
Completed review comments Minor abbreviation fix Moved topics into its own VNF Integration section Fixed abbreviations Re-organized Kubernetes topics Change-Id: I8940d3572b789990d3b5f2d201f8ec8a46ce2943 Signed-off-by: Keane Lim <keane.lim@windriver.com>
118 lines
3.2 KiB
ReStructuredText
.. nst1588348086813
.. _letsencrypt-example:

===================
LetsEncrypt Example
===================

The LetsEncrypt example illustrates cert-manager usage.

.. rubric:: |prereq|

This example requires that:

.. _letsencrypt-example-ul-h3j-f2w-nlb:

-   the LetsEncrypt CA in the public internet can send an http01 challenge to
    the FQDN of your |prod|'s floating OAM IP Address.

-   your |prod| has access to the kuard demo application at
    gcr.io/kuar-demo/kuard-amd64:blue

.. rubric:: |proc|

#.  Create a LetsEncrypt Issuer in the default namespace by applying the
    following manifest file.

    .. code-block:: none

        apiVersion: cert-manager.io/v1alpha2
        kind: Issuer
        metadata:
          name: letsencrypt-prod
        spec:
          acme:
            # The ACME server URL
            server: https://acme-v02.api.letsencrypt.org/directory
            # Email address used for ACME registration
            email: dave.user@hotmail.com
            # Name of a secret used to store the ACME account private key
            privateKeySecretRef:
              name: letsencrypt-prod
            # Enable the HTTP-01 challenge provider
            solvers:
            - http01:
                ingress:
                  class: nginx

#.  Create a deployment of the kuard demo application
    \(`https://github.com/kubernetes-up-and-running/kuard
    <https://github.com/kubernetes-up-and-running/kuard>`__\) with an ingress
    using cert-manager by applying the following manifest file:

    Substitute values in the example as required for your environment.

    .. parsed-literal::

        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: kuard
        spec:
          replicas: 1
          selector:
            matchLabels:
              app: kuard
          template:
            metadata:
              labels:
                app: kuard
            spec:
              containers:
              - name: kuard
                image: gcr.io/kuar-demo/kuard-amd64:blue
                imagePullPolicy: Always
                ports:
                - containerPort: 8080
                  protocol: TCP
        ---
        apiVersion: v1
        kind: Service
        metadata:
          name: kuard
          labels:
            app: kuard
        spec:
          ports:
          - port: 80
            targetPort: 8080
            protocol: TCP
          selector:
            app: kuard
        ---
        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          annotations:
            kubernetes.io/ingress.class: nginx
            cert-manager.io/issuer: "letsencrypt-prod"
          name: kuard
        spec:
          tls:
          - hosts:
            - kuard.my-fqdn-for-|prefix|.company.com
            secretName: kuard-ingress-tls
          rules:
          - host: kuard.my-fqdn-for-|prefix|.company.com
            http:
              paths:
              - backend:
                  serviceName: kuard
                  servicePort: 80
                path: /

#.  Access the kuard demo from your browser to inspect and verify that the
    certificate is signed by LetsEncrypt CA. For this example, the URL
    would be https://kuard.my-fqdn-for-|prefix|.company.com.
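
The browser check in the last step can also be scripted. The script below is an added example, not part of the original procedure: it assumes ``openssl`` is installed, and its function names and sample issuer lines are constructed for illustration. It separates a validated LetsEncrypt certificate from the self-signed default certificate that ingress-nginx serves when the TLS secret has not been populated yet.

```shell
#!/bin/sh
# Added example, not part of the original procedure.

# Constructed samples in the format printed by `openssl x509 -noout -issuer`.
SAMPLE_LE="issuer=C = US, O = Let's Encrypt, CN = R3"
SAMPLE_DEFAULT="issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate"

# classify_issuer LINE: prints letsencrypt, ingress-default or other.
classify_issuer() {
    case "$1" in
        # Self-signed placeholder that ingress-nginx serves while the TLS
        # secret is missing, e.g. before the http01 challenge has completed.
        *"Kubernetes Ingress Controller Fake Certificate"*) echo ingress-default ;;
        # Spacing around "=" differs between OpenSSL releases.
        *"O = Let's Encrypt"* | *"O=Let's Encrypt"*) echo letsencrypt ;;
        *) echo other ;;
    esac
}

# chain_verified S_CLIENT_OUTPUT: succeeds only if openssl validated the chain
# (and, with -verify_hostname, the name). An issuer string alone proves
# nothing, because a self-signed certificate can carry any issuer text.
chain_verified() {
    case "$1" in
        *"Verify return code: 0 (ok)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ingress_cert HOST: returns 0 only for a validated Let's Encrypt cert.
check_ingress_cert() {
    host=$1
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
            -verify_hostname "$host" </dev/null 2>/dev/null)
    issuer=$(printf '%s\n' "$out" | openssl x509 -noout -issuer 2>/dev/null)
    kind=$(classify_issuer "$issuer")
    echo "$host: issuer class=$kind ${issuer:-no certificate received}"
    [ "$kind" = letsencrypt ] && chain_verified "$out"
}

# Usage: sh check_cert.sh <FQDN used in the Ingress manifest>
if [ "$#" -gt 0 ]; then
    check_ingress_cert "$1"
fi
```

A result of ``ingress-default`` means the ingress is reachable but cert-manager has not stored a certificate in ``kuard-ingress-tls`` yet.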