07/05/2025

K8s – cert-manager in a private network with DNS01 authorization

  1. Installing cert-manager
  2. Installing and configuring the IONOS webhook
  3. Creating the ClusterIssuer
  4. Creating a certificate

1. Installing cert-manager

Adding the Helm repository

helm repo add jetstack https://charts.jetstack.io
helm repo update

Then we deploy it

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.17.2 \
  --set crds.enabled=true \
  --set 'extraArgs={--dns01-recursive-nameservers-only,--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}'

The extraArgs are there so that the DNS01 self-check does not consult the cluster's own internal DNS. Before cert-manager tells the ACME server that a challenge is ready, it first checks for itself that the _acme-challenge TXT record is visible. In a private network the resolver it would normally use (CoreDNS forwarding to a corporate resolver) often cannot resolve the public zone, or answers from a split-horizon view, so the self-check never succeeds and the Order sits in pending forever. --dns01-recursive-nameservers points the self-check at public recursive resolvers instead, and --dns01-recursive-nameservers-only tells cert-manager to use only those (also for locating the zone's authoritative servers) rather than the system resolvers.
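To see the problem the extraArgs work around before debugging a stuck Order, it helps to ask the same resolvers yourself. The script below is an added example, not code from the original post or from cert-manager: it builds a raw DNS TXT query with the standard library, sends it to each resolver, and reports which of them can see the _acme-challenge record. The record name is derived from the page's hostname; the token placeholder and the 10.96.0.10 CoreDNS address are assumptions, and the sample reply used for offline runs is constructed, not captured traffic.

```python
# Added example (not from the original post): reproduce cert-manager's DNS01
# self-check by querying public resolvers and the in-cluster resolver. Stdlib only.
import random
import socket
import struct

QTYPE_TXT = 16

def _encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=QTYPE_TXT, txid=None):
    """Standard query with recursion desired (RD=1), one question, class IN."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_txt_answers(msg, txid):
    """TXT strings from a response; [] on NXDOMAIN; ValueError on other failures."""
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x0F
    if rcode == 3:  # NXDOMAIN: this resolver does not see the record at all
        return []
    if rcode != 0:  # e.g. SERVFAIL (2) or REFUSED (5)
        raise ValueError(f"resolver returned rcode {rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:  # rdata is a sequence of <len><bytes> strings
            i, parts = 0, []
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            txts.append("".join(parts))
    return txts

def query_txt(name, nameserver, timeout=3.0):
    """One UDP query to `nameserver` (needs network); returns its TXT answers."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, QTYPE_TXT, txid), (nameserver, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)

def check_challenge(name, expected, nameservers, resolver=query_txt):
    """Per resolver: does it return a TXT record equal to `expected`? Timeouts,
    SERVFAIL and NXDOMAIN all count as 'not visible' instead of aborting."""
    result = {}
    for ns in nameservers:
        try:
            result[ns] = expected in resolver(name, ns)
        except (OSError, ValueError):
            result[ns] = False
    return result

def constructed_response(txid, name, txts, rcode=0):
    """Constructed sample reply (not captured traffic) for offline use."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(txts), 0, 0)
    body = _encode_name(name) + struct.pack(">HH", QTYPE_TXT, 1)
    for t in txts:  # answer name is a pointer (0xC00C) back to the question name
        rdata = bytes([len(t)]) + t.encode()
        body += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + body

if __name__ == "__main__":
    # Assumed: the token is the Challenge's spec.key; 10.96.0.10 stands in for CoreDNS.
    record = "_acme-challenge.argocd.buyukburc.de"
    for ns, seen in check_challenge(record, "<token>", ["8.8.8.8", "1.1.1.1", "10.96.0.10"]).items():
        print(f"{ns:>12}: {'visible' if seen else 'NOT visible'}")
```

If the public resolvers report the record as visible while the in-cluster address does not, that is exactly the split-horizon situation the two extraArgs fix; if none of them see it, the webhook has not written the record (check the Challenge status and the webhook pod's logs).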

2. Installing and configuring the IONOS webhook

Next I store the API keys I obtained from IONOS's DNS system (this domain is currently hosted at IONOS) in Kubernetes as a Secret. Keep in mind that base64 is encoding, not encryption: the manifest below contains the live credentials in the clear, so treat the file itself as a secret, keep it out of Git, and prefer creating the Secret directly (kubectl create secret generic with --from-literal) or managing it through a sealed or external secret mechanism.

---
apiVersion: v1
kind: Secret
metadata:
  name: ionos-ssl-secret
  namespace: cert-manager
type: Opaque
data:
  IONOS_PUBLIC_PREFIX: Mjc5MDM1NrtzTMKIzNDYgM2E4ZjkxNDk4NzE5ZmZlMzk=
  IONOS_SECRET: Z2N5SVhPZFp6M0RT4KN3NVk1Mnk1OWI0YmZLckFnVzJUcmJhdzVyTThibnNybFpqdER0ODFBdUx4YnAtdZAMBKLRTlhtZF96QWthd3NmVzNfSzdlT1E=

kubectl apply -f ionos-secret.yaml -n cert-manager

I also deploy the cert-manager webhook for IONOS (the community cert-manager-webhook-ionos chart by fabmade). This is required because cert-manager has no built-in IONOS solver: the webhook is what creates and removes the _acme-challenge TXT records through the IONOS DNS API. Both the Secret and the webhook go into the cert-manager namespace, because that is where a ClusterIssuer resolves its secret references.

helm repo add cert-manager-webhook-ionos https://fabmade.github.io/cert-manager-webhook-ionos
helm install cert-manager-webhook-ionos cert-manager-webhook-ionos/cert-manager-webhook-ionos -n cert-manager

3. Creating the ClusterIssuer

Now we add a ClusterIssuer to the cluster. The dns01 solver is the webhook: groupName and solverName identify the fabmade webhook, and the two secret refs point at the keys of the Secret created in step 2. The email is the ACME account contact (replace the placeholder with a real address so Let's Encrypt expiry notices reach you), and privateKeySecretRef names the Secret that will hold the ACME account private key.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-ionos-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: can@can.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-ionos-prod
    # Enable the dns01 challenge provider
    solvers:
      - dns01:
          webhook:
            groupName: acme.fabmade.de
            solverName: ionos
            config:
              apiUrl: https://api.hosting.ionos.com/dns/v1
              publicKeySecretRef:
                key: IONOS_PUBLIC_PREFIX
                name: ionos-ssl-secret
              secretKeySecretRef:
                key: IONOS_SECRET
                name: ionos-ssl-secret

4. Creating a certificate

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-argocd
  namespace: argocd
spec:
  secretName: certificate-argocd
  issuerRef:
    name: letsencrypt-ionos-prod
    kind: ClusterIssuer
  dnsNames:
    - argocd.buyukburc.de

The secretName here is effectively the certificate: cert-manager stores the issued certificate chain and its private key in a Secret of type kubernetes.io/tls (keys tls.crt and tls.key), and that Secret is what we reference when using it. It is created in the Certificate's namespace (argocd here), so the Ingress that consumes it has to be in the same namespace.

Using it in an Ingress. The tls.secretName must match the Certificate's secretName. The cert-manager.io/cluster-issuer annotation is what ingress-shim uses to create a Certificate automatically from the tls section; because we already created a Certificate with the same name explicitly, the annotation is redundant here and you can drop either the annotation or the Certificate manifest.

apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
  name: "argocd-ingress"
  namespace: "argocd"
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
    nginx.ingress.kubernetes.io/proxy-body-size: 0m
    cert-manager.io/cluster-issuer: "letsencrypt-ionos-prod"
spec:
  ingressClassName: "nginx"
  tls:
    - hosts:
      - "argocd.buyukburc.de"
      secretName: "certificate-argocd"
  rules:
    - host: "argocd.buyukburc.de"
      http:
        paths:
          - pathType: "Prefix"
            path: "/"
            backend:
              service:
                name: "argocd-server"
                port:
                  number: 443
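Once the Ingress is applied it is worth checking what is actually served for the host, because if the Secret is missing or in the wrong namespace ingress-nginx silently falls back to its own self-signed "Kubernetes Ingress Controller Fake Certificate". The script below is an added example, not code from the original post or from cert-manager or ingress-nginx: it does a verified TLS handshake with SNI and judges the issuer, the SAN coverage and the remaining lifetime. The host name, the 14-day threshold and the two sample certificate dicts are assumptions; the samples are constructed in the shape ssl's getpeercert() returns, not captured from a server.

```python
# Added example (not from the original post): confirm the Ingress serves the
# cert-manager issued certificate rather than ingress-nginx's fallback.
import socket
import ssl
import time

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Verified TLS handshake with SNI; returns the getpeercert() dict (needs network).
    Raises ssl.SSLCertVerificationError for an untrusted chain, which is what the
    controller's self-signed fallback certificate produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _rdn_value(name, attr):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def host_matches(pattern, host):
    """SAN matching: exact, or a single-label wildcard such as *.buyukburc.de."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def evaluate(cert, host, now=None, min_days=14):
    """Judge a getpeercert() dict: issuer, SAN coverage and remaining lifetime.
    min_days=14 is an assumed alarm threshold (cert-manager renews ~30 days early)."""
    now = time.time() if now is None else now
    findings = []
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org != "Let's Encrypt":
        findings.append(f"issuer is {issuer_org!r}, not Let's Encrypt; is the Secret present?")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(p, host) for p in sans):
        findings.append(f"{host} is not covered by SANs {sans}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < min_days:
        findings.append(f"only {days_left:.1f} days left; cert-manager should have renewed by now")
    return {"ok": not findings, "issuer": issuer_org, "sans": sans,
            "days_left": round(days_left, 1), "findings": findings}

def probe(host, port=443):
    """Live check; an untrusted chain is reported as a finding instead of a crash."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "findings": [f"served chain is not trusted: {e.verify_message}"]}
    return evaluate(cert, host)

# Constructed sample dicts (not captured from a real server) in getpeercert() shape,
# plus the fixed "now" they are meant to be judged against.
GOOD_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "argocd.buyukburc.de"),),
    "notAfter": "Jun 11 00:00:00 2025 GMT",
}
FAKE_CERT = {
    "issuer": ((("organizationName", "Acme Co"),), (("commonName", "Kubernetes Ingress Controller Fake Certificate"),)),
    "subjectAltName": (("DNS", "ingress.local"),),
    "notAfter": "Jun 11 00:00:00 2026 GMT",
}
NOW_FOR_SAMPLES = ssl.cert_time_to_seconds("May 12 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(evaluate(GOOD_CERT, "argocd.buyukburc.de", now=NOW_FOR_SAMPLES))
    print(evaluate(FAKE_CERT, "argocd.buyukburc.de", now=NOW_FOR_SAMPLES))
    print(probe("argocd.buyukburc.de"))  # live check, needs network access to the host
```

A "served chain is not trusted" result right after deployment usually means the Certificate has not been issued yet (check kubectl get certificate, order and challenge in the argocd namespace), while a wrong issuer or SAN with a trusted chain points at a name mismatch between the Ingress tls section and the Certificate.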