

  • Depends on the Kubernetes version of the current cluster. For 1.16 or later, use the first command below.
# Kubernetes 1.16+
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml

# Kubernetes <1.16
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager-legacy.yaml

Verifying the installation

$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-64cdb5b965-bvtpr              1/1     Running   0          37h
cert-manager-cainjector-597859f766-dsxm7   1/1     Running   0          37h
cert-manager-webhook-7d749b578f-f6bxt      1/1     Running   0          37h

Creating the certificate Issuer

  • issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: address@yourdns.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - selector: {}
      http01:
        ingress:
          class: nginx

---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: address@yourdns.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

Applying the Issuer

$ kubectl apply -f issuer.yaml

Editing the Ingress deployment file.

  • Edit http-go.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-go
spec:
  replicas: 5
  selector:
    matchLabels:
      app: http-go
  template:
    metadata:
      labels:
        app: http-go
    spec:
      containers:
      - image: ryuhon/http-go
        name: http-go
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: http-go
spec:
  ports:
    - protocol: TCP
      port: 80
  selector:
    app: http-go

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: http-go-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - http-go.yourdns.com
    secretName: http-go-devbox-kr-cert
  rules:
  - host: http-go.yourdns.com
    http:
      paths:
      - backend:
          serviceName: http-go
          servicePort: 80

Checking the Ingress

$ kubectl describe ingress http-go-ingress

Checking the certificate

$ kubectl get certificate
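The two checks above (that the applied ClusterIssuers are usable, and that the Certificate behind the Ingress was actually issued) both come down to reading the Ready condition cert-manager writes into each object's status. The following Python script is an added example, not code from the original notes: it reads those objects with `kubectl get ... -o json`, reports the Ready condition, flags a certificate that came from the staging ACME server (those are not browser-trusted), and warns when a certificate is close to its notAfter date. The resource names are the ones used on this page; the SAMPLE_* objects are constructed to mirror the shape of cert-manager's status fields and are not captured cluster output.

```python
"""Readiness checks for the cert-manager objects created on this page.

Added example, not part of the original notes. It reads the objects that
`kubectl apply -f issuer.yaml` and `kubectl get certificate` refer to, via
`-o json`, and checks the Ready condition, the ACME server (staging vs prod)
and the remaining lifetime. The SAMPLE_* objects are constructed to mirror
the shape cert-manager writes into `status`; they are not captured output.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"


def ready_condition(obj):
    """Return (status, reason, message) of the Ready condition, or None if absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status"), cond.get("reason", ""), cond.get("message", "")
    return None


def check_cluster_issuer(issuer):
    """A ClusterIssuer is usable once Ready is True; staging issuers are flagged."""
    name = issuer["metadata"]["name"]
    cond = ready_condition(issuer)
    if cond is None or cond[0] != "True":
        why = cond[2] if cond else "no status reported yet"
        return False, f"ClusterIssuer {name} not Ready: {why}"
    server = issuer.get("spec", {}).get("acme", {}).get("server", "")
    if server == STAGING_ACME:
        return True, f"ClusterIssuer {name} Ready (staging: issued certs are not browser-trusted)"
    return True, f"ClusterIssuer {name} Ready"


def check_certificate(cert, now=None, warn_days=14):
    """A Certificate is good when Ready and not within warn_days of notAfter."""
    name = cert["metadata"]["name"]
    now = now or datetime.now(timezone.utc)
    cond = ready_condition(cert)
    if cond is None or cond[0] != "True":
        why = cond[2] if cond else "no status reported yet"
        return False, f"Certificate {name} not Ready: {why}"
    # cert-manager writes RFC 3339 timestamps with a trailing Z.
    not_after = datetime.fromisoformat(cert["status"]["notAfter"].replace("Z", "+00:00"))
    remaining = not_after - now
    if remaining <= timedelta(0):
        return False, f"Certificate {name} expired at {not_after.isoformat()}"
    if remaining < timedelta(days=warn_days):
        return True, f"Certificate {name} Ready but expires in {remaining.days} days"
    return True, f"Certificate {name} Ready, {remaining.days} days left"


def kubectl_items(*args):
    """Run `kubectl get ... -o json` and return the item list (needs a live cluster)."""
    out = subprocess.check_output(["kubectl", "get", *args, "-o", "json"])
    return json.loads(out).get("items", [])


# Constructed samples in the shape of `kubectl get clusterissuer/certificate -o json`.
SAMPLE_NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_ISSUER = {
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {"acme": {"server": STAGING_ACME}},
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "ACMEAccountRegistered"}]},
}
SAMPLE_CERT_OK = {
    "metadata": {"name": "http-go-devbox-kr-cert"},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
        "notAfter": "2021-05-30T00:00:00Z",
    },
}
SAMPLE_CERT_PENDING = {
    "metadata": {"name": "http-go-devbox-kr-cert"},
    "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                               "message": "HTTP-01 challenge not yet solved (constructed)"}]},
}

if __name__ == "__main__":
    # Against a live cluster: report every ClusterIssuer and every Certificate.
    for issuer in kubectl_items("clusterissuer"):
        print(check_cluster_issuer(issuer)[1])
    for cert in kubectl_items("certificate", "--all-namespaces"):
        print(check_certificate(cert)[1])
```

Run it with a kubeconfig pointing at the cluster after `kubectl apply -f issuer.yaml` and the Ingress deploy; a Certificate that stays not Ready with an HTTP-01 message usually means the `http-go.yourdns.com` record does not yet resolve to the nginx ingress, since the ACME server must reach `/.well-known/acme-challenge/` over plain HTTP on port 80.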