cert-manager-kind.sh
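####################################
# cert-manager/kind/letsencrypt demo
####################################
# Interactive walkthrough: run these steps one at a time in a shell session.
# Several steps pause for manual action (DNS update) or for cluster state
# (node Ready), so this is not meant to be executed as a single script.
# cloudshell
# - Navigate to: https://us-west-2.console.aws.amazon.com/cloudshell
# - create SSM-enabled EC2 instance with ports 80/443 open
#   (80/443 must be reachable from the internet for the HTTP-01 challenge used later)
aws cloudformation create-stack \
  --stack-name cert-manager-k8s \
  --template-url https://amcginla-public.s3.amazonaws.com/cfn/cfn-ssm-jumpbox.yaml \
  --capabilities CAPABILITY_IAM
# open an SSM session to install tools
# switch to superuser
sudo su -
# set variables (expanded into the manifests further down)
registered_domain=mcginlay.net
email=amcginlay@gmail.com
# get public IP and use it to update naked DNS A record in registered domain
# https rather than http so the answer that drives the DNS change is not fetched in the clear
curl -fsS https://ifconfig.co # <--- action required here, update DNS!
# install docker (-y on both steps so the session does not block on a prompt)
yum update -y && yum install -y docker
# start docker engine and check it's running
systemctl enable docker.service
systemctl start docker.service
docker version
# install kubectl
# resolve the stable version once so the binary and its checksum refer to the same release;
# -f makes curl fail on HTTP errors instead of saving an error page under the binary's name
kubectl_version=$(curl -fsSL https://dl.k8s.io/release/stable.txt)
curl -fsSLO "https://dl.k8s.io/release/${kubectl_version}/bin/linux/amd64/kubectl" # download tool
curl -fsSLO "https://dl.k8s.io/${kubectl_version}/bin/linux/amd64/kubectl.sha256" # download checksum
# confirm checksum, and only install when it verifies (no set -e in this session,
# so the dependency is made explicit with &&). Two spaces: the "<hash>  <file>"
# line format that sha256sum --check expects.
echo "$(<kubectl.sha256)  kubectl" | sha256sum --check \
  && sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl # install CLI
rm -f kubectl* # dispose of installation files
kubectl version --client
# install kind
# NOTE(review): unlike kubectl above, this binary is not checksum-verified here;
# verify it against the published checksum before reusing these steps outside a demo
curl -fsSLo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
# create cluster and associated kubeconfig file
kind create cluster --image kindest/node:v1.21.1
# check connectivity and wait for STATUS Ready (~30 secs)
watch kubectl get nodes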
# build example app
# quoted delimiters: the heredoc bodies contain no shell expansions and are written literally
cat >./index.php <<'EOF'
<?php
echo getenv("GREETING") . " " . gethostname() . "\n";
?>
EOF
cat >./Dockerfile <<'EOF'
FROM php:8.0.1-apache
COPY index.php /var/www/html/
ENV GREETING="Hello from"
RUN chmod a+rx index.php
EOF
docker build -t demo:1.0.0 .
# deploy example app: copy the locally built image into the kind node so pods can pull it
kind load docker-image demo:1.0.0
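# create the dev namespace and deploy the example app (Deployment + Service) into it.
# Both workload objects name their namespace explicitly: this apply runs without -n,
# so without metadata.namespace they would land in the context's default namespace,
# while the Certificate and Ingress later in this walkthrough are applied with
# -n dev and reference demo-svc there.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: demo
  name: demo
  namespace: dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo
        image: demo:1.0.0
---
apiVersion: v1
kind: Service
metadata:
  name: demo-svc
  namespace: dev
spec:
  type: ClusterIP
  selector:
    app: demo
  ports:
  - port: 80
EOF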
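# deploy cert-manager
kubectl create ns cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.yaml
# deploy cert-manager via cmctl
# TODO why does this installation fail to resolve the secret names -> causing routing failures?
# curl -sSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cmctl-linux-amd64.tar.gz
# tar xzf cmctl.tar.gz
# sudo mv cmctl /usr/local/bin
# cmctl x install # use --dry-run to see manifests
# deploy nginx ingress controller (via helm)
# save the installer to disk instead of piping an unpinned script from the master
# branch straight into a root shell; this leaves a copy to inspect before it runs
curl -fsSL -o get-helm-3 https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get-helm-3
./get-helm-3 && rm -f get-helm-3
helm repo add nginx-stable https://helm.nginx.com/stable
helm -n nginx-ingress install nginx-ingress nginx-stable/nginx-ingress --create-namespace # TODO: pin the chart with --version (author noted 2.1.1 but marked it ????)
kubectl -n nginx-ingress get po,svc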
# deploy letsencrypt issuer
# unquoted delimiter on purpose: ${email} is expanded into the manifest
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory # or https://acme-staging-v02.api.letsencrypt.org/directory (see https://letsencrypt.org/docs/rate-limits/)
    email: ${email}
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
# inspect letsencrypt issuer (Ready condition shows whether ACME registration succeeded)
kubectl describe clusterissuer letsencrypt-cluster-issuer
# deploy certificate into the dev namespace
# unquoted delimiter on purpose: ${registered_domain} is expanded into the manifest
kubectl -n dev apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-crt
spec:
  secretName: demo-crt-secret
  dnsNames:
  - ${registered_domain}
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-cluster-issuer
EOF
# inspect certificate (the Ingress below consumes demo-crt-secret once it is issued)
kubectl -n dev describe certificate demo-crt
# deploy ingress route (which causes nginx to be reconfigured)
# unquoted delimiter on purpose: ${registered_domain} is expanded into the manifest
kubectl -n dev apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: demo-ingress
spec:
  tls:
  - hosts:
    - ${registered_domain}
    secretName: demo-crt-secret
  rules:
  - host: ${registered_domain}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demo-svc
            port:
              number: 80
EOF
# in separate terminal window
sudo su -
# bind the controller's 80/443 on all host interfaces; presumably this is how the
# HTTP-01 challenge and browser traffic for the domain reach the cluster via the
# instance's public IP (ports opened at stack creation)
kubectl -n nginx-ingress --address 0.0.0.0 port-forward svc/nginx-ingress-nginx-ingress 80 443
# wait 30 seconds then test hit https://<registered_domain>/