Last active
November 27, 2022 13:42
Kubernetes, Istio, Cert Manager, and Let's Encrypt - complete
```bash
#!/bin/bash
# Install cert-manager with its CRDs via Helm.
# https://cert-manager.io/docs/installation/
helm repo add jetstack https://charts.jetstack.io
sleep 30
helm repo update
sleep 30
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.5.3 --set installCRDs=true
```
```bash
#!/bin/bash
# Install Istio (base CRDs, istiod, ingress gateway) via Helm.
# The chart paths are relative: run this from the root of the extracted Istio release.
# https://istio.io/latest/docs/setup/install/helm/
kubectl create namespace istio-system
helm install istio-base manifests/charts/base -n istio-system
sleep 5
helm install istiod manifests/charts/istio-control/istio-discovery -n istio-system
sleep 5
helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
```
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deanpetrusek-domain-cert-prod
  namespace: istio-system
spec:
  # Secret names are always required.
  secretName: deanpetrusek-domain-cert-prod
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - jetstack
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "www.deanpetrusek.cloud"
    - "fx.deanpetrusek.cloud"
    - "testpage.deanpetrusek.cloud"
  issuerRef:
    name: letsencrypt-prod-cluster
    kind: ClusterIssuer
    group: cert-manager.io
```
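```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-cluster
  # ClusterIssuer is cluster-scoped, so this namespace field has no effect.
  namespace: istio-system
spec:
  acme:
    # The address is redacted in the page source; set your ACME contact email here.
    email: [email protected]
    # Let's Encrypt production endpoint.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret holding the ACME account private key. For a ClusterIssuer it is
    # stored in cert-manager's cluster resource namespace (cert-manager by default).
    privateKeySecretRef:
      name: letsencrypt-prod-cluster
    solvers:
      - http01:
          ingress:
            class: istio
```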
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: certtest-gateway-prod
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "deanpetrusek.cloud"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: deanpetrusek-domain-cert-prod
      hosts:
        - "www.deanpetrusek.cloud"
        - "fx.deanpetrusek.cloud"
        - "testpage.deanpetrusek.cloud"
```
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deanpetrusek-domain-cert-staging
  namespace: istio-system
spec:
  # Secret names are always required.
  secretName: deanpetrusek-domain-cert-staging
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - jetstack
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - "certstaging.deanpetrusek.cloud"
  # Issuer references are always required.
  issuerRef:
    name: letsencrypt-staging-cluster
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
```
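```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-cluster
  # ClusterIssuer is cluster-scoped, so this namespace field has no effect.
  namespace: istio-system
spec:
  acme:
    # The address is redacted in the page source; set your ACME contact email here.
    email: [email protected]
    # Let's Encrypt staging endpoint: certificates it issues are not publicly trusted.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Secret holding the ACME account private key. For a ClusterIssuer it is
    # stored in cert-manager's cluster resource namespace (cert-manager by default).
    privateKeySecretRef:
      name: letsencrypt-staging-cluster
    solvers:
      - http01:
          ingress:
            class: istio
```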
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: certtest-gateway-staging
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "certstaging.deanpetrusek.cloud"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: deanpetrusek-domain-cert-staging
      hosts:
        - "certstaging.deanpetrusek.cloud"
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: certtest-virtual-service
  namespace: default
spec:
  hosts:
    - "certstaging.deanpetrusek.cloud"
  gateways:
    - istio-system/certtest-gateway-staging
  http:
    - match:
        - uri:
            exact: /
      route:
        - destination:
            host: testpage
            port:
              number: 8080
```