система_kubernetes [2026/02/07 18:47] val [cert-manager] |
система_kubernetes [2026/02/07 19:45] (current) val [cert-manager] |
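--- a/система_kubernetes
+++ b/система_kubernetes
@@ -2522 +2522 @@
 kube1:~# kubectl -n cert-manager get all
-kube1:~/cert-manager# #kubectl create secret generic cert-manager-tsig-secret --from-literal=tsig-secret-key="s751+e/OkNNNNNN=" -n cert-manager
-kube1:~/cert-manager# cat ...issuer.yaml
+kube1:~/cert-manager# kubectl create secret generic cert-manager-tsig-secret --from-literal=tsig-secret-key="s751+e/OkNNNNNN=" -n cert-manager
+kube1:~/cert-manager# cat freeipa-dns-clusterissuer.yaml
 </code><code>
 apiVersion: cert-manager.io/v1
@@ -2533 +2533 @@
 #name: letsencrypt-prod-clusterissuer
 #name: freeipa-clusterissuer
-#name: freeipa-dns-clusterissuer
+name: freeipa-dns-clusterissuer
 spec:
 acme:
@@ -2540 +2540 @@
 #profile: tlsserver
-#server: https://server.corpX.un/acme/directory
-#caBundle: # cat /etc/ipa/ca.crt | base64 -w0
+server: https://server.corpX.un/acme/directory
+caBundle: # cat /etc/ipa/ca.crt | base64 -w0
 email: student@corpX.un
 privateKeySecretRef:
-name: ...issuer-secret
+name: freeipa-dns-clusterissuer-secret
 solvers:
-- http01:
-ingress:
-ingressClassName: nginx
-#- dns01:
-#rfc2136:
-#nameserver: 192.168.X.10
-#tsigKeyName: cert-manager
-#tsigAlgorithm: HMACSHA256
-#tsigSecretSecretRef:
-#name: cert-manager-tsig-secret
-#key: tsig-secret-key
+# - http01:
+# ingress:
+# ingressClassName: nginx
+- dns01:
+rfc2136:
+nameserver: 192.168.X.10
+tsigKeyName: cert-manager
+tsigAlgorithm: HMACSHA256
+tsigSecretSecretRef:
+name: cert-manager-tsig-secret
+key: tsig-secret-key
 </code><code>
-kube1:~/cert-manager# kubectl apply -f ...issuer.yaml #-n my-...
+kube1:~/cert-manager# kubectl apply -f freeipa-dns-clusterissuer.yaml #-n my-...
 kube1:~/cert-manager# kubectl get secret -n cert-manager #-n my-...
 kube1:~/cert-manager# kubectl get clusterissuers.cert-manager.io
-kube1:~/cert-manager# kubectl get issuers.cert-manager.io #-n my-...
+kube1:~/cert-manager# #kubectl get issuers.cert-manager.io #-n my-...
 NAME READY AGE
 ...issuer True 42s
@@ -2576 +2575 @@
 2-й способ (используется если для сайта нет ingress и негде указать annotations или для rfc2136)
 <code>
-kube1:~/...# cat my-certificate.yaml
+kube1:~/gitlab# cat my-certificate.yaml
 </code><code>
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-name: ...-cert
+name: gitlab-cert
 spec:
-secretName: ...-tls
+secretName: gitlab-tls
 dnsNames:
 #- siteN.mgtu.ru
 #- keycloak.corpX.un
-#- gitlab.corpX.un
+- gitlab.corpX.un
 issuerRef:
-name: ...issuer
-#kind: ClusterIssuer
+name: freeipa-dns-clusterissuer
+kind: ClusterIssuer
 #kind: Issuer
 privateKey:
 rotationPolicy: Always
 </code><code>
-kube1:~/...# kubectl apply -f my-certificate.yaml -n my-...
-kube1:~/...# kubectl get certificate,secrets -n my-...
-kube1:~/...# kubectl events -n my-...
+kube1:~/gitlab# kubectl apply -f my-certificate.yaml -n my-gitlab-ns
+kube1:~/gitlab# kubectl get certificate,secrets -n my-gitlab-ns
+kube1:~/gitlab# kubectl events -n my-gitlab-ns
 ...
 Certificate fetched from issuer successfully
-kube1:~/...# kubectl get secret ...-tls -o yaml -n my-...
+kube1:~/gitlab# kubectl get secret gitlab-tls -o yaml -n my-gitlab-ns
 </code>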
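Review bot: The now-active `kubectl create secret generic cert-manager-tsig-secret --from-literal=tsig-secret-key="s751+e/OkNNNNNN=" -n cert-manager` line passes the TSIG key on the command line, so the real key value ends up in the shell history on kube1 (and is visible in the process list while it runs); prefer `--from-file=tsig-secret-key=/path/to/tsig.key` or `--from-literal=tsig-secret-key="$(cat /path/to/tsig.key)"` so the value itself is never typed. The uncommented `caBundle: # cat /etc/ipa/ca.crt | base64 -w0` still has no value, so as written the ClusterIssuer can only reach `https://server.corpX.un/acme/directory` if the FreeIPA CA is already in the trust store cert-manager uses — the base64 output has to be pasted as the value, and a comment such as `# paste the base64 output of ca.crt here; do not work around a TLS error with skipTLSVerify` would make that explicit. Because the issuer is a ClusterIssuer, `tsigSecretSecretRef` is resolved in the cert-manager namespace, which matches the `-n cert-manager` on the create command; a one-line note would stop readers from moving the secret into `my-gitlab-ns` next to the Certificate. The TSIG key `cert-manager` on 192.168.X.10 should presumably be restricted to updating `_acme-challenge` TXT records, but that DNS-side policy is not shown on this page.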