Alfred Sabitzer

K8s Applications mit MicroK8S auf Raspberry PI


Скачать книгу

       acme:

      #change to your email

       email: [email protected]

       server: https://acme-staging-v02.api.letsencrypt.org/directory

       privateKeySecretRef:

       name: letsencrypt-staging

       solvers:

       - http01:

       ingress:

       class: public

      EOF

      ansible pc1 -m shell -a 'microk8s kubectl apply -f '${id}'/letsencrypt-staging.yaml'

      cat <<EOF > ${wd}/letsencrypt-prod.yaml

      apiVersion: cert-manager.io/v1

      kind: ClusterIssuer

      metadata:

       name: letsencrypt-prod

      spec:

       acme:

       server: https://acme-v02.api.letsencrypt.org/directory

      #change to your email

       email: [email protected]

       privateKeySecretRef:

       name: letsencrypt-prod

       solvers:

       - http01:

       ingress:

       class: public

      EOF

      ansible pc1 -m shell -a 'microk8s kubectl apply -f '${id}'/letsencrypt-prod.yaml'

      cat <<EOF > ${wd}/ingress-routes-update.yaml

      apiVersion: networking.k8s.io/v1

      kind: Ingress

      metadata:

       name: webserver-routes

       namespace: slainte

       annotations:

       # Class checken mit kubectl -n ingress describe daemonset.apps/nginx-ingress-microk8s-controller

       kubernetes.io/ingress.class: public

      # Das ist für das Zertifikat

       cert-manager.io/cluster-issuer: "letsencrypt-prod"

      # Das ist für das http -> https forwarding

      # See https://kubernetes.github.io/ingress-nginx/examples/rewrite/

       nginx.ingress.kubernetes.io/rewrite-target: /\$1

       nginx.ingress.kubernetes.io/ssl-redirect: "true"

       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

       nginx.ingress.kubernetes.io/ssl-temporary-redirect: "false"

       nginx.ingress.kubernetes.io/secure-backends: "true"

       nginx.ingress.kubernetes.io/ssl-proxy-headers: "X-Forwarded-Proto: https"

       nginx.ingress.kubernetes.io/proxy-body-size: 0m

       nginx.ingress.kubernetes.io/proxy-buffering: "off"

      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"

      # https://github.com/nginxinc/kubernetes-ingress/tree/v1.12.0/examples/ssl-services

      # nginx.ingress.kubernetes.io/ssl-services: "\${image}-svc"

      # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

      spec:

       tls:

       - hosts:

       - k8s.slainte.at

       secretName: k8s-slainte-at-tls

       rules:

       - host: k8s.slainte.at

       http:

       paths:

       - path: /(.*)

       pathType: Prefix

       backend:

       service:

       name: webserver-svc

       port:

       number: 80

       defaultBackend:

       service:

       name: webserver-svc

       port:

       number: 80

      EOF

      ansible pc1 -m shell -a 'microk8s kubectl apply -f '${id}'/ingress-routes-update.yaml '

      # Service PROD

      curl -k -v http://k8s.slainte.at

      #erreichbar sein.

      #Aber auch mit https

      curl -k -v https://k8s.slainte.at

      #

      ## Prüfen des Zertifikates

      ansible pc1 -m shell -a 'microk8s kubectl get certificate --all-namespaces'

      ansible pc1 -m shell -a 'microk8s kubectl describe certificate --all-namespaces'

      ansible pc1 -m shell -a 'microk8s kubectl get certificaterequests.cert-manager.io '

      ansible pc1 -m shell -a 'microk8s kubectl describe certificaterequests '

      ansible pc1 -m shell -a 'microk8s kubectl get certificatesigningrequests.certificates.k8s.io '

      ansible pc1 -m shell -a 'microk8s kubectl get Issuer'

      ansible pc1 -m shell -a 'microk8s kubectl get ClusterIssuer'

      ansible pc1 -m shell -a 'microk8s kubectl describe ClusterIssuer letsencrypt-prod '

      ansible pc1 -m shell -a 'microk8s kubectl get challenges.acme.cert-manager.io '

      ansible pc1 -m shell -a 'microk8s kubectl describe challenges.acme.cert-manager.io '

      ##

      exit

      Die Zertifikate entstehen dann, wenn sie gebraucht werden. Die Definition ist im Ingress. Derzeit gibt es einen URL pro Namespace, und damit ein Zertifikat.

      Die Namespaces werden hier definiert.

      #!/bin/bash

      ############################################################################################

      # $Date: 2021-11-23 18:03:25 +0100 (Di, 23. Nov 2021) $

      # $Revision: 1272 $

      # $Author: alfred $

      # $HeadURL: https://monitoring.slainte.at/svn/slainte/trunk/k8s/k8s_app/namespace/slainte_env.sh $

      # $Id: slainte_env.sh 1272 2021-11-23 17:03:25Z alfred $

      #

      # Bauen und deployen

      #

      ############################################################################################

      #shopt -o -s errexit #—Terminates the shell script if a command returns an error code.

      shopt -o -s xtrace #—Displays each command before it’s executed.

      shopt -o -s nounset #-No Variables without definition

      export secretName="k8s-slainte-at-tls"

      export host="k8s.slainte.at"

      export namespace_comment="Namespace für die Produktion"

      export cluster_issuer="letsencrypt-prod"

      export docker_registry="docker.registry:5000"

      #