Editing
Contour Ingress Controller
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Creating Certificates == To create and use a certificate for an Ingress, we have to make two changes to the Ingress" apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: httpbin annotations: cert-manager.io/cluster-issuer: letsencrypt-staging ingress.kubernetes.io/force-ssl-redirect: "true" kubernetes.io/ingress.class: contour kubernetes.io/tls-acme: "true" spec: tls: - secretName: httpbin hosts: - httpbin.davecheney.com rules: - host: httpbin.davecheney.com http: paths: - backend: serviceName: httpbin servicePort: 8080 The two changes are in the 'annotations' and in the 'spec.tls' sections. The 'annotations' give Contour the instructions to: * get the certificate from lets-encrypt (staging or prod) * tell the ingress to force all connections to this ingress to be HTTPS (redirecting HTTP as needed) * identify Contour as the ingress controller * Use the 'acme' source for getting let's encrypt certificates The spec.tls parameters specify how and where the certificate is created and stored: * kubernetes secrets in the current namespace (not the cert-manager namespace) are used to store certificates ... the name of the secret can be whatever is needed to identify the certificate * the hostnames provided are used to create the certificate The staging ClusterIssuer can be used initially, but make sure the production ClusterIssuer is specified in the final manifests when deploying. Create the Ingress by applying the manifest: kubectl apply -f <ingress manifest>.yaml As soon as the ingress is created, cert-manager will see the request and obtain the certificate as specified in the spec.tls section. It creates a new Certificate CRD to hold all the details needed to support and renew the certificates. To verify the certificate is created successfully, look at the certificate CRD (which is named the same as the secret): kubectl describe certificate <secret name> | tail -n 12 You will see the messages from the exchange with the certificate servers -- and within a few seconds, should see that the certificate was issued. At that point, accesses to the service should be forced to HTTPS and show a valid certificate issued by Let's Encrypt.
Summary:
Please note that all contributions to WilliamsNet Wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
WilliamsNet Wiki:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
Namespaces
Page
Discussion
English
Views
Read
Edit
View history
More
Navigation
Commons
Architecture
How-To
Systems
Hardware
SysAdmin
Kubernetes
OpenSearch
Special
Pages to create
All pages
Recent changes
Random page
Help about MediaWiki
Formatting Help
Tools
What links here
Related changes
Special pages
Page information