Sunday, July 5, 2020

How to implement Let's Encrypt using the DNS-01 challenge?

step 1: create a namespace

kubectl create ns kaushik

step 2: create a secret named azuredns-config whose key client-secret holds the client secret of the Azure service principal that cert-manager will use to write DNS records (the value is left blank here)

kubectl create secret generic azuredns-config --from-literal=client-secret="" -n kaushik

step 3: create the nginx-ingress controller

helm install --name nginx stable/nginx-ingress --namespace kaushik

step 4: create an A record set in the existing hosted zone, pointing kou.kaushik.net at the public IP of the ingress controller (12.34.56.78 is a placeholder)

az network dns record-set a add-record --resource-group kaushik-rg --zone-name kaushik.net --record-set-name 'kou' --ipv4-address 12.34.56.78

step 5: install cert-manager (v0.13.0)

kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml -n kaushik

kubectl label namespace kaushik cert-manager.io/disable-validation=true

helm repo add jetstack https://charts.jetstack.io

helm repo update

helm install --name cert-manager --namespace kaushik --version v0.13.0 jetstack/cert-manager

step 6: create the ClusterIssuer for the DNS-01 solver (dnsissuer.yaml)

cat dnsissuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: kaushik
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Contact address registered with the ACME account (must be a valid e-mail; placeholder shown)
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # ACME DNS-01 provider configurations
    solvers:
    - dns01:
        azuredns:
          # Azure service principal allowed to write records in the hosted zone (values redacted)
          clientID: "<service-principal-client-id>"
          # The client secret is read from the Kubernetes secret created in step 2, not stored in this file
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
          subscriptionID: "<subscription-id>"
          tenantID: "<tenant-id>"
          resourceGroupName: kaushik-rg
          hostedZoneName: kaushik.net
          environment: AzurePublicCloud

command: kubectl apply -f dnsissuer.yaml -n kaushik (a ClusterIssuer is cluster-scoped, so the -n flag has no effect)

Test the example application using Let's Encrypt

step 7: install the example application (the netbox chart)

helm repo add bootc https://charts.boo.tc

helm install --name my-release bootc/netbox --namespace kaushik


step 8: create an Ingress object in the same namespace

cat ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # Tells cert-manager (ingress-shim) to request a certificate from the ClusterIssuer of step 6
    cert-manager.io/cluster-issuer: kaushik
  name: my-release-netbox
spec:
  tls:
    - hosts:
      - kou.kaushik.net
      # cert-manager stores the issued certificate and private key in this secret
      secretName: tls-secret
  rules:
    - host: kou.kaushik.net
      http:
        paths:
          - backend:
              serviceName: my-release-netbox
              servicePort: http

command: kubectl apply -f ingress.yaml -n kaushik


How to verify?

In the Azure DNS zone (kaushik.net), two record sets will be created:

 kou.kaushik.net (the A record added in step 4)
 _acme-challenge.kou (a TXT record holding the DNS-01 validation token, written by cert-manager during the challenge)
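To check the issuance from the cluster side rather than the DNS portal, here is an added Python helper (not part of the original post or of cert-manager) that reads Certificate and Challenge objects as returned by `kubectl get ... -o json`, reports the Ready condition, and computes the relative `_acme-challenge` record name that should appear in the hosted zone. The sample objects below are constructed; the field names follow cert-manager's Certificate and Challenge status.

```python
"""Check DNS-01 issuance state from cert-manager objects (constructed sample data)."""
import json
import subprocess


def kubectl_json(kind, namespace):
    """Fetch live objects: kubectl get <kind> -n <namespace> -o json (not used by the sample)."""
    out = subprocess.check_output(["kubectl", "get", kind, "-n", namespace, "-o", "json"])
    return json.loads(out)["items"]


def challenge_record_name(dns_name, zone):
    """Relative name of the TXT record cert-manager presents in the Azure DNS zone,
    e.g. ("kou.kaushik.net", "kaushik.net") -> "_acme-challenge.kou"."""
    dns_name, zone = dns_name.rstrip(".").lower(), zone.rstrip(".").lower()
    if dns_name == zone:                      # certificate for the zone apex
        return "_acme-challenge"
    if not dns_name.endswith("." + zone):
        raise ValueError(f"{dns_name} is not inside hosted zone {zone}")
    return "_acme-challenge." + dns_name[: -len(zone) - 1]


def condition(obj, ctype):
    """Return the status condition of the given type, or an empty dict."""
    return next((c for c in obj.get("status", {}).get("conditions", []) if c.get("type") == ctype), {})


def diagnose(cert, challenges, zone):
    """Summarise a Certificate's issuance: Ready flag, reason, and DNS-01 records still pending."""
    ready = condition(cert, "Ready")
    pending = []
    for ch in challenges:
        status = ch.get("status", {})
        if ch["spec"].get("type") != "dns-01" or status.get("state") == "valid":
            continue
        pending.append({"record": challenge_record_name(ch["spec"]["dnsName"], zone),
                        "presented": bool(status.get("presented")),   # TXT record already written?
                        "reason": status.get("reason", "")})
    return {"certificate": cert["metadata"]["name"],
            "ready": ready.get("status") == "True",
            "reason": ready.get("reason"),
            "pending_records": pending}


# Constructed sample objects, shaped like the tls-secret Certificate from step 8 and its Challenge.
SAMPLE_CERT = {"metadata": {"name": "tls-secret"},
               "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "InProgress"}]}}
SAMPLE_CHALLENGES = [{"spec": {"type": "dns-01", "dnsName": "kou.kaushik.net"},
                      "status": {"state": "pending", "presented": True,
                                 "reason": "Waiting for dns-01 challenge propagation"}}]

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_CERT, SAMPLE_CHALLENGES, "kaushik.net"), indent=2))
```

Against a live cluster, replace the sample objects with kubectl_json("certificate", "kaushik") and kubectl_json("challenge", "kaushik"); a record reported as presented but still pending usually means the TXT record has not propagated to the public resolvers yet.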


References:

https://docs.microsoft.com/en-us/azure/aks/ingress-tls

https://dev.to/mimetis/using-dns01-challenge-and-let-s-encrypt-to-secure-your-aks-kubernetes-cluster-5g42

https://github.com/bootc/netbox-chart
