- TLS Domain on Kubernetes
- Kubernetes 1.19+
- Helm 3.2.0+
- Longhorn
- One public IP
- One domain
# Longhorn: distributed block storage, made the cluster's default StorageClass.
LONGHORN_NS="longhorn-system"
LONGHORN_DATA="/data/longhorn"

helm repo add longhorn https://charts.longhorn.io
helm repo update

# Replica data is kept under this path. NOTE(review): this only creates the
# directory on the host running the command; each Longhorn node needs it — confirm.
mkdir -p "${LONGHORN_DATA}"

helm install longhorn longhorn/longhorn \
  --namespace "${LONGHORN_NS}" \
  --create-namespace \
  --set defaultSettings.defaultDataLocality="best-effort" \
  --set defaultSettings.defaultDataPath="${LONGHORN_DATA}"

# PVCs that do not name a StorageClass fall back to longhorn.
kubectl annotate storageclass longhorn \
  storageclass.kubernetes.io/is-default-class="true" --overwrite
# MetalLB: LoadBalancer implementation for clusters without a cloud provider.
METALLB_NS="metallb-system"
METALLB_VERSION="0.13.6"

helm repo add metallb https://metallb.github.io/metallb
helm repo update

# Flip strictARP on in the live kube-proxy ConfigMap, then restart the DaemonSet
# so the running kube-proxy pods pick the setting up.
kubectl get configmap kube-proxy -n kube-system -o yaml \
  | sed -e 's/strictARP: false/strictARP: true/' \
  | kubectl apply -n kube-system -f -
kubectl rollout restart daemonset kube-proxy -n kube-system

# Pinned chart version; the IPAddressPool manifest used below targets this release line.
helm install metallb metallb/metallb \
  --version "${METALLB_VERSION}" \
  --namespace "${METALLB_NS}" \
  --create-namespace
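# First address reported for this host; it becomes the single MetalLB pool entry.
# NOTE(review): the pool is named "production-public-ips" but holds the node's
# *internal* address — correct when the public IP is NATed to this host (typical
# cloud VM), otherwise the address should be the public one. Confirm for the target.
# The awk program is quoted as a whole; the original {'print $1'} relied on shell
# quote removal producing the same text.
internal_ip="$(hostname -I | awk '{print $1}')"

# autoAssign=false: a Service only receives this address when it carries the
# metallb.universe.tf/address-pool annotation, so it is never handed out by accident.
cat <<EOF | kubectl apply -f -
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: production-public-ips
  namespace: metallb-system
spec:
  addresses:
    - ${internal_ip}/32
  autoAssign: false
EOF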
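# If the node's IP changes later, restart the controller so it re-reads the pool:
#   kubectl rollout restart deployment/metallb-controller -n metallb-system

# Placeholders (constructed) — set these to the Service you want exposed.
_SERVICE="<service-name>"
_NAMESPACE="<namespace>"

# Bind the Service to the pool created above.
kubectl annotate service "${_SERVICE}" -n "${_NAMESPACE}" \
  "metallb.universe.tf/address-pool=production-public-ips"

# Services carrying the same allow-shared-ip key may share one address. The key is
# derived from the host's public IP, fetched over TLS; an empty lookup result is
# rejected rather than silently producing the key "key-to-share-".
instance_public_ip="$(curl --fail --silent https://ifconfig.me)"
: "${instance_public_ip:?could not determine the public IP}"
kubectl annotate service "${_SERVICE}" -n "${_NAMESPACE}" \
  "metallb.universe.tf/allow-shared-ip=key-to-share-${instance_public_ip}"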
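# nginx-ingress (this chart) == NGINX's kubernetes-ingress controller.
# (The original used a C-style "//" marker here, which the shell would try to run
# as a command; only "#" starts a comment.)
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update

helm install nginx-ingress nginx-stable/nginx-ingress \
  --create-namespace \
  --namespace ingress

# Give the controller's LoadBalancer Service the pooled MetalLB address.
kubectl annotate service nginx-ingress-nginx-ingress -n ingress \
  "metallb.universe.tf/address-pool=production-public-ips"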
# cert-manager: obtains and renews certificates (Let's Encrypt ACME below).
CERT_MANAGER_NS="cert-manager"

helm repo add jetstack https://charts.jetstack.io
helm repo update

# installCRDs=true lets the chart install its own CRDs (Certificate, ClusterIssuer, ...),
# so no separate CRD manifest needs to be applied first.
helm install cert-manager jetstack/cert-manager \
  --namespace "${CERT_MANAGER_NS}" \
  --create-namespace \
  --set installCRDs=true
# Two Let's Encrypt ClusterIssuers validating with HTTP-01 through the nginx
# ingress class: staging for testing, prod for real certificates.
_EMAIL="taking@duck.com"   # ACME account contact address
_ISSUER_FILE="cluster-issuer-http.yaml"

# NOTE(review): `class: nginx` must match the class the ingress controller serves;
# newer cert-manager releases also accept ingressClassName here — confirm against
# the installed version.
cat <<EOF > "${_ISSUER_FILE}"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: "${_EMAIL}"
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "${_EMAIL}"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
EOF

kubectl apply -f "${_ISSUER_FILE}"
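# Let's Encrypt ClusterIssuers that can also answer DNS-01 challenges through
# Cloudflare (required for wildcard names). They reuse the names
# letsencrypt-staging / letsencrypt-prod, so applying this replaces the HTTP-01-only
# issuers from cluster-issuer-http.yaml.
_EMAIL="taking@duck.com"      # ACME account contact address
_CF_EMAIL="taking@duck.com"   # Cloudflare account e-mail paired with the API key
_ISSUER_FILE="cluster-issuer-dns.yaml"

# The API key is read from the terminal (bash `read -s`, input hidden) instead of
# being kept in the script, and the Secret is created straight from the value, so
# the key never lands in a file on disk. The original wrote it in clear text into
# cluster-issuer-dns.yaml and left that file behind.
# NOTE(review): this is a Cloudflare *Global API key*, which grants full account
# access; a scoped API token (cert-manager's cloudflare apiTokenSecretRef) limits
# the damage if the Secret leaks — consider switching.
read -rsp 'Cloudflare API key (input hidden): ' _CF_APIKEY; echo
: "${_CF_APIKEY:?Cloudflare API key must not be empty}"

kubectl create secret generic cloudflare-api-key-secret \
  --namespace cert-manager \
  --from-literal=api-key="${_CF_APIKEY}" \
  --dry-run=client -o yaml | kubectl apply -f -
unset _CF_APIKEY

# NOTE(review): neither solver carries a selector, so cert-manager appears to use
# the first matching solver (dns01) for every challenge; the http01 entry is then
# never selected unless selectors are added — confirm.
cat <<EOF > "${_ISSUER_FILE}"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: "${_EMAIL}"
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          cloudflare:
            email: "${_CF_EMAIL}"
            apiKeySecretRef:
              name: cloudflare-api-key-secret
              key: api-key
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "${_EMAIL}"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          cloudflare:
            email: "${_CF_EMAIL}"
            apiKeySecretRef:
              name: cloudflare-api-key-secret
              key: api-key
      - http01:
          ingress:
            class: nginx
EOF

kubectl apply -f "${_ISSUER_FILE}"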
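# Request a wildcard certificate. _DOMAIN only names the Certificate and its
# Secret; the DNS zone itself comes from _FQDN (previously hard-coded in dnsNames).
_DOMAIN="dev-t-xyz"
_FQDN="dev-t.xyz"
_CERT_NS="default"   # namespace that receives the TLS Secret

# NOTE(review): a wildcard name cannot be validated with HTTP-01, so this needs the
# Cloudflare DNS-01 issuer from cluster-issuer-dns.yaml; with only the HTTP-01
# issuer of the same name installed, issuance will not succeed — confirm which one
# is in place. Switch issuerRef.name to letsencrypt-prod once staging works.
cat <<EOF | kubectl apply -f -
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${_DOMAIN}-certificate
  namespace: ${_CERT_NS}
spec:
  dnsNames:
    - "*.${_FQDN}"
  secretName: ${_DOMAIN}-domain-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-staging
EOF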