Closed ranhsd closed 7 years ago
Hi @ranhsd - good questions.
`/.well-known/acme-challenge`) to the letsencrypt service, so that a request for `http://{your-domain}/.well-known/acme-challenge` will route through to the pod where the challenge is found.

```yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: letsencrypt-live-deployment
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: letsencrypt
        mode: live
    spec:
      containers:
      - name: letsencrypt
        image: ployst/letsencrypt:0.1.0
        env:
        - name: EMAIL
          value: '{email-address}'
        - name: DOMAINS
          value: foo.example.com bar.example.com
        - name: DEPLOYMENTS
          value: nginx-ssl-proxy-foo-live-deployment nginx-ssl-proxy-bar-live-deployment
        - name: SECRET_NAME
          value: certs-example.com
        - name: CRON_FREQUENCY
          value: '15 1 1 * *'
        ports:
        - name: ssl-proxy-http
          containerPort: 80
```
I have 2 of these, one `foo` and one `bar`, that both use the same certs gathered from the single letsencrypt pod above:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ssl-proxy-foo-live-deployment
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: nginx-ssl-proxy-foo
        mode: live
    spec:
      containers:
      - name: nginx-ssl-proxy-foo
        image: ployst/nginx-ssl-proxy:0.0.7
        env:
        - name: SERVICE_HOST_ENV_NAME
          value: FOO_SERVICE_SERVICE_HOST
        - name: SERVICE_PORT_ENV_NAME
          value: FOO_SERVICE_SERVICE_PORT
        - name: CERT_SERVICE_HOST_ENV_NAME
          value: CERT_SERVICE_SERVICE_HOST
        - name: CERT_SERVICE_PORT_ENV_NAME
          value: CERT_SERVICE_SERVICE_PORT
        - name: SERVER_NAME
          value: foo.example.com
        - name: ENABLE_SSL
          value: 'true'
        - name: ENABLE_BASIC_AUTH
          value: 'false'
        - name: WEB_SOCKETS
          value: 'true'
        ports:
        - name: ssl-proxy-http
          containerPort: 80
        - name: ssl-proxy-https
          containerPort: 443
        volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
          readOnly: true
      volumes:
      - name: secrets
        secret:
          secretName: certs-example.com
```
Hi @alexcouper - thanks a lot for the detailed answer. I will try it and will let you know.
Hi @alexcouper - do I need 2 additional yaml files for the nginx-ssl-proxy service and for the letsencrypt service? And about `SERVICE_HOST_ENV_NAME` and `CERT_SERVICE_HOST_ENV_NAME`: I assume that the `CERT_SERVICE_HOST_ENV_NAME` should point to the letsencrypt pod cluster IP address (is this correct?), but what about the `CERT_SERVICE_HOST_ENV_NAME`, to where should it point?

Thanks again.
You need to define the services separately, yes. I've again included samples below.

`SERVICE_HOST_ENV_NAME` and `CERT_SERVICE_HOST_ENV_NAME` are smarter than just clusterIP. Put in here the name of the environment variable that holds the IP address. K8S populates an env variable for every service so your pods can look up in the env what the service IP is, meaning that if the IP changes the pod just needs to be restarted (rather than the config changed).
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    role: cert-app
  name: cert-service
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: letsencrypt
    mode: live
  type: ClusterIP
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ssl-proxy-api-service
spec:
  ports:
  - port: 443
    targetPort: 443
  - port: 80
    targetPort: 80
  selector:
    app: nginx-ssl-proxy-api
    mode: live
  type: LoadBalancer
```
If you had the above 2 services along with a third named "ranhsd-service" that is your actual service (the one where requests eventually want to end up), you'd set:

```yaml
- name: SERVICE_HOST_ENV_NAME
  value: RANHSD_SERVICE_SERVICE_HOST
- name: SERVICE_PORT_ENV_NAME
  value: RANHSD_SERVICE_SERVICE_PORT
- name: CERT_SERVICE_HOST_ENV_NAME
  value: CERT_SERVICE_SERVICE_HOST
- name: CERT_SERVICE_PORT_ENV_NAME
  value: CERT_SERVICE_SERVICE_PORT
```
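As an added example (not code from this thread and not the ployst images' own entrypoint), the script below shows the two things the answer above relies on: how Kubernetes derives the injected `<NAME>_SERVICE_HOST` / `<NAME>_SERVICE_PORT` variable names from a Service name such as `ranhsd-service`, and how a container resolves the indirection in `SERVICE_HOST_ENV_NAME` (a variable whose value is the name of another variable). The helper names, the sample addresses and the `demo` environment are assumptions constructed for the example. Because the indirection value comes from a manifest and ends up in `eval`, the resolver only accepts strings that are valid shell identifiers, which keeps a typo or a hostile value from being executed as shell code.

```shell
#!/bin/sh
# Added example: resolve the SERVICE_HOST_ENV_NAME-style indirection safely.
# Helper names and sample values are assumptions, not part of the thread.

# Kubernetes service-link variable prefix: "ranhsd-service" -> "RANHSD_SERVICE"
svc_env_prefix() {
  printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}
# Full names of the injected variables for a given Service name.
svc_host_var() { printf '%s_SERVICE_HOST' "$(svc_env_prefix "$1")"; }
svc_port_var() { printf '%s_SERVICE_PORT' "$(svc_env_prefix "$1")"; }

# Accept only a shell identifier; anything else must never reach eval.
is_var_name() {
  case "$1" in
    ""|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# resolve_indirect NAME: NAME (e.g. SERVICE_HOST_ENV_NAME) holds the *name* of
# the variable that carries the address; print that address or fail loudly.
resolve_indirect() {
  is_var_name "$1" || { echo "resolve_indirect: bad name '$1'" >&2; return 1; }
  target=$(eval "printf '%s' \"\$$1\"")
  is_var_name "$target" || { echo "resolve_indirect: $1 does not name a variable" >&2; return 1; }
  value=$(eval "printf '%s' \"\$$target\"")
  [ -n "$value" ] || { echo "resolve_indirect: $target is unset" >&2; return 1; }
  printf '%s' "$value"
}

# Build the upstream URL a proxy would use from a host/port indirection pair.
upstream_url() {
  host=$(resolve_indirect "$1") || return 1
  port=$(resolve_indirect "$2") || return 1
  printf 'http://%s:%s' "$host" "$port"
}

# Constructed sample environment, shaped like what the kubelet injects for the
# services "ranhsd-service" and "cert-service" (addresses are made up).
demo() {
  (
    export RANHSD_SERVICE_SERVICE_HOST=10.0.0.42 RANHSD_SERVICE_SERVICE_PORT=8080
    export CERT_SERVICE_SERVICE_HOST=10.0.0.7 CERT_SERVICE_SERVICE_PORT=80
    export SERVICE_HOST_ENV_NAME="$(svc_host_var ranhsd-service)"
    export SERVICE_PORT_ENV_NAME="$(svc_port_var ranhsd-service)"
    export CERT_SERVICE_HOST_ENV_NAME="$(svc_host_var cert-service)"
    export CERT_SERVICE_PORT_ENV_NAME="$(svc_port_var cert-service)"
    upstream_url SERVICE_HOST_ENV_NAME SERVICE_PORT_ENV_NAME; echo
    upstream_url CERT_SERVICE_HOST_ENV_NAME CERT_SERVICE_PORT_ENV_NAME; echo
  )
}
```

Running `demo` prints the backend URL followed by the cert-service URL; the same functions can be sourced into a container entrypoint, where `upstream_url SERVICE_HOST_ENV_NAME SERVICE_PORT_ENV_NAME` yields the address to proxy to and `upstream_url CERT_SERVICE_HOST_ENV_NAME CERT_SERVICE_PORT_ENV_NAME` the address for the `/.well-known/acme-challenge` path.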
Hi, I am trying to implement this (that was written by you) and I need your help to clarify some things:

Thanks in advance!