INDEX
########################################################### 2024-01-15 13:50 ########################################################### That Devops Guy... Let's Encrypt https://www.youtube.com/watch?v=jrR_WfgmWEw Often need to reload certificates across many services repeatedly - can you automate it? Domain validation is proving you own a domain (manage its DNS) - certs are there to prove this docker run -it -p 80:80 nginx # Run a basic nginx web server curl ifconfig.co # Get your current public IP (or use local) - can access web on that IP On google domains, DNS, add record for a domain name: "@ A 1h IP_ADDRESS" - then save Look at certbot documentation - as very clear on how to do this in different contexts # Dockerfile FROM debian:buster RUN apt-get update -y && apt-get install -y certbot docker build . -t certbot docker run -it --rm --name certbot -v ${PWD}:/letsencrypt \ -v ${PWD}/certs:/etc/letsencrypt certbot bash # Open shell running certbot # /letsencrypt is a shared folder for certbot to output results to - just have 1 certbot # /etc/letsencrypt stores certificates persistently when generated Now set nginx to use certbot certificates # (extending) nginx.conf server { listen 80 location /.well-known/acme-challenge/ { root /letsencrypt/; # So certbot challenges are saved in a public folder } ... } docker run -it --rm --name nginx -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \ -v ${PWD}:/letsencrypt -v ${PWD}/certs:/etc/letsencrypt \ -p 80:80 -p 443:443 nginx # Go back into certbot container and configure certbot certonly --webroot # Answer prompts - and save to /letsencrypt # Now tell nginx to turn on ssl # (extending nginx.conf) server { listen 443 ssl default_server; listen [::]:443 ssl default_server; server_name marcel.guru; ssl_certificate /etc/letsencrypt/live/marcel.guru/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/marcel.guru/privkey.pem; root /usr/share/nginx/html/; location / { gzip off; root /usr/share/nginx/html/; index index.html; } } Can automatically renew certificates with a cronjob that just runs "certbot renew" certbot renew --dry-run # Test if building properly docker exec --it nginx sh -c "nginx -s reload" # Softly reload nginx after cert renewal
That Devops Guy... Free SSL for Kubernetes https://www.youtube.com/watch?v=hoLUigg4V18 Usually have separate certificates per namespace - hard to manage that many Cert-manager is a K8 addon for TLS certificates: links issuers to certs and secret stores kind create cluster --name certmanager --image kindest/node:v1.19.1 curl -LO CERTMANAGER_URL kubectl create ns cert-manager; kubectl apply --validate=false -f cert-manager.yaml kubectl -n cert-manager get all # See if set up correctly Issuer definitions point to certificate authorities and certificates we use kubectl create ns cert-manager-test # selfsigned/issuer.yaml apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: test-selfsigned namespace: cert-manager-test spec: selfSigned: {} # Define an empty self signed issuer # selfsigned/certificate.yaml apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: selfsigned-cert namespace: cert-manager-test spec: dnsNames: - example.com secretName: selfsigned-cert-tls # What secret to store this in issuerRef: name: test-selfsigned # Use the issuer defined above kubectl apply -f ./selfsigned/issuer.yaml kubectl apply -f ./selfsigned/certificate.yaml # Generates a certificate kubectl describe certificate -n cert-manager-test # Can see specs about it kubectl get secrets -n cert-manager-test # Can see a selfsigned tls certificate Can use many different types of issues (e.g. Vault, CA, ACME) Ingress controller should be able to manage these keys - e.g. nginx kubectl create ns ingress-nginx # Deploy nginx ingress controller kubectl -n ingress-nginx get svc # See load balancer is running kubectl -n ingress-nginx --address 0.0.0.0 port-forward svc/ingress-nginx-controller 80 # Repeat the same for 443 curl ifconfig.go # Get public IP - add to google DNS - but now ingress controller is public # cert-manager/cert-issuer-nginx-ingress.yaml apiVersion: cert-manaer.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-cluster-issuer spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: EMAIL_ADDR privateKeySecretRef: name: letsencrypt-cluster-issuer-key solvers: - http01: # Use a http solver ingress: class: nginx kubectl apply -f cert-issuer-nginx-ingress.yaml kubectl describe clusterissuer letsencrypt-cluster-issuer # Check if issuer is running Deploy a website deployment with a service - then expose with an ingress # cert-manager/ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: "nginx" name: example-app spec: tls: - hosts: - marcel.guru secretName: example-app-tls # Point to SSL certificate rules: - host: marcel.guru http: paths: - path: / pathType: Prefix backend: service: name: example-service # Point / to service on port 80 port: number: 80 # Need to deploy a certificate for this website to use # cert-manager/certificate.yaml apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: example-app namespace: default spec: dnsNames: - marcel-guru secretname: example-app-tls issuerRef: name: letsencrypt-cluster-issuer kind: ClusterIssuer # Deploy this and now the website uses tls Cert-manager watches these certiicates and updates them when necessary