letsencrypt renewal sketch
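# Tear down the existing objects so that the manifests below re-create them.
# cert-manager renews a Certificate on its own before expiry, so this forced
# delete/re-issue is only needed when the objects are broken. Each run places
# a new ACME order, which counts against Let's Encrypt rate limits, and the
# host has no issued certificate until the new order completes.
#
# "${VAR:?}" aborts with a message when the variable is unset or empty, and
# the quotes keep a value containing whitespace from expanding into several
# resource names.
# NOTE(review): presumably $OBJECTNAME is the TLS secret written by the
# Certificate ($CERTNAME_USEFQDN.prod) - confirm. If it names the ACME
# account-key secret instead, deleting it makes cert-manager register a new
# account.
kubectl delete secret "${OBJECTNAME:?OBJECTNAME is not set}"
kubectl delete certificate "${CERTNAME_USEFQDN:?CERTNAME_USEFQDN is not set}"
kubectl delete clusterissuer "${NAMECLUSTERISSUER:?NAMECLUSTERISSUER is not set}"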
# Also required: $SVC_CLUSTERIP (name of the backend Service referenced by the Ingress below)
---
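# ACME ClusterIssuer for Let's Encrypt with one HTTP-01 solver that answers
# challenges through the nginx ingress class.
# Nesting restored: with every key at column 0 the listing does not parse as
# a cert-manager manifest (the two `name` keys collide).
# $-placeholders are quoted so that an empty or number-like substitution
# still yields a string.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: "$NAMECLUSTERISSUER"
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: "$EMAIL"
    # Production endpoint: issuance here is rate-limited. While testing the
    # flow, point this at the staging directory
    # (https://acme-staging-v02.api.letsencrypt.org/directory) instead.
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      # For a ClusterIssuer it lives in cert-manager's cluster resource
      # namespace; anyone who can read it can act as this ACME account, so
      # keep RBAC read access to that namespace's Secrets narrow.
      name: "$NAMECLUSTERISSUER"
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx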
---
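# Certificate for the single host $CERTNAME_USEFQDN; cert-manager writes the
# issued key pair into the Secret named by spec.secretName.
# No namespace is set, so the object lands in the current kubectl namespace.
# That must be the namespace of the Ingress that mounts the Secret, because
# an Ingress can only reference TLS Secrets in its own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "$CERTNAME_USEFQDN"
spec:
  secretName: "$CERTNAME_USEFQDN.prod"
  issuerRef:
    # Was hard-coded to `prod`, but the ClusterIssuer on this page is created
    # as $NAMECLUSTERISSUER. With any other value the reference would not
    # resolve and the certificate would never be issued.
    name: "$NAMECLUSTERISSUER"
    kind: ClusterIssuer
  commonName: "$CERTNAME_USEFQDN"
  dnsNames:
    - "$CERTNAME_USEFQDN"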
---
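# Ingress that routes $CERTNAME_USEFQDN to the backend Service on port 80 and
# terminates TLS with the Secret $CERTNAME_USEFQDN.prod.
# `generation: 2` was dropped from metadata: it is a server-populated field
# left over from an exported object and does not belong in an applied
# manifest.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Was hard-coded to `prod`; it must name the ClusterIssuer created on this
    # page ($NAMECLUSTERISSUER).
    # NOTE(review): with this annotation cert-manager's ingress-shim creates
    # its own Certificate for the tls secretName below, while this page also
    # declares an explicit Certificate writing the same Secret. Two
    # Certificates managing one Secret can cause repeated re-issuance, so
    # keep either the annotation or the explicit Certificate - confirm which
    # one is intended.
    cert-manager.io/cluster-issuer: "$NAMECLUSTERISSUER"
    # Deprecated annotation form; networking.k8s.io/v1 offers
    # spec.ingressClassName for the same purpose.
    kubernetes.io/ingress.class: nginx
    # With the redirect off, plain-HTTP requests are served as-is instead of
    # being sent to HTTPS, so the backend stays reachable in cleartext.
    # NOTE(review): if this was only set to get the first certificate issued,
    # verify that and turn the redirect back on afterwards.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: nginx-ingress
spec:
  rules:
    - host: "$CERTNAME_USEFQDN"
      http:
        paths:
          - backend:
              service:
                name: "$SVC_CLUSTERIP"
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - "$CERTNAME_USEFQDN"
      # Must match spec.secretName of the Certificate for this host.
      secretName: "$CERTNAME_USEFQDN.prod"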