cert-manager-kind.sh
####################################
# cert-manager/kind/letsencrypt demo
####################################
# cloudshell
# - Navigate to: https://us-west-2.console.aws.amazon.com/cloudshell
# - create an SSM-enabled EC2 instance with ports 80/443 open to the internet
#   (Let's Encrypt's HTTP-01 validation must reach port 80 on this host; 443 is for the final https test)
# Deploy the jumpbox stack. CAPABILITY_IAM acknowledges that the template may
# create IAM resources (SSM needs an instance role); the template is fetched
# from a personal S3 bucket, so read it before granting that capability.
aws cloudformation create-stack \
  --capabilities CAPABILITY_IAM \
  --stack-name cert-manager-k8s \
  --template-url https://amcginla-public.s3.amazonaws.com/cfn/cfn-ssm-jumpbox.yaml
# open an SSM session to install tools
# switch to superuser
# NOTE(review): everything from here on runs as root (docker, the kind cluster and the
# kubeconfig all end up under /root). Fine for a throwaway demo box, not a pattern to
# carry into anything longer-lived.
sudo su -
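# set variables (expanded into the ClusterIssuer, Certificate and Ingress manifests below)
registered_domain=mcginlay.net
email=amcginlay@gmail.com
# get public IP and use it to update naked DNS A record in registered domain
# Let's Encrypt will validate by fetching http://<registered_domain>/.well-known/acme-challenge/... on this IP.
# Fetched over https (the original used plain http, which could be altered in transit);
# -f: don't keep an HTTP error page as the "address", -m: don't hang the runbook if the service is down.
public_ip=$(curl -fsS -m 5 https://ifconfig.co)
echo "public IP: ${public_ip}" # <--- action required here, update DNS!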
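# install docker
# -y on both commands: the original 'yum update' had no -y and stalls the runbook on a prompt
yum update -y && yum install docker -y
# start docker engine now and on every boot, then check it's running
systemctl enable --now docker.service
docker version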
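# install kubectl
# Resolve "stable" once so the binary and the checksum are guaranteed to describe the same
# release (the original queried stable.txt twice, once per download). -f makes curl fail on
# an HTTP error instead of saving an error page under the binary's name.
kubectl_version=$(curl -fsSL https://dl.k8s.io/release/stable.txt)
curl -fLO "https://dl.k8s.io/release/${kubectl_version}/bin/linux/amd64/kubectl"        # download tool
curl -fLO "https://dl.k8s.io/release/${kubectl_version}/bin/linux/amd64/kubectl.sha256" # download checksum
# Install only if the checksum matches. This proves the download was not corrupted or
# swapped in transit; it is not a signature check — both files come from the same host.
echo "$(<kubectl.sha256) kubectl" | sha256sum --check \
  && sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl # install CLI
rm -f kubectl kubectl.sha256 # dispose of installation files (explicit names: 'kubectl*' would also eat unrelated files)
kubectl version --client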
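# install kind
# Pinned version, and the release checksum is verified before the binary is installed —
# the original trusted whatever came back from the URL, while kubectl above is verified.
# kind.sigs.k8s.io/dl/ redirects to the GitHub release assets, which include a
# "<sha256>  kind-linux-amd64" file in sha256sum format.
kind_version=v0.11.1
curl -fLo ./kind-linux-amd64 "https://kind.sigs.k8s.io/dl/${kind_version}/kind-linux-amd64"
curl -fLo ./kind-linux-amd64.sha256sum "https://kind.sigs.k8s.io/dl/${kind_version}/kind-linux-amd64.sha256sum"
sha256sum --check kind-linux-amd64.sha256sum \
  && sudo install -o root -g root -m 0755 kind-linux-amd64 /usr/local/bin/kind # install only if the checksum matches
rm -f kind-linux-amd64 kind-linux-amd64.sha256sum
kind version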
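# create cluster and associated kubeconfig file (written to ~/.kube/config of the current user — root here)
# The node image is pinned by tag only. kind's release notes publish a sha256 digest for each
# node image; appending @sha256:... to the reference pins by content instead of by mutable tag.
kind create cluster --image kindest/node:v1.21.1
# Block until the node is Ready instead of eyeballing 'watch' (~30 secs); a stuck node now
# surfaces as a non-zero exit after the timeout rather than a screen that never changes.
kubectl wait --for=condition=Ready node --all --timeout=180s
kubectl get nodes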
# build example app: a one-line PHP page that prints $GREETING followed by the pod's hostname
# The heredoc delimiters are quoted so nothing inside is subject to shell expansion;
# the file contents are identical to the unquoted form since they contain no $ or backticks.
cat > ./index.php <<'EOF'
<?php
echo getenv("GREETING") . " " . gethostname() . "\n";
?>
EOF
# NOTE(review): php:8.0.1 is a pinned tag from early 2021 and will be well behind on fixes;
# for anything beyond a demo pick a current patch release and pin it by digest.
cat > ./Dockerfile <<'EOF'
FROM php:8.0.1-apache
COPY index.php /var/www/html/
ENV GREETING="Hello from"
RUN chmod a+rx index.php
EOF
docker build --tag demo:1.0.0 .
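# deploy example app
# Load the locally built image into the kind node (there is no registry). The tag is not
# ':latest', so the default imagePullPolicy IfNotPresent uses the loaded copy.
kind load docker-image demo:1.0.0
# create the dev namespace, the Deployment and a ClusterIP Service in front of it.
# Fix: the Deployment and Service now carry 'namespace: dev'. As originally written they were
# applied without a namespace and landed in 'default', while the Certificate and Ingress below
# are applied with '-n dev' — an Ingress can only route to a Service in its own namespace, so
# the backend 'demo-svc' would never resolve.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: demo
  name: demo
  namespace: dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo
        image: demo:1.0.0
---
apiVersion: v1
kind: Service
metadata:
  name: demo-svc
  namespace: dev
spec:
  type: ClusterIP
  selector:
    app: demo
  ports:
  - port: 80
EOF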
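# deploy cert-manager from the pinned release manifest (it ships its own Namespace, CRDs,
# RBAC and three Deployments; creating the namespace first is harmless, apply just warns)
kubectl create ns cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.yaml
# Wait for the rollout before creating any cert-manager resource: a ClusterIssuer applied while
# the webhook is still starting is rejected by the admission webhook with a connection error.
kubectl -n cert-manager rollout status deploy/cert-manager --timeout=180s
kubectl -n cert-manager rollout status deploy/cert-manager-cainjector --timeout=180s
kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=180s
# deploy cert-manager via cmctl (alternative path, left disabled)
# TODO why does this installation fail to resolve the secret names -> causing routing failures?
# NOTE(review): if this path is revived, verify cmctl.tar.gz against the checksums published
# with the release before extracting it, as is done for kubectl and kind above.
# curl -sSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cmctl-linux-amd64.tar.gz
# tar xzf cmctl.tar.gz
# sudo mv cmctl /usr/local/bin
# cmctl x install # use --dry-run to see manifests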
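# install helm
# The original piped an unpinned script from the helm 'master' branch straight into bash.
# Fetch a pinned release tarball and verify it against the published checksum instead, the
# same way kubectl and kind are handled above (the .sha256 file holds the bare hex digest).
helm_version=v3.8.1
helm_tarball="helm-${helm_version}-linux-amd64.tar.gz"
curl -fsSLO "https://get.helm.sh/${helm_tarball}"
curl -fsSLO "https://get.helm.sh/${helm_tarball}.sha256"
echo "$(awk '{print $1}' "${helm_tarball}.sha256") ${helm_tarball}" | sha256sum --check \
  && tar xzf "${helm_tarball}" \
  && sudo install -o root -g root -m 0755 linux-amd64/helm /usr/local/bin/helm # install only if the checksum matches
rm -rf "${helm_tarball}" "${helm_tarball}.sha256" linux-amd64
helm version
# deploy nginx ingress controller (via helm)
# nginx-stable is NGINX Inc's controller, not kubernetes/ingress-nginx. The chart is pinned so
# the demo is reproducible; chart 0.12.1 is believed to carry controller 2.1.1 (the version the
# original's comment asked about) — confirm with: helm search repo nginx-stable/nginx-ingress --versions
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
nginx_chart_version=0.12.1
helm -n nginx-ingress install nginx-ingress nginx-stable/nginx-ingress --create-namespace --version "${nginx_chart_version}"
kubectl -n nginx-ingress get po,svc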
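# deploy letsencrypt issuer
# Defaults to the production ACME endpoint, as the original did. Production has strict rate
# limits (https://letsencrypt.org/docs/rate-limits/) and every failed attempt counts against
# them, so iterate against staging first by setting this before running the step:
#   acme_server=https://acme-staging-v02.api.letsencrypt.org/directory
acme_server=${acme_server:-https://acme-v02.api.letsencrypt.org/directory}
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    server: ${acme_server}
    email: ${email}   # set in the variables step; receives expiry and ToS notices
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key   # ACME account key; cert-manager stores it in its cluster-resource namespace (cert-manager by default)
    solvers:
    - http01:
        ingress:
          class: nginx   # challenge Ingress is created for the nginx controller, so port 80 must be reachable through it
EOF
# inspect letsencrypt issuer (READY=True means the ACME account was registered)
kubectl describe clusterissuer letsencrypt-cluster-issuer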
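# deploy certificate into the dev namespace — the TLS Secret it produces must live in the
# same namespace as the Ingress that references it
cat <<EOF | kubectl -n dev apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-crt
spec:
  secretName: demo-crt-secret   # cert-manager writes tls.crt/tls.key here
  dnsNames:
  - ${registered_domain}
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-cluster-issuer
EOF
# inspect certificate: READY=True once the HTTP-01 challenge has passed;
# 'kubectl -n dev get challenges' shows why when it has not (DNS not updated, port 80 unreachable, ...)
kubectl -n dev describe certificate demo-crt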
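# deploy ingress route (which causes nginx to be reconfigured)
# kubernetes.io/ingress.class is the deprecated annotation form (spec.ingressClassName is the
# replacement); it is kept because the cert-manager solver's 'class: nginx' creates its challenge
# Ingress the same way, so both are selected by the controller consistently.
cat <<EOF | kubectl -n dev apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: demo-ingress
spec:
  tls:
  - hosts:
    - ${registered_domain}
    secretName: demo-crt-secret   # produced by the Certificate in this namespace
  rules:
  - host: ${registered_domain}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demo-svc   # must exist in this namespace (dev): an Ingress cannot target a Service elsewhere
            port:
              number: 80
EOF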
# in separate terminal window
sudo su -
# Publish the controller on the jumpbox's own interfaces. --address 0.0.0.0 binds every interface,
# which is required here: Let's Encrypt must reach http://<registered_domain>/.well-known/acme-challenge/
# on port 80, and the stack opened 80/443 to the internet for exactly that. Binding 80/443 is
# presumably why this runs as root. port-forward is a demo convenience (one process, no restart
# on failure), not a way to serve traffic.
kubectl -n nginx-ingress --address 0.0.0.0 port-forward svc/nginx-ingress-nginx-ingress 80 443
# wait 30 seconds then test hit https://<registered_domain>/