Difference between revisions of "Ingress with the wildcard ssl certificate of Lets Encrypt on AKS"
Fred.chang (talk | contribs) |
Fred.chang (talk | contribs) |
||
| (51 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | == | + | == Prerequisites == |
| − | 1. Have an Azure DNS Zone and delegate your domain name | + | 1. Have an Azure DNS Zone and delegate your domain name to it. (please refer to [https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns Host your domain in Azure DNS]) |
| − | 2. Have an AKS and | + | 2. Have an AKS and make sure it's Linux-based. |
| + | |||
| + | 3. Note down the <u>'''name'''</u>('''$AKS_NAME''') and <u>'''resource group'''</u>('''$AKS_RESOURCE_GROUP''') of the AKS. | ||
| + | |||
| + | 4. Make sure that there are no other installed instances of the ingress and the cert-manager. | ||
== First thing on Azure == | == First thing on Azure == | ||
| − | 1. Please refer to [https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart Quickstart for Bash in Azure Cloud Shell] and enter the azure bash. | + | 1. Please refer to [https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart Quickstart for Bash in Azure Cloud Shell] and '''enter the azure bash'''. |
| + | |||
| + | 2. Show you account information by using "'''az account show'''" and note down your <u>'''subscription id'''</u>('''$SUBSCRIPTION_ID''') and <u>'''tenant id'''</u>('''$TENANT_ID''') be shown as the following picture. | ||
| + | |||
| + | [[File:Aks wsc le ids.png|Subscription Id and Tenant Id]] | ||
| + | |||
| + | 3. Use "az aks get-credentials --resource-group '''$AKS_RESOURCE_GROUP''' --name '''$AKS_NAME'''" to get the access right of '''kubectl'''. | ||
| + | |||
| + | 4. Make sure that you have the ability to install packages with helm. If not, please refer to [https://docs.microsoft.com/en-us/azure/aks/kubernetes-helm Install applications with Helm in Azure Kubernetes Service (AKS)] | ||
| + | |||
| + | == Upload and Install == | ||
| + | |||
| + | 1. Download [[File:AKSLE.zip|AKSLE]]. | ||
| + | |||
| + | 2. Unzip it and upload AKSLE.sh as the following picture. | ||
| + | |||
| + | [[File:Upload to aks.png|Upload]] | ||
| + | |||
| + | 3. Change the file mode by using "chmod 777 AKSLE.sh" | ||
| + | |||
| + | 4. Install it and it will generate a file '''"route.yaml"''' by using 'AKSLE.sh '''$DOMAIN_NAME''' '''$ADMIN_EMAIL_ADDRESS''' '''$SUBSCRIPTION_ID''' '''$TENANT_ID'''' | ||
| + | |||
| + | <span style="font-size:large;">'''Example''': 'AKSLE.sh "edgecenter.io" "fred.chang@advantech.com.tw" "12345679-1234-1234-1234-123456789012" "abcdefgh-abcd-abcd-abcd-abcdefghijkl"'</span> | ||
| + | |||
| + | <span style="font-size:xx-small;">P.S. If you have an azure public IP interface for ingress, you can use 'AKSLE.sh '''$DOMAIN_NAME''' '''$ADMIN_EMAIL_ADDRESS''' '''$SUBSCRIPTION_ID''' '''$TENANT_ID''' '''<span style="color:#FF0000;">$PUBLIC_IP</span>''''</span> | ||
| + | |||
| + | 5. Show '''EXTERNAL-IP''' by using 'kubectl get service/nginx-ingress-controller' and update it on Azure DNS zone. | ||
| + | |||
| + | == Configuration == | ||
| + | |||
| + | *You can modify the file '''"route.yaml"''' as the following picture to fit your scenario, and apply it by using '''"kubectl apply -f route.yaml"'''. | ||
| + | |||
| + | [[File:Route.png|Route]] | ||
| + | |||
| + | *You need to update the related records on Azure DNS zone. | ||
| + | |||
| + | [[File:Dnszone.png|DNS Zone]] | ||
| + | |||
| + | == Production version == | ||
| + | |||
| + | Above example is for testing, and the certificate is fake and untrusted. | ||
| + | |||
| + | [[File:Fake.png|Fake]] | ||
| + | |||
| + | If you are ready to deploy a real certificate and the result of the above test is well, you can run the production procedure. | ||
| − | + | The production procedure is just | |
| − | + | #Use [[File:Delete.zip|Delete]] with the command './delete.sh $DOMAIN_NAME' | |
| + | #Use [[File:AKSLE-prod.zip|Production]] with the same flow of the test procedure. | ||
| − | + | And then you will get | |
| − | + | [[File:Production.png|Production]] | |
Latest revision as of 11:28, 12 July 2019
Contents
Prerequisites
1. Have an Azure DNS Zone and delegate your domain name to it. (please refer to Host your domain in Azure DNS)
2. Have an AKS and make sure it's Linux-based.
3. Note down the name($AKS_NAME) and resource group($AKS_RESOURCE_GROUP) of the AKS.
4. Make sure that there are no other installed instances of the ingress and the cert-manager.
First thing on Azure
1. Please refer to Quickstart for Bash in Azure Cloud Shell and enter the azure bash.
2. Show you account information by using "az account show" and note down your subscription id($SUBSCRIPTION_ID) and tenant id($TENANT_ID) be shown as the following picture.
3. Use "az aks get-credentials --resource-group $AKS_RESOURCE_GROUP --name $AKS_NAME" to get the access right of kubectl.
4. Make sure that you have the ability to install packages with helm. If not, please refer to Install applications with Helm in Azure Kubernetes Service (AKS)
Upload and Install
1. Download File:AKSLE.zip.
2. Unzip it and upload AKSLE.sh as the following picture.
3. Change the file mode by using "chmod 777 AKSLE.sh"
4. Install it and it will generate a file "route.yaml" by using 'AKSLE.sh $DOMAIN_NAME $ADMIN_EMAIL_ADDRESS $SUBSCRIPTION_ID $TENANT_ID'
Example: 'AKSLE.sh "edgecenter.io" "fred.chang@advantech.com.tw" "12345679-1234-1234-1234-123456789012" "abcdefgh-abcd-abcd-abcd-abcdefghijkl"'
P.S. If you have an azure public IP interface for ingress, you can use 'AKSLE.sh $DOMAIN_NAME $ADMIN_EMAIL_ADDRESS $SUBSCRIPTION_ID $TENANT_ID $PUBLIC_IP'
5. Show EXTERNAL-IP by using 'kubectl get service/nginx-ingress-controller' and update it on Azure DNS zone.
Configuration
- You can modify the file "route.yaml" as the following picture to fit your scenario, and apply it by using "kubectl apply -f route.yaml".
- You need to update the related records on Azure DNS zone.
Production version
Above example is for testing, and the certificate is fake and untrusted.
If you are ready to deploy a real certificate and the result of the above test is well, you can run the production procedure.
The production procedure is just
- Use File:Delete.zip with the command './delete.sh $DOMAIN_NAME'
- Use File:AKSLE-prod.zip with the same flow of the test procedure.
And then you will get
