Yes, you can follow steps like these:
Step 1: Create a ClusterIssuer
Create a file named cluster-issuer.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
In this example, we are creating a ClusterIssuer named letsencrypt-prod that uses the HTTP-01 challenge type for domain validation. Adjust the email field to your email address.
Apply the ClusterIssuer configuration by running the following command:
kubectl apply -f cluster-issuer.yaml
Step 2: Create a Certificate resource
Create a file named certificate.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginx-certificate
  namespace: your-namespace
spec:
  secretName: nginx-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
In this example, we are creating a Certificate resource named nginx-certificate in the specified namespace. Adjust the commonName and dnsNames fields to match your domain name(s).
Apply the Certificate configuration by running the following command:
kubectl apply -f certificate.yaml
Step 3: Wait for the certificate to be issued
You can monitor the status of the certificate issuance by running the following command:
kubectl describe certificate nginx-certificate -n your-namespace
Wait until the certificate is issued, and the status shows that it is ready.
Step 4: Create a Secret
After the certificate is issued, cert-manager will automatically create a Secret containing the SSL certificates.
To use the certificates in your Nginx deployment, you need to mount the Secret as a volume. Modify your existing Nginx deployment YAML file (nginx-deployment.yaml) to add the following volume and volume mount configurations:
spec:
  volumes:
  - name: nginx-tls-secret
    secret:
      secretName: nginx-tls-secret
  containers:
  - name: nginx
    image: nginx:latest
    ports:
    - containerPort: 80
      name: http
    - containerPort: 443
      name: https
    volumeMounts:
    - name: nginx-tls-secret
      mountPath: /etc/nginx/ssl
      readOnly: true
Replace the nginx-deployment.yaml file with the updated configuration and apply it to create or update your Nginx deployment:
kubectl apply -f nginx-deployment.yaml
With these steps, cert-manager will handle the certificate provisioning and automatic renewal. Your Nginx deployment will use the SSL certificates mounted from the Secret, enabling HTTPS access securely.
To use HTTP between backend Kubernetes services and the AWS LoadBalancer Controller, and HTTPS between the client and the AWS LoadBalancer Controller, you need to make the following changes:
Change the alb.ingress.kubernetes.io/backend-protocol annotation in your ingress.yaml file to HTTP instead of HTTPS:
metadata:
  annotations:
    ...
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    ...
Update the service ports in your ingress.yaml and service.yaml files to use port 80 instead of 443. This change will reflect the use of HTTP:
spec:
  ports:
  - name: "80"
    port: 80
    protocol: TCP
    targetPort: 8080
You can remove the alb.ingress.kubernetes.io/backend-protocol-version annotation because it is only applicable when using HTTPS. After making these changes, you need to apply the updated configuration to your cluster. Once the changes are applied, the communication between the backend Kubernetes services and the AWS LoadBalancer Controller will use HTTP, and the communication between the client and the AWS LoadBalancer Controller will use HTTPS.
However, please note that if you access the Nginx deployment directly using HTTP, you will need to handle the TLS termination and obtain an SSL certificate for Nginx. Alternatively, you can use an ingress controller like Nginx Ingress or Traefik to handle TLS termination for you. These ingress controllers can automatically provision SSL certificates using services like Let's Encrypt.
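As an added check for the cert-manager steps above (example script, not from the answer or the cert-manager project): it waits for the Certificate to become Ready and then verifies that the tls.crt stored in the Secret actually names the requested domain and is not close to expiry, which is the point at which a broken renewal first shows up. It assumes the names used in the answer (nginx-certificate, nginx-tls-secret, your-namespace, example.com) and that kubectl, openssl 1.1.1 or newer and GNU base64 are on PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of the answer above: verify what cert-manager actually
# put into the Secret before pointing Nginx at it. Assumes the names used in the
# answer (nginx-certificate, nginx-tls-secret, your-namespace, example.com) and
# that kubectl, openssl (1.1.1+) and GNU base64 are on PATH.
set -eu

NS="${NS:-your-namespace}"
CERT="${CERT:-nginx-certificate}"
SECRET="${SECRET:-nginx-tls-secret}"

# check_pem PEM DNSNAME [DAYS]: succeed only if the certificate's subjectAltName
# lists DNSNAME exactly and the certificate stays valid for at least DAYS days
# (cert-manager renews well before expiry, so little remaining lifetime means
# renewal is not working). Returns 0 on success, 1 on any failure.
check_pem() {
  local pem="$1" dns="$2" days="${3:-30}" sans
  # One SAN entry per line, e.g. "DNS:example.com", so the match is exact
  # (a plain substring match would also accept DNS:example.com.evil).
  sans="$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName \
          | tr ',' '\n' | sed 's/^[[:space:]]*//')"
  printf '%s\n' "$sans" | grep -qxF "DNS:${dns}" || return 1
  # -checkend exits non-zero when the certificate expires within the window.
  printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null || return 1
}

# fetch_issued_cert: block until the Certificate reports Ready (Step 3 above),
# then print the leaf certificate that cert-manager stored under tls.crt.
fetch_issued_cert() {
  kubectl wait --for=condition=Ready "certificate/${CERT}" -n "$NS" --timeout=300s >&2
  kubectl get secret "$SECRET" -n "$NS" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
  pem="$(fetch_issued_cert)"
  if check_pem "$pem" example.com 30; then
    echo "OK: ${SECRET} holds a certificate for example.com with more than 30 days left"
  else
    echo "FAIL: ${SECRET} does not hold a usable certificate for example.com" >&2
    exit 1
  fi
fi
```

Run it as `./check-cert.sh --live` after Step 3; a non-zero exit means the Secret should not yet be mounted into the Nginx deployment.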
I access the Nginx deployment directly using HTTP, so I just have to create k8s resources like Certificate Manager, ClusterIssuer, Certificate, Secret, etc., right?