Last active
July 11, 2023 08:16
Enable TLS with Let's Encrypt and the HAProxy Kubernetes Ingress Controller
$ helm repo add haproxytech https://haproxytech.github.io/helm-charts
$ helm repo update
$ helm install haproxy haproxytech/kubernetes-ingress
$ kubectl get service
NAME                         TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)                                     AGE
haproxy-kubernetes-ingress   NodePort   10.101.232.155   <none>        80:32371/TCP,443:30110/TCP,1024:32052/TCP   21h
$ helm install haproxy haproxytech/kubernetes-ingress \
  --set controller.service.nodePorts.http=30000 \
  --set controller.service.nodePorts.https=30001 \
  --set controller.service.nodePorts.stat=30002
$ helm install haproxy haproxytech/kubernetes-ingress \
  --set controller.kind=DaemonSet \
  --set controller.daemonset.useHostPort=true
$ helm install haproxy haproxytech/kubernetes-ingress \
  --set controller.service.type=LoadBalancer
$ kubectl get secret
NAME                                      TYPE                DATA   AGE
haproxy-kubernetes-ingress-default-cert   kubernetes.io/tls   2      2m22s
$ kubectl get secret haproxy-kubernetes-ingress-default-cert -o yaml
apiVersion: v1
data:
  tls.crt: ABCDEFG123456...
  tls.key: ABCDEFG123456...
# -addext needs OpenSSL 1.1.1+; a subjectAltName is required because modern clients ignore the CN
$ openssl req -x509 \
  -newkey rsa:2048 \
  -keyout test.local.key \
  -out test.local.crt \
  -days 365 \
  -nodes \
  -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=test.local" \
  -addext "subjectAltName=DNS:test.local"
$ kubectl create secret tls test-cert \
  --key="test.local.key" \
  --cert="test.local.crt"
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  # must be the namespace the controller was installed into
  # (default, not haproxy-controller, if helm install was run without --namespace)
  namespace: haproxy-controller
data:
  # <namespace>/<secret name> of the certificate HAProxy serves when no Ingress TLS entry matches
  ssl-certificate: "default/test-cert"
# CN and SAN must name the host the Ingress serves (api.test.local, not api.test.com)
$ openssl req -x509 \
  -newkey rsa:2048 \
  -keyout api.test.local.key \
  -out api.test.local.crt \
  -days 365 \
  -nodes \
  -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=api.test.local" \
  -addext "subjectAltName=DNS:api.test.local"
$ kubectl create secret tls api-test-cert \
  --key="api.test.local.key" \
  --cert="api.test.local.crt"
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; use v1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  namespace: default
spec:
  # the IngressClass the HAProxy Helm chart registers
  ingressClassName: haproxy
  rules:
  - host: api.test.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
  tls:
  - secretName: api-test-cert
    hosts:
    - api.test.local
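Before handing a self-signed pair to the controller it is worth proving three things: the private key matches the certificate, the certificate covers the hostname the Ingress rule serves (through a subjectAltName, which modern clients require, with the CN only as a fallback), and it is not about to expire. The same checks apply to whatever `kubectl get secret ... -o yaml` hands back later, including a cert-manager-issued certificate. The script below is an added example, not code from the gist or from the HAProxy project; it needs only the openssl CLI, and the hostnames, file names and Secret name are illustrative assumptions. It generates the certificate through a req config file rather than `-addext` so it also works on OpenSSL releases older than 1.1.1.

```shell
#!/bin/sh
# Added example, not from the gist: build a SAN-bearing self-signed cert and
# verify a key/cert pair (or a kubernetes.io/tls Secret manifest) before the
# ingress controller serves it. Hostnames and file names are illustrative.

# Create a private key and self-signed cert for host $1 -> key $2, cert $3.
# A req config file is used instead of -addext so OpenSSL < 1.1.1 works too.
gen_selfsigned() {
  host="$1"; key="$2"; crt="$3"
  cfg="$(mktemp)"
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = san\n' > "$cfg"
  printf '[dn]\nCN = %s\n[san]\nsubjectAltName = DNS:%s\n' "$host" "$host" >> "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$key" -out "$crt" -config "$cfg" >/dev/null 2>&1
  rc=$?
  rm -f "$cfg"
  return $rc
}

# The public key inside cert $2 must equal the one derived from private key $1.
check_key_matches() {
  [ "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$1" -pubout 2>/dev/null)" ]
}

# Cert $1 must cover hostname $2 (SAN dNSName; CN only when no SAN is present).
check_cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Fail if cert $1 is expired or expires within 7 days (604800 s).
check_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 604800 >/dev/null 2>&1
}

# Run all checks on key $1, cert $2 for host $3; returns 0 only if all pass.
verify_tls_pair() {
  key="$1"; crt="$2"; host="$3"
  check_key_matches "$key" "$crt"  || { echo "FAIL: $key does not match $crt" >&2; return 1; }
  check_cert_covers "$crt" "$host" || { echo "FAIL: $crt does not cover $host" >&2; return 1; }
  check_not_expiring "$crt"        || { echo "FAIL: $crt expired or expiring within 7 days" >&2; return 1; }
  echo "OK: $crt is valid for $host"
}

# Emit the manifest 'kubectl create secret tls $1 --key=$2 --cert=$3' would create.
tls_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n' "$1"
  printf '  tls.crt: %s\n  tls.key: %s\n' "$(base64 "$3" | tr -d '\n')" "$(base64 "$2" | tr -d '\n')"
}

# Decode tls.crt/tls.key from a 'kubectl get secret NAME -o yaml' dump ($1)
# and verify them for host $2. Decoded files land next to the manifest.
verify_secret_manifest() {
  manifest="$1"; dir="$(dirname "$1")"
  sed -n 's/^ *tls\.crt: *//p' "$manifest" | base64 -d > "$dir/secret.crt"
  sed -n 's/^ *tls\.key: *//p' "$manifest" | base64 -d > "$dir/secret.key"
  verify_tls_pair "$dir/secret.key" "$dir/secret.crt" "$2"
}

# Demo on constructed data: a cert issued for api.test.local passes for that
# host and fails for api.test.com, the mismatch a browser would refuse.
demo() {
  tmp="$(mktemp -d)"
  gen_selfsigned api.test.local "$tmp/api.test.local.key" "$tmp/api.test.local.crt"
  verify_tls_pair "$tmp/api.test.local.key" "$tmp/api.test.local.crt" api.test.local
  verify_tls_pair "$tmp/api.test.local.key" "$tmp/api.test.local.crt" api.test.com || true
  tls_secret_manifest api-test-cert "$tmp/api.test.local.key" "$tmp/api.test.local.crt" > "$tmp/api-test-cert.yaml"
  verify_secret_manifest "$tmp/api-test-cert.yaml" api.test.local
  rm -rf "$tmp"
}
demo
```

Against a live cluster the last function is the useful one: `kubectl get secret api-test-cert -o yaml > api-test-cert.yaml && verify_secret_manifest api-test-cert.yaml api.test.local`. A certificate whose only name is a CN such as api.test.com fails the coverage check for api.test.local, which is exactly what a browser would reject even though HAProxy loads the pair without complaint.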
$ kubectl apply \
  -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: myemail@company.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret used to store the account's private key.
      name: example-issuer-account-key
    # Add an ACME HTTP01 challenge solver
    solvers:
    - http01:
        ingress:
          ingressClassName: haproxy
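The staging issuer above is the right place to start: its certificates chain to a CA that browsers do not trust, but it lets you prove that port 80 reaches the controller and that the HTTP-01 solver Ingress is picked up by the `haproxy` class without consuming Let's Encrypt's production rate limits. Once a staging certificate is issued, point the same Ingress at a production issuer. This ClusterIssuer is an added example, not part of the gist; only the server URL is fixed, and the e-mail address and account-key Secret name are placeholders.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: myemail@company.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # keep a separate ACME account key from the staging issuer
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: haproxy
```

Switching is a one-line change on the Ingress, `cert-manager.io/cluster-issuer: letsencrypt-prod`; cert-manager then re-issues into the Secret named under `spec.tls`, and HAProxy reloads the new certificate without further configuration.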
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use
    cert-manager.io/cluster-issuer: letsencrypt-staging
  name: mysite-ingress
  namespace: default
spec:
  ingressClassName: haproxy
  rules:
  - host: mysite.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mysite-service
            port:
              number: 80
  tls:
  # cert-manager will store the certificate and key in this secret
  - secretName: mysite-cert
    hosts:
    - mysite.com
$ kubectl logs -f <cert-manager-pod> -n cert-manager