GKE — Issuer DNS01

GCP will act as the DNS provider.

YOUR_GCP_PROJECT: replace with the name of your GCP project.

Create the service account:

gcloud iam service-accounts create dns01-solver \
 --display-name "dns01-solver"

Grant it access to the DNS service (the dns.admin role is project-wide, so keep this account dedicated to the solver):

gcloud projects add-iam-policy-binding YOUR_GCP_PROJECT \
 --member serviceAccount:dns01-solver@YOUR_GCP_PROJECT.iam.gserviceaccount.com \
 --role roles/dns.admin

Generate a key:

gcloud iam service-accounts keys create key.json \
 --iam-account dns01-solver@YOUR_GCP_PROJECT.iam.gserviceaccount.com

Create a secret from the generated key:

kubectl create secret generic clouddns-dns01-solver-svc-acct -n cert-manager \
 --from-file=key.json

Create two YAML files for the ClusterIssuers.

letsencrypt-staging.yml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR_EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        clouddns:
          # The ID of the GCP project
          project: YOUR_GCP_PROJECT
          # This is the secret used to access the service account
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json

letsencrypt-production.yml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # This will register an issuer with LetsEncrypt.  Replace
    # with your admin email address.
    email: YOUR_EMAIL
    privateKeySecretRef:
      # Set privateKeySecretRef to any unused secret name.
      name: letsencrypt-production
    dns01:
      providers:
      - name: dns
        clouddns:
          # Set this to your GCP project-id
          project: YOUR_GCP_PROJECT
          # Set this to the secret that we publish our service account key
          # in the previous step.
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-svc-acct
            key: key.json

Don't forget to enter your own GCP project name and e-mail address.

Create the ClusterIssuers:

kubectl create -f letsencrypt-staging.yml
kubectl create -f letsencrypt-production.yml
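The key and secret steps above, plus a readiness check on the issuer, as an added shell example that is not part of the original article: key.json is a long-lived credential, so the script checks that the file really is a key for the dns01-solver account before it becomes the Secret, removes the local copy afterwards, and waits for the staging ClusterIssuer before anything is pointed at it. It assumes gcloud and kubectl are already authenticated; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): guard the service-account
# key on its way into the cluster. Assumes gcloud and kubectl are configured.
set -eu

# The e-mail gcloud assigns to a service account in a project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Read one top-level string field from a gcloud key file (one field per line).
json_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if the file is a service-account key for exactly the account we
# created, 1 otherwise, so a stray or wrong key never becomes the solver's secret.
check_key_json() {
  file="$1"; expected="$2"
  [ "$(json_field "$file" type)" = "service_account" ] \
    || { echo "$file: not a service-account key" >&2; return 1; }
  [ "$(json_field "$file" client_email)" = "$expected" ] \
    || { echo "$file: key is for $(json_field "$file" client_email), expected $expected" >&2; return 1; }
  [ -n "$(json_field "$file" private_key_id)" ] \
    || { echo "$file: missing private_key_id" >&2; return 1; }
}

# Full flow for one project: create the key, check it, store it, wipe it,
# wait for the issuer. Runs only when a project name is given as first argument.
setup_solver_secret() {
  project="$1"; sa="$(sa_email dns01-solver "$project")"
  gcloud iam service-accounts keys create key.json --iam-account "$sa"
  chmod 600 key.json
  check_key_json key.json "$sa"
  kubectl create secret generic clouddns-dns01-solver-svc-acct \
    -n cert-manager --from-file=key.json
  rm -f key.json   # the only remaining copy is the Secret in the cluster
  # Do not point an Ingress at the issuer until cert-manager reports it Ready.
  kubectl wait --for=condition=Ready clusterissuer/letsencrypt-staging --timeout=120s
}

case "${1:-}" in
  "") ;;                          # no argument: only define the functions
  *) setup_solver_secret "$1" ;;
esac
```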

Example Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-production
    certmanager.k8s.io/acme-challenge-type: dns01
    certmanager.k8s.io/acme-dns01-provider: dns
  name: artem-service-ing
  namespace: staging
spec:
  tls:
  - hosts:
    - artem.services
    secretName: artem.services-tls
  rules:
  - host: artem.services
    http:
      paths:
      - path: /
        backend:
          serviceName: artem-services-svc
          servicePort: 80

artem-services-svc is the name of the Service.
80 is the Service port.
