mirror of
https://github.com/IT4Change/Ocelot-Social.git
synced 2025-12-13 07:45:56 +00:00
91 lines
3.0 KiB
Markdown
# Setup Ingress and HTTPS

{% tabs %}
{% tab title="Helm 3" %}

Follow [this quick start guide](https://cert-manager.io/docs/) and install cert-manager via Helm 3:

## … Via Kubernetes Directly

```bash
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
```

{% endtab %}
{% tab title="Helm 2" %}

{% hint style="info" %}
CAUTION: Tiller, which Helm 2 relies on, was [removed](https://helm.sh/docs/faq/#removal-of-tiller) in Helm 3 because of safety issues, so we recommend Helm 3.
{% endhint %}

Follow [this quick start guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html) and install cert-manager via Helm 2 and Tiller:
[This resource was also helpful](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html#installing-with-helm)

```bash
# Note: the binding below gives the tiller service account cluster-admin,
# i.e. full control over the whole cluster.
$ kubectl create serviceaccount tiller --namespace=kube-system
$ kubectl create clusterrolebinding tiller-admin --serviceaccount=kube-system:tiller --clusterrole=cluster-admin
$ helm init --service-account=tiller
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
$ helm install --name cert-manager --namespace cert-manager --version v0.11.0 jetstack/cert-manager
```

{% endtab %}
{% endtabs %}

## Create Letsencrypt Issuers and Ingress Services

Copy the configuration templates and change the files according to your needs.

```bash
# in folder deployment/digital-ocean/https/
cp templates/issuer.template.yaml ./issuer.yaml
cp templates/ingress.template.yaml ./ingress.yaml
```

At a minimum, **change the email addresses** in `issuer.yaml`. You will certainly also want
to _change the domain name_ in `ingress.yaml`.

Once you are done, apply the configuration:

```bash
# in folder deployment/digital-ocean/https/
$ kubectl apply -f .
```

By now, your cluster should have a load balancer assigned with an external IP
address. On Digital Ocean, this is what it should look like:



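Check that the ingress server is working correctly. The `-k` flag skips certificate verification, which is needed at this point because no valid certificate has been issued yet:

```bash
$ curl -kivL -H 'Host: <DOMAIN_NAME>' 'https://<IP_ADDRESS>'
```
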
If the response looks good, configure your domain registrar for the new IP address and the domain.

Now let's get a valid HTTPS certificate. According to the tutorial above, check your TLS certificate for staging:

```bash
$ kubectl describe -n ocelot-social certificate tls
$ kubectl describe -n ocelot-social secret tls
```

If everything looks good, update the issuer of your ingress. Change the annotation `cert-manager.io/issuer` from `letsencrypt-staging` (for testing without getting a real certificate) to `letsencrypt-prod` (for production) in your ingress configuration in `ingress.yaml`.

```bash
# in folder deployment/digital-ocean/https/
$ kubectl apply -f ingress.yaml
```

Delete the former secret to force a refresh:

```bash
$ kubectl -n ocelot-social delete secret tls
```

Now, HTTPS should be configured on your domain. Congrats.
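
For reference, a sketch of what `issuer.yaml` and `ingress.yaml` can look like for the staging-to-production switch described above. This is an added example, not the project's templates: the host `example.org`, the email address, the nginx ingress class, the Ingress name and the backend service name and port are assumptions.

```yaml
# Constructed sketch, not templates/issuer.template.yaml or ingress.template.yaml.
# Assumed: nginx ingress class, example.org, admin@example.org, backend "web:3000".
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: letsencrypt-staging, namespace: ocelot-social}
spec:
  acme:
    # Staging CA: certificates are not browser-trusted; use it to test the flow.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.org                          # placeholder, change this
    privateKeySecretRef: {name: letsencrypt-staging}  # ACME account key
    solvers:
      - http01: {ingress: {class: nginx}}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: letsencrypt-prod, namespace: ocelot-social}
spec:
  acme:
    # Production CA: trusted certificates, strict rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.org                          # placeholder, change this
    privateKeySecretRef: {name: letsencrypt-prod}     # separate account key
    solvers:
      - http01: {ingress: {class: nginx}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ocelot-ingress            # hypothetical name
  namespace: ocelot-social
  annotations:
    # Start with staging; change to letsencrypt-prod once the staging cert issues.
    cert-manager.io/issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
    - hosts: [example.org]
      secretName: tls             # the secret inspected and deleted above
  rules:
    - host: example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: web, port: {number: 3000}}  # hypothetical backend
```

After the switch and the secret refresh, `kubectl describe -n ocelot-social certificate tls` should list `letsencrypt-prod` as the issuer reference.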