Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/24 03:21:27 UTC

[GitHub] [apisix-ingress-controller] tao12345666333 commented on a change in pull request #685: feat: support cert-manager

tao12345666333 commented on a change in pull request #685:
URL: https://github.com/apache/apisix-ingress-controller/pull/685#discussion_r715279660



##########
File path: docs/en/latest/practices/manage-certificates-with-cert-manager.md
##########
@@ -0,0 +1,236 @@
+---
+title: Manage Certificates With Cert Manager
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+This tutorial will detail how to manage secrets of ApisixTls using cert-manager.
+
+## Prerequisites
+
+* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KiND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
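Review bot: `ApisixTls` in the intro sentence is a resource kind and should be set in code font (`ApisixTls`), and the first prerequisite bullet is a comma splice. Suggest "Prepare an available Kubernetes cluster on your workstation; we recommend using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster."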

Review comment:
```suggestion
* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
```

##########
File path: docs/en/latest/practices/manage-certificates-with-cert-manager.md
##########
@@ -0,0 +1,236 @@
+---
+title: Manage Certificates With Cert Manager
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+This tutorial will detail how to manage secrets of ApisixTls using cert-manager.
+
+## Prerequisites
+
+* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KiND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
+* Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart).
+* Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md).
+* Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).
+
+In this guide, we assume that your APISIX is installed with `ssl` enabled, which is not enabled by default in the Helm Chart. To enable it, you need to set `gateway.tls.enabled=true` during installation.
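Review bot: the TLS requirement in the last line is detached from the install step in the prerequisites, so a reader who follows the Helm bullet first installs APISIX without TLS and then has to upgrade the release. Suggest folding the flag into the install bullet, e.g. "Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart) with `--set gateway.tls.enabled=true`." Also, `ssl` in code font reads like a literal value name while the chart value is actually `gateway.tls.enabled`; "with TLS enabled" would be clearer.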

Review comment:
Or we can directly list the complete Helm command.

```
helm install apisix apisix/apisix --set gateway.type=NodePort --set ingress-controller.enabled=true --set gateway.tls.enabled=true
```

##########
File path: docs/en/latest/practices/manage-ingress-certificates-with-cert-manager.md
##########
@@ -0,0 +1,190 @@
+---
+title: Manage Ingress Certificates With Cert Manager
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+This tutorial will detail how to secure ingress using cert-manager.
+
+## Prerequisites
+
+* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KiND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
+* Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart).
+* Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md).
+* Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).
+
+In this guide, we assume that your APISIX is installed with `ssl` enabled, which is not enabled by default in the Helm Chart. To enable it, you need to set `gateway.tls.enabled=true` during installation.
+
+Assume that the SSL port is `9443`.
+
+## Create Issuer
+
+For testing purposes, we will use a simple CA issuer. All required files can be found [here](./cert-manager).
+
+To create a CA issuer, use the following commands:
+
+```bash
+kubectl apply -f ./cert-manager/ca.yaml
+kubectl apply -f ./cert-manager/issuer.yaml
+```
+
+If the cert-manager is working correctly, we should be able to see the Ready status by running:
+
+```bash
+kubectl get issuer
+```
+
+It should output:
+
+```text
+NAME        READY   AGE
+ca-issuer   True    50s
+```
+
+## Create Test Certificate
+
+To ensure that cert-manager is working properly, we can create a test `Certificate` resource.
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: demo-cert
+spec:
+  dnsNames:
+    - example.com
+  issuerRef:
+    kind: Issuer
+    name: ca-issuer
+  secretName: example-cert
+  usages:
+    - digital signature
+    - key encipherment
+```
+
+Like `Issuer`, we could see its readiness status by running:
+
+```bash
+kubectl get certificate
+```
+
+It should output:
+
+```text
+NAME        READY   SECRET        AGE
+demo-cert   True    example.com   50s
+```
+
+Check the secrets by running:
+
+```bash
+kubectl get secret
+```
+
+It should output:
+
+```text
+NAME          TYPE                DATA   AGE
+example.com   kubernetes.io/tls   3      2m20s
+```
+
+This means that our cert-manager is working properly.
+
+## Create Test Service
+
+We use [kennethreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin/) as the service image.
+
+Deploy it by running:
+
+```bash
+kubectl run httpbin --image kennethreitz/httpbin --port 80
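Review bot: the `kubectl get certificate` and `kubectl get secret` outputs contradict the `Certificate` spec above them: the spec sets `secretName: example-cert`, but the SECRET column shows `example.com` and the secret listing shows a secret named `example.com`. Suggest changing both outputs to `example-cert`, otherwise a reader comparing their cluster against the doc will conclude cert-manager is not working.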

Review comment:
As I suggested above.

##########
File path: docs/en/latest/practices/manage-certificates-with-cert-manager.md
##########
@@ -0,0 +1,236 @@
+---
+title: Manage Certificates With Cert Manager
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+This tutorial will detail how to manage secrets of ApisixTls using cert-manager.
+
+## Prerequisites
+
+* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KiND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
+* Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart).
+* Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md).
+* Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).
+
+In this guide, we assume that your APISIX is installed with `ssl` enabled, which is not enabled by default in the Helm Chart. To enable it, you need to set `gateway.tls.enabled=true` during installation.
+
+Assume that the SSL port is `9443`.
+
+## Create Issuer
+
+For testing purposes, we will use a simple CA issuer. All required files can be found [here](./cert-manager).
+
+To create a CA issuer, use the following commands:
+
+```bash
+kubectl apply -f ./cert-manager/ca.yaml
+kubectl apply -f ./cert-manager/issuer.yaml
+```
+
+If the cert-manager is working correctly, we should be able to see the Ready status by running:
+
+```bash
+kubectl get issuer
+```
+
+It should output:
+
+```text
+NAME        READY   AGE
+ca-issuer   True    50s
+```
+
+## Create Certificate
+
+Before creating ApisixTls, we should create a `Certificate` resource.
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: demo-cert
+spec:
+  dnsNames:
+    - local.httpbin.org
+  issuerRef:
+    kind: Issuer
+    name: ca-issuer
+  secretName: example-cert
+  usages:
+    - digital signature
+    - key encipherment
+  renewBefore: 0h55m0s
+  duration: 1h0m0s
+```
+
+Note that we set the parameters `duration` and `renewBefore`. We want to test if the certificate rotation functionality is working well, so a shorter renewal time will help.
+
+Like `Issuer`, we could see its readiness status by running:
+
+```bash
+kubectl get certificate
+```
+
+It should output:
+
+```text
+NAME        READY   SECRET        AGE
+demo-cert   True    example-cert  50s
+```
+
+Check the secrets by running:
+
+```bash
+kubectl get secret
+```
+
+It should output:
+
+```text
+NAME          TYPE                DATA   AGE
+example-cert  kubernetes.io/tls   3      2m20s
+```
+
+This means that our cert-manager is working properly.
+
+## Create Test Service
+
+We use [kennethreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin/) as the service image.
+
+Deploy it by running:
+
+```bash
+kubectl run httpbin --image kennethreitz/httpbin --port 80
+kubectl expose pod httpbin --port 80
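Review bot: the note under the `Certificate` spec says a shorter renewal time helps, but does not state the resulting schedule: with `duration: 1h0m0s` and `renewBefore: 0h55m0s`, cert-manager renews the certificate 5 minutes after issuance. Suggest spelling that out so readers know how long to wait when checking rotation, and saying explicitly that these values are for this test only, since a one-hour lifetime renewed every five minutes is not a production setting.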

Review comment:
And remove this line.

##########
File path: docs/en/latest/practices/manage-certificates-with-cert-manager.md
##########
@@ -0,0 +1,236 @@
+---
+title: Manage Certificates With Cert Manager
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+This tutorial will detail how to manage secrets of ApisixTls using cert-manager.
+
+## Prerequisites
+
+* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KiND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
+* Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart).
+* Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md).
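Review bot: the prerequisite bullets have a few wording issues: "in your workstation" should be "on your workstation", "we recommend you to use" should be "we recommend using", and "by Helm Chart" reads better as "using the Helm Chart". Suggest fixing these in the same pass as the other prerequisite changes so both documents stay consistent.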

Review comment:
I think it is better to deploy APISIX and APISIX Ingress directly together. For example:

`helm install apisix apisix/apisix --set gateway.type=NodePort --set ingress-controller.enabled=true`

##########
File path: docs/en/latest/practices/manage-certificates-with-cert-manager.md
##########
@@ -0,0 +1,236 @@
+---
+title: Manage Certificates With Cert Manager
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+This tutorial will detail how to manage secrets of ApisixTls using cert-manager.
+
+## Prerequisites
+
+* Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KiND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster.
+* Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart).
+* Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md).
+* Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).
+
+In this guide, we assume that your APISIX is installed with `ssl` enabled, which is not enabled by default in the Helm Chart. To enable it, you need to set `gateway.tls.enabled=true` during installation.
+
+Assume that the SSL port is `9443`.
+
+## Create Issuer
+
+For testing purposes, we will use a simple CA issuer. All required files can be found [here](./cert-manager).
+
+To create a CA issuer, use the following commands:
+
+```bash
+kubectl apply -f ./cert-manager/ca.yaml
+kubectl apply -f ./cert-manager/issuer.yaml
+```
+
+If the cert-manager is working correctly, we should be able to see the Ready status by running:
+
+```bash
+kubectl get issuer
+```
+
+It should output:
+
+```text
+NAME        READY   AGE
+ca-issuer   True    50s
+```
+
+## Create Certificate
+
+Before creating ApisixTls, we should create a `Certificate` resource.
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: demo-cert
+spec:
+  dnsNames:
+    - local.httpbin.org
+  issuerRef:
+    kind: Issuer
+    name: ca-issuer
+  secretName: example-cert
+  usages:
+    - digital signature
+    - key encipherment
+  renewBefore: 0h55m0s
+  duration: 1h0m0s
+```
+
+Note that we set the parameters `duration` and `renewBefore`. We want to test if the certificate rotation functionality is working well, so a shorter renewal time will help.
+
+Like `Issuer`, we could see its readiness status by running:
+
+```bash
+kubectl get certificate
+```
+
+It should output:
+
+```text
+NAME        READY   SECRET        AGE
+demo-cert   True    example-cert  50s
+```
+
+Check the secrets by running:
+
+```bash
+kubectl get secret
+```
+
+It should output:
+
+```text
+NAME          TYPE                DATA   AGE
+example-cert  kubernetes.io/tls   3      2m20s
+```
+
+This means that our cert-manager is working properly.
+
+## Create Test Service
+
+We use [kennethreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin/) as the service image.
+
+Deploy it by running:
+
+```bash
+kubectl run httpbin --image kennethreitz/httpbin --port 80
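Review bot: the Create Issuer section applies `./cert-manager/ca.yaml` and `./cert-manager/issuer.yaml` without showing or describing them; the relative link `[here](./cert-manager)` is the only pointer. Suggest either inlining the two manifests or stating what they create (presumably the CA key pair secret and the `Issuer` named `ca-issuer` that references it, given the `issuerRef` used later), so readers can see which CA will sign `local.httpbin.org` and understand that it is a test-only CA that should not be trusted outside this cluster.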

Review comment:
```suggestion
kubectl run httpbin --image kennethreitz/httpbin --expose --port 80
```

We can complete the creation of pod and svc directly with one command




-- 
This is an automated message from the Apache Git Service.