https://www.nginx.com/blog/automating-certificate-management-in-a-kubernetes-environment/
letsencrypt.homlish.net. IN A 10.11.168.4
cafe.homlish.net. IN A 10.11.168.5
cert-manager.homlish.net. IN A 10.11.168.253
helm install nginx-kic nginx-stable/nginx-ingress --namespace nginx-ingress --set controller.enableCustomResources=true --create-namespace --set controller.enableCertManager=true
helm install nginx-kic nginx-stable/nginx-ingress --namespace nginx-ingress --set controller.enableCustomResources=true --set controller.service.loadBalancerIP='10.11.168.4' --create-namespace --set controller.enableCertManager=true
helm install -f values.yaml --namespace nginx-ingress nginx-kic nginx-stable/nginx-ingress --create-namespace
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.10.1
change fw nginx to forward to cert-manager
curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
wget https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
root@fw:~# iptables -L -n -t nat --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 71.162.237.5 tcp dpt:80 to:10.11.1.200:80
iptables -t nat -D PREROUTING 1
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.1.200:80
#!/bin/sh
# www http port 80 for certbot (Apache host)
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.1.200:80
# second DNAT for the same port, to the NGINX KIC load balancer IP (inserted first, so it wins)
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.168.4:80
FAIL
Since we use Apache for Let's Encrypt verification, we would need another internet IP to also have Kubernetes validate.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml
phomlish@a6:~/kubernetes/cert-manager$ pwd
/home/phomlish/kubernetes/cert-manager
wget https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/kubectl-cert_manager-linux-amd64.tar.gz
tar xzf kubectl-cert_manager-linux-amd64.tar.gz
phomlish@a6:~/kubernetes/cert-manager$ ./kubectl-cert_manager
# verify
kubectl apply -f test-resources.yaml
kubectl delete -f test-resources.yaml
old try
https://cert-manager.io/docs/installation/kubernetes/
https://github.com/jetstack/cert-manager
https://groups.google.com/g/cert-manager-dev
https://app.slack.com/
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.crds.yaml
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
let’s do one.
setup dns for weather.homlish.net
weather.homlish.net. IN A 10.11.168.3
add to nginx on the firewall
how do we set the external IP address for cert-manager?
Now we’re off the reservation!
Let’s try to reuse our existing Lets Encrypt account
In my Slack conversation the guy said "don't worry about it".
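Worked example of the pieces these notes are heading toward, added here (not from the original notes or from the NGINX blog linked at the top): a Let's Encrypt ClusterIssuer using the HTTP-01 solver through the NGINX Ingress Controller installed above, plus a VirtualServer for weather.homlish.net that asks cert-manager for its certificate (controller.enableCertManager=true is what enables the tls.cert-manager field). The e-mail address, the "weather" Service and its port, and the Secret names are assumptions. Two caveats a first run needs: start against the staging endpoint, because the production endpoint rate-limits failed attempts, and HTTP-01 only succeeds if port 80 on the public IP reaches the ingress controller at 10.11.168.4, which on this firewall currently goes to the Apache host; if port 80 cannot be moved, the DNS-01 solver needs no inbound port at all. To reuse the existing Let's Encrypt account instead of registering a new one, pre-create the privateKeySecretRef Secret with that account's private key and set spec.acme.disableAccountKeyGeneration: true on the issuer.

```yaml
# Added example (not from the original notes). Assumed: the e-mail address,
# the "weather" Service and its port, and the Secret names.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging first: generous rate limits. Switch to
    # https://acme-v02.api.letsencrypt.org/directory once a cert issues.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@homlish.net                 # assumption
    privateKeySecretRef:
      name: letsencrypt-staging-account-key  # ACME account key; cert-manager creates it
    solvers:
    - http01:
        ingress:
          class: nginx   # challenge Ingress is served by the NGINX KIC installed above
---
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: weather
  namespace: default
spec:
  host: weather.homlish.net
  tls:
    secret: weather-tls              # cert-manager writes the issued certificate here
    cert-manager:
      cluster-issuer: letsencrypt-staging
  upstreams:
  - name: weather
    service: weather                 # assumption: an existing Service named "weather"
    port: 80
  routes:
  - path: /
    action:
      pass: weather
```

Apply with kubectl apply -f, then watch kubectl get certificate,order,challenge -A. A Challenge that stays pending means the ACME server could not fetch /.well-known/acme-challenge/ on port 80 of the public IP, which is exactly the DNAT conflict noted above; kubectl cert-manager status certificate <name> (the plugin downloaded earlier) shows the same chain with the solver's last error.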