kubernetes cert-manager

Automating Certificate Management in a Kubernetes Environment

letsencrypt.homlish.net. IN A 10.11.168.4
cafe.homlish.net. IN A 10.11.168.5
cert-manager.homlish.net. IN A 10.11.168.253

helm install nginx-kic nginx-stable/nginx-ingress --namespace nginx-ingress --set controller.enableCustomResources=true --create-namespace --set controller.enableCertManager=true

helm install nginx-kic nginx-stable/nginx-ingress --namespace nginx-ingress --set controller.enableCustomResources=true --set controller.service.loadBalancerIP='10.11.168.4' --create-namespace --set controller.enableCertManager=true

helm install -f values.yaml --namespace nginx-ingress nginx-kic nginx-stable/nginx-ingress --create-namespace

helm repo add jetstack https://charts.jetstack.io
helm repo update

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.crds.yaml
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.10.1

change the firewall's port-80 forward (currently to nginx) so it reaches cert-manager

curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
wget https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz

root@fw:~# iptables -L -n -t nat --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 71.162.237.5 tcp dpt:80 to:10.11.1.200:80

# delete rule number 1 from the nat table's PREROUTING chain (the DNAT listed above)
iptables -t nat -D PREROUTING 1

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.1.200:80

#!/bin/sh

# www http port 80 for certbot (apache host)
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.1.200:80

# attempt: forward port 80 to the kubernetes ingress instead
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.168.4:80

FAIL

Since Apache already handles Let's Encrypt verification on port 80 of our single internet IP, we would need another internet IP for Kubernetes to validate as well.
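The port-80 forward is the crux of the failure above: an HTTP-01 challenge can only be answered by whichever host the firewall currently DNATs port 80 to. As an added example (not from the original notes), the script below switches that forward between the Apache host and the Kubernetes ingress IP, deleting the old rule by its full spec rather than by rule number. The `IPTABLES` and `WAN_IP` variables are hypothetical overrides so the functions can be exercised without a real firewall; otherwise it uses `nvram get wan_ipaddr` as the notes do.

```shell
#!/bin/sh
# Added example, not from the original notes: switch the firewall's port-80 DNAT
# between the Apache host (10.11.1.200) and the Kubernetes ingress IP (10.11.168.4),
# so whichever side is running an ACME HTTP-01 challenge is the one reachable on port 80.
# Assumptions: a router with `nvram get wan_ipaddr`; IPTABLES and WAN_IP are
# hypothetical overrides used to exercise the functions without touching a firewall.
set -eu

APACHE_HOST="10.11.1.200"
INGRESS_HOST="10.11.168.4"

# WAN address: explicit WAN_IP if set, otherwise ask nvram (as the original notes do).
wan_ip() {
    if [ -n "${WAN_IP:-}" ]; then
        printf '%s\n' "$WAN_IP"
    else
        nvram get wan_ipaddr
    fi
}

# Rule spec (everything after the chain name) for DNAT of port 80 to backend $1.
dnat_rule_spec() {
    printf '%s\n' "-p tcp -d $(wan_ip) --dport 80 -j DNAT --to-destination $1:80"
}

# Remove any existing port-80 DNAT rule for either backend, then insert the wanted one.
# Deleting by full rule spec (-D with the rule) instead of by number avoids the trap in
# the notes above: rule numbers shift as soon as one rule is removed.
switch_port80_dnat() {
    target="$1"
    ipt="${IPTABLES:-iptables}"
    for old in "$APACHE_HOST" "$INGRESS_HOST"; do
        # -C checks whether the rule exists; loop in case the rule was inserted twice.
        # shellcheck disable=SC2046
        while $ipt -t nat -C PREROUTING $(dnat_rule_spec "$old") 2>/dev/null; do
            $ipt -t nat -D PREROUTING $(dnat_rule_spec "$old")
        done
    done
    # shellcheck disable=SC2046
    $ipt -t nat -I PREROUTING $(dnat_rule_spec "$target")
}

case "${1:-}" in
    apache)     switch_port80_dnat "$APACHE_HOST" ;;
    kubernetes) switch_port80_dnat "$INGRESS_HOST" ;;
    "")         ;;   # no argument: only define the functions (e.g. when sourced)
    *)          echo "usage: $0 apache|kubernetes" >&2; exit 2 ;;
esac
```

Run it as `./port80.sh kubernetes` just before cert-manager's challenge and `./port80.sh apache` before certbot's next renewal; `iptables -L -n -t nat --line-numbers` afterwards should show exactly one port-80 DNAT rule.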

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml

phomlish@a6:~/kubernetes/cert-manager$ pwd
/home/phomlish/kubernetes/cert-manager
wget https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/kubectl-cert_manager-linux-amd64.tar.gz
tar xzf kubectl-cert_manager-linux-amd64.tar.gz
phomlish@a6:~/kubernetes/cert-manager$ ./kubectl-cert_manager

# verify
k apply -f test-resources.yaml
kubectl apply -f test-resources.yaml
kubectl delete -f test-resources.yaml

old try
https://cert-manager.io/docs/installation/kubernetes/
https://github.com/jetstack/cert-manager
https://groups.google.com/g/cert-manager-dev
https://app.slack.com/

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.crds.yaml

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

Let's do one.
set up DNS for weather.homlish.net:
weather.homlish.net. IN A 10.11.168.3

add to nginx on the firewall

How do we set the external IP address for cert-manager?

Now we're off the reservation!
Let's try to reuse our existing Let's Encrypt account.
In my Slack conversation the guy said "don't worry about it".
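To make the "let's do one" step and the account question concrete, here is an added example (not from the original notes) that renders a ClusterIssuer for Let's Encrypt with an HTTP-01 solver through the NGINX ingress class, plus an Ingress for weather.homlish.net whose TLS secret cert-manager fills in. The backend Service name `weather` and the contact e-mail are placeholders. The `disableAccountKeyGeneration` field mentioned in the comment is cert-manager's documented way to reuse an ACME account key that was registered elsewhere; without it, cert-manager registers a new account on first use, which is what "don't worry about it" amounts to.

```shell
#!/bin/sh
# Added example, not from the original notes: render and apply a cert-manager ClusterIssuer
# plus one Ingress whose certificate cert-manager obtains via an HTTP-01 challenge through
# the NGINX ingress controller (chart installed with controller.enableCertManager=true,
# ingress class "nginx"). Assumptions: the backend Service "weather" and the contact
# e-mail are placeholders; the caller chooses staging or production.
set -eu

LE_STAGING="https://acme-staging-v02.api.letsencrypt.org/directory"
LE_PROD="https://acme-v02.api.letsencrypt.org/directory"

# ClusterIssuer: $1 = name, $2 = ACME directory URL, $3 = contact e-mail.
render_issuer() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  acme:
    server: $2
    email: $3
    # Account private key; for a ClusterIssuer this Secret lives in the cert-manager namespace.
    # To reuse an ACME account registered elsewhere, create this Secret from that key
    # beforehand and add "disableAccountKeyGeneration: true" here; otherwise cert-manager
    # registers a new account on first use.
    privateKeySecretRef:
      name: $1-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

# Ingress: $1 = name, $2 = ClusterIssuer name, $3 = hostname, $4 = backend Service name.
# The cert-manager.io/cluster-issuer annotation makes cert-manager create a Certificate
# named after spec.tls[].secretName and store the issued cert in that Secret.
render_ingress() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $1
  annotations:
    cert-manager.io/cluster-issuer: $2
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - $3
    secretName: $1-tls
  rules:
  - host: $3
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $4
            port:
              number: 80
EOF
}

# Apply everything and show the resulting Certificate. Default to LE_STAGING so the
# production rate limits are not consumed while the port-80 forwarding is still being debugged.
apply_weather() {
    server="${1:-$LE_STAGING}"
    {
        render_issuer letsencrypt "$server" admin@example.com   # placeholder e-mail
        echo "---"
        render_ingress weather letsencrypt weather.homlish.net weather
    } | kubectl apply -f -
    kubectl get certificate weather-tls -o wide
    # If it stays not Ready, the challenge must be reachable from the internet on port 80:
    # kubectl describe challenge -A
}

if [ "${1:-}" = "apply" ]; then
    apply_weather "${2:-}"
fi
```

`./weather-cert.sh apply` uses the staging directory; `./weather-cert.sh apply "$LE_PROD"` switches to production once `kubectl get certificate weather-tls` reports Ready.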
