How to deploy a letsencrypt with cert-manager and HAProxy-ingress


You can try installing cert-manager provided by Jetstack, which can be found here, and then follow the steps mentioned in this Stack Overflow post; this will get things sorted for you.

An internal acme-challenge will be done by cert-manager, and once you patch the secret name mentioned in the certificate into the TLS section of the ingress, the certificate status will reach the Ready state. Note that the secret will get created automatically; you need not create it.


  1. Deploy cert-manager with:

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml

  2. Deploy a ClusterIssuer (cluster issuers are namespace-agnostic):

    cat > prod-issuer.yaml <<EOF
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: email@example.com
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - http01:
            ingress:
              class: haproxy
    EOF

Apply the cluster issuer with:

    kubectl apply -f prod-issuer.yaml

  3. Create an Ingress Resource (namespace gnostic; this example is using an Nginx backend service):

    cat > nginx-ingress.yaml <<EOF
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: nginx-router
      namespace: production
      annotations:
        kubernetes.io/ingress.class: "haproxy"
        cert-manager.io/cluster-issuer: "letsencrypt-prod"
    spec:
      tls:
      - hosts:
        - "example.com"
        secretName: nginx-tls-secret
      rules:
      - host: example.com
        http:
          paths:
          - pathType: ImplementationSpecific
            path: "/"
            backend:
              service:
                name: nginx
                port:
                  number: 80
      - host: www.example.com
        http:
          paths:
          - pathType: ImplementationSpecific
            path: "/"
            backend:
              service:
                name: nginx
                port:
                  number: 80
    EOF

Apply the ingress resource with:

    kubectl apply -f nginx-ingress.yaml

The important piece of information here is that the HAProxy controller does NOT need the annotation acme.cert-manager.io/http01-edit-in-place: "true" that the nginx-ingress controller does. It works as expected without any extra annotations. When you apply the Ingress Resource to the cluster, the certificate will be issued in 1-2 minutes tops. Use kubectl describe certificate nginx-tls-secret -n production to check the status of the certificate, and look at the events to follow the issuance.

For more debugging info in case something went wrong, refer here: https://cert-manager.io/docs/faq/acme/
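As an added check that is not part of the original answer, the script below reads a cert-manager Certificate object (a constructed, trimmed sample shaped like the output of kubectl get certificate nginx-tls-secret -n production -o json, not real cluster output) and reports whether it is Ready, how many days it has left, and which Ingress hosts it does not name. It also surfaces a caveat in the Ingress above: www.example.com is routed under rules but only example.com is listed under tls.hosts, so the issued certificate will not cover it.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like `kubectl get certificate ... -o json` but
# trimmed to the fields this check uses; not output from a real cluster.
SAMPLE_CERT_JSON = """{
  "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
  "metadata": {"name": "nginx-tls-secret", "namespace": "production"},
  "spec": {"dnsNames": ["example.com"], "secretName": "nginx-tls-secret"},
  "status": {
    "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                    "message": "Certificate is up to date and has not expired"}],
    "notAfter": "2021-09-15T10:00:00Z", "renewalTime": "2021-08-16T10:00:00Z"
  }
}"""

def load_certificate(text):
    return json.loads(text)

def parse_k8s_time(value):
    # Kubernetes timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_certificate(cert, expected_hosts, now, warn_days=14):
    """Summarise a Certificate: Ready condition, days until notAfter,
    and Ingress hosts (expected_hosts) missing from spec.dnsNames."""
    status = cert.get("status", {})
    conditions = {c["type"]: c for c in status.get("conditions", [])}
    ready_cond = conditions.get("Ready", {})
    ready = ready_cond.get("status") == "True"
    problems = []
    if not ready:  # cert-manager's reason/message explain why issuance is stuck
        problems.append(f"not ready: {ready_cond.get('reason')}: {ready_cond.get('message')}")
    days_left = None
    if status.get("notAfter"):  # absent until the first issuance succeeds
        days_left = (parse_k8s_time(status["notAfter"]) - now).days
        if days_left < warn_days:
            problems.append(f"expires in {days_left} days; renewal may be failing")
    uncovered = sorted(set(expected_hosts) - set(cert["spec"].get("dnsNames", [])))
    if uncovered:
        problems.append("hosts routed by the Ingress but not in the certificate: " + ", ".join(uncovered))
    return {"ready": ready, "reason": ready_cond.get("reason"),
            "days_left": days_left, "uncovered_hosts": uncovered, "problems": problems}

if __name__ == "__main__":
    # Hosts taken from the Ingress rules above: www.example.com is routed but not in tls.hosts.
    report = check_certificate(load_certificate(SAMPLE_CERT_JSON),
                               ["example.com", "www.example.com"], datetime.now(timezone.utc))
    for problem in report["problems"]:
        print("WARN:", problem)
```

To run it against a live cluster, feed the script the real kubectl -o json output and the host list from your Ingress rules instead of the constructed sample.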