GCP will be the DNS provider.
YOUR_GCP_PROJECT – Replace with the name of your GCP project
Create a service account for the solver:

```shell
gcloud iam service-accounts create dns01-solver \
  --display-name "dns01-solver"
```
Grant it access to the Cloud DNS service:

```shell
# The role name is cut off in the original; cert-manager's documentation binds
# roles/dns.admin here, which grants full management of every zone in the project,
# so the key generated below should be treated as a privileged credential.
gcloud projects add-iam-policy-binding YOUR_GCP_PROJECT \
  --member serviceAccount:dns01-solver@YOUR_GCP_PROJECT.iam.gserviceaccount.com \
  --role roles/dns.
```
Generate a key for the service account:

```shell
gcloud iam service-accounts keys create key.json \
  --iam-account dns01-solver@YOUR_GCP_PROJECT.iam.gserviceaccount.com
```
Create a secret based on the generated key:
```shell
kubectl create secret generic clouddns-dns01-solver-svc-acct -n cert-manager \
  --from-file=key.json
```
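Before the key lands in the cluster it is worth checking that key.json really is the solver's key for the right project, since the ClusterIssuer below hard-codes the project and trusts whatever the secret contains. This pre-flight check is an added example, not part of the original post; the field names are those of a standard GCP service-account key file, and the sample key is a constructed placeholder.

```python
import json

# Names taken from the setup above; the key file fields are the standard
# GCP service-account JSON layout (type, project_id, client_email, ...).
SA_NAME = "dns01-solver"
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key: same shape as a real key.json, no real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "YOUR_GCP_PROJECT",
    "private_key_id": "0123456789abcdef",  # constructed placeholder
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n",
    "client_email": f"{SA_NAME}@YOUR_GCP_PROJECT.iam.gserviceaccount.com",
})


def check_solver_key(key_json: str, project: str) -> list:
    """Return the problems found in a service-account key file when it is
    compared with the project the ClusterIssuer will use.
    An empty list means the key matches the setup described above."""
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key.json is not valid JSON: {exc}"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"unexpected key type: {key['type']}")
    if key["project_id"] != project:
        problems.append(f"key belongs to project {key['project_id']}, issuer uses {project}")
    expected_email = f"{SA_NAME}@{project}.iam.gserviceaccount.com"
    if key["client_email"] != expected_email:
        problems.append(f"client_email {key['client_email']} is not {expected_email}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


if __name__ == "__main__":
    with open("key.json") as fh:
        for problem in check_solver_key(fh.read(), "YOUR_GCP_PROJECT"):
            print("key.json:", problem)
```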
Create two YAML files, one ClusterIssuer for the Let's Encrypt staging environment and one for production.
letsencrypt-staging.yml
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (replace with your own)
    email: YOUR_EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        clouddns:
          # The ID of the GCP project
          project: YOUR_GCP_PROJECT
          # This is the secret used to access the service account
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json
```
letsencrypt-production.yml
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # This will register an issuer with LetsEncrypt. Replace
    # with your admin email address.
    email: YOUR_EMAIL
    privateKeySecretRef:
      # Set privateKeySecretRef to any unused secret name.
      name: letsencrypt-production
    # Legacy dns01 "providers" syntax; the staging issuer above uses the
    # newer "solvers" form. The provider name "dns" is what the Ingress
    # annotation certmanager.k8s.io/acme-dns01-provider refers to.
    dns01:
      providers:
      - name: dns
        clouddns:
          # Set this to your GCP project-id
          project: YOUR_GCP_PROJECT
          # Set this to the secret in which we published our service account key
          # in the previous step.
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json
```
Do not forget to specify the name of your GCP project and your email address in both files.
Create the ClusterIssuers:

```shell
kubectl create -f letsencrypt-staging.yml
kubectl create -f letsencrypt-production.yml
```
Ingress example:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-production
    certmanager.k8s.io/acme-challenge-type: dns01
    certmanager.k8s.io/acme-dns01-provider: dns
  name: artem-service-ing
  namespace: staging
spec:
  tls:
  - hosts:
    - artem.services
    secretName: artem.services-tls
  rules:
  - host: artem.services
    http:
      paths:
      - path: /
        backend:
          serviceName: artem-services-svc
          servicePort: 80
```
artem-services-svc – service name
80 – service port