Differences

This shows you the differences between two versions of the page.

--- система_kubernetes [2025/12/25 17:00]
val [Ingress]
+++ система_kubernetes [2025/12/26 06:31] (current)
val
@@ Line 1288: / Line 1288: @@
 $ ###kubectl delete secret/gowebd-tls -n my-ns
 </code>
-=== cert-manager ===
-  * [[Letsencrypt Certbot]]
-  * [[https://cert-manager.io/docs/installation/|cert-manager Installation]]
-  * [[https://cert-manager.io/docs/tutorials/acme/nginx-ingress/|cert-manager Securing NGINX-ingress]]
-  * [[https://debuntu.ru/manuals/kubernetes/tls-kerberos-in-kubernetes/cert-manager_and_all_about_it/installing-configuring-cert-manager/|debuntu.ru Установка и настройка cert-manager]]
-  * [[https://habr.com/ru/companies/nubes/articles/808035/|Автоматический выпуск SSL-сертификатов. Используем Kubernetes и FreeIPA]]
-  * [[https://cert-manager.io/docs/configuration/acme/#private-acme-servers|Private ACME Servers]]
-<code>
-student@vps:~$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.1/cert-manager.yaml
-student@vps:~$ kubectl -n cert-manager get all
-student@vps:~$ cat ...issuer.yaml
-</code><code>
-apiVersion: cert-manager.io/v1
-#kind: Issuer
-kind: ClusterIssuer
-metadata:
-  #name: letsencrypt-staging-clusterissuer
-  #name: letsencrypt-prod-clusterissuer
-  #name: freeipa-clusterissuer
-spec:
-  acme:
-    #server: https://acme-staging-v02.api.letsencrypt.org/directory
-    #server: https://acme-v02.api.letsencrypt.org/directory
-    #profile: tlsserver
-    #server: https://server.corpX.un/acme/directory
-    #caBundle: # cat /etc/ipa/ca.crt | base64 -w0
-    email: student@corpX.un
-    privateKeySecretRef:
-      name: ...issuer-secret
-    solvers:
-    - http01:
-        ingress:
-          ingressClassName: nginx
-    #- dns01:
-        #rfc2136:
-          #nameserver: 172.19.32.2
-          #tsigKeyName: certbot.anysite
-          #tsigAlgorithm: HMACSHA512
-          #tsigSecretSecretRef:
-            #name: anysite-tsig-secret
-            #key: tsig-secret-key
-</code><code>
-student@vps:~$ kubectl apply -f ...issuer.yaml #-n my-ns
-student@vps:~$ kubectl get secret -n cert-manager #-n my-ns
-student@vps:~/pywebd-k8s$ kubectl -n my-pywebd-ns create secret generic anysite-tsig-secret --from-literal=tsig-secret-key="NNN...NNN"
-</code>
-  * Запустить выпуск сертификата можно 2-мя способами:
--й способ: annotations в [[#ingress example]]
--й способ (используется если для сайта нет ingress и негде указать annotations или для rfc2136)
-<code>
-student@vps:~/webd-k8s$ cat my-certificate.yaml
-</code><code>
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: webd-cert
-spec:
-  secretName: webd-tls
-  dnsNames:
-    - siteN.mgtu.ru
-  issuerRef:
-    name: ...issuer
-    #kind: ClusterIssuer
-    #kind: Issuer
-</code>
-<code>
-student@vps:~$ kubectl -n my-ns get certificate,secrets
-student@vps:~$ kubectl -n my-ns events
-...
-Certificate fetched from issuer successfully
-student@vps:~$ kubectl -n my-ns get secret webd-tls -o yaml
-</code>
 ==== Volumes ====
@@ Line 2574: / Line 2488: @@
   ИЛИ
 kube1:~/users# kubectl delete clusterrolebindings user1-cluster-admin
+</code>
+===== cert-manager =====
+  * [[Letsencrypt Certbot]]
+  * [[https://cert-manager.io/docs/installation/|cert-manager Installation]]
+  * [[https://cert-manager.io/docs/tutorials/acme/nginx-ingress/|cert-manager Securing NGINX-ingress]]
+  * [[https://debuntu.ru/manuals/kubernetes/tls-kerberos-in-kubernetes/cert-manager_and_all_about_it/installing-configuring-cert-manager/|debuntu.ru Установка и настройка cert-manager]]
+  * [[https://habr.com/ru/companies/nubes/articles/808035/|Автоматический выпуск SSL-сертификатов. Используем Kubernetes и FreeIPA]]
+  * [[https://cert-manager.io/docs/configuration/acme/#private-acme-servers|Private ACME Servers]]
+<code>
+student@vps:~$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.1/cert-manager.yaml
+student@vps:~$ kubectl -n cert-manager get all
+student@vps:~$ cat ...issuer.yaml
+</code><code>
+apiVersion: cert-manager.io/v1
+#kind: Issuer
+kind: ClusterIssuer
+metadata:
+  #name: letsencrypt-staging-clusterissuer
+  #name: letsencrypt-prod-clusterissuer
+  #name: freeipa-clusterissuer
+spec:
+  acme:
+    #server: https://acme-staging-v02.api.letsencrypt.org/directory
+    #server: https://acme-v02.api.letsencrypt.org/directory
+    #profile: tlsserver
+    #server: https://server.corpX.un/acme/directory
+    #caBundle: # cat /etc/ipa/ca.crt | base64 -w0
+    email: student@corpX.un
+    privateKeySecretRef:
+      name: ...issuer-secret
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx
+    #- dns01:
+        #rfc2136:
+          #nameserver: 172.19.32.2
+          #tsigKeyName: certbot.anysite
+          #tsigAlgorithm: HMACSHA512
+          #tsigSecretSecretRef:
+            #name: anysite-tsig-secret
+            #key: tsig-secret-key
+</code><code>
+student@vps:~$ kubectl apply -f ...issuer.yaml #-n my-ns
+student@vps:~$ kubectl get secret -n cert-manager #-n my-ns
+student@vps:~/pywebd-k8s$ kubectl -n my-pywebd-ns create secret generic anysite-tsig-secret --from-literal=tsig-secret-key="NNN...NNN"
+</code>
+  * Запустить выпуск сертификата можно 2-мя способами:
+-й способ: annotations в [[#ingress example]]
+-й способ (используется если для сайта нет ingress и негде указать annotations или для rfc2136)
+<code>
+student@vps:~/webd-k8s$ cat my-certificate.yaml
+</code><code>
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: webd-cert
+spec:
+  secretName: webd-tls
+  dnsNames:
+    - siteN.mgtu.ru
+  issuerRef:
+    name: ...issuer
+    #kind: ClusterIssuer
+    #kind: Issuer
+</code>
+<code>
+student@vps:~$ kubectl -n my-ns get certificate,secrets
+student@vps:~$ kubectl -n my-ns events
+...
+Certificate fetched from issuer successfully
+student@vps:~$ kubectl -n my-ns get secret webd-tls -o yaml
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools