AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
Voyager Voyager
github-icon twitter-icon
TRY NOW FREE

We use cookies and other similar technology to collect data to improve your experience on our site, as described in our Privacy Policy.

You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

New to Voyager? Please start here.

Issue Let’s Encrypt certificate using HTTP-01 challenge

Deploy Voyager operator

Deploy Voyager operator following instructions here.

curl -fsSL https://raw.githubusercontent.com/appscode/voyager/v11.0.1/hack/deploy/voyager.sh \
  | bash -s -- --provider=gke

Create Ingress

  1. We are going to use a nginx server as the backend. To deploy nginx server, run the following commands:

    kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80

  2. Now create Ingress ing.yaml

    kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/v11.0.1/docs/examples/certificate/http/ing.yaml

  3. Wait for the LoadBalancer ip to be assigned. Once the IP is assigned update your DNS provider to set the LoadBlancer IP as the A record for test domain kiteci.com

    $ kubectl get svc  voyager-test-ingress
NAME                   CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
voyager-test-ingress   10.39.243.239   104.198.234.66   80:32266/TCP,443:31282/TCP   19m

  4. Now wait a bit for DNS to propagate. Run the following command to confirm DNS propagation.

    $ dig +short kiteci.com
104.198.234.66

  5. Now open URL http://kiteci.com . This should show you the familiar nginx welcome page.

Create Certificate

  1. Create a secret to provide ACME user email. Change the email to a valid email address and run the following command:

    kubectl create secret generic acme-account --from-literal=ACME_EMAIL=me@example.com

  2. Create the Certificate CRD to issue TLS certificate from Let’s Encrypt using HTTP challenge.

    kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/v11.0.1/docs/examples/certificate/http/crt.yaml

  3. Now wait a bit and you should see a new secret named tls-kitecicom. This contains the tls.crt and tls.key. This secret must not have any dashes or other special characters.

    $ kubectl get secrets
NAME                  TYPE                                  DATA      AGE
acme-account          Opaque                                3         20m
default-token-zj0wv   kubernetes.io/service-account-token   3         30m
tls-kitecicom         kubernetes.io/tls                     2         19m

    $ kubectl describe cert kitecicom
Name:		kitecicom
Namespace:	default
Labels:		<none>
Annotations:	kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"voyager.appscode.com/v1beta1","kind":"Certificate","metadata":{"annotations":{},"name":"kitecicom","namespace":"default"},"spec":{"acmeU...
API Version:	voyager.appscode.com/v1beta1
Kind:		Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:			2017-10-29T22:07:45Z
  Deletion Grace Period Seconds:	<nil>
  Deletion Timestamp:			<nil>
  Resource Version:			1376
  Self Link:				/apis/voyager.appscode.com/v1beta1/namespaces/default/certificates/kitecicom
  UID:					97d91028-bcf5-11e7-bc3f-42010a800fd5
Spec:
  Acme User Secret Name:	acme-account
  Challenge Provider:
    Http:
      Ingress:
        API Version:	voyager.appscode.com/v1beta1
        Kind:		Ingress
        Name:		test-ingress
  Domains:
    kiteci.com
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  20m		20m		1	voyager operator			Normal		IssueSuccessful	Successfully issued certificate

    If you look at the Ingress, you should see that /.well-known/acme-challenge/ path has been added to rules. It should look like this.

    If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

Update Ingress to use TLS

  1. Now edit the Ingress to add spec.tls section.

    $ kubectl edit ingress.voyager.appscode.com test-ingress

spec:
  tls:
  - hosts:
    - kiteci.com
    ref:
      kind: Secret
      name: tls-kitecicom

    After editing, your Ingress should look similar to this.

  2. Now wait several seconds for HAProxy to reconfigure. If you check the configmap voyager-test-ingress, you should see a key haproxy.cfg with the value similar to this.

    Now try the following commands:

    $ curl -vv http://kiteci.com
* Rebuilt URL to: http://kiteci.com/
*   Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 80 (#0)
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://kiteci.com/
<
* Connection #0 to host kiteci.com left intact

    $ curl -vv https://kiteci.com
* Rebuilt URL to: https://kiteci.com/
*   Trying 104.198.234.66...
* Connected to kiteci.com (104.198.234.66) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: kiteci.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=kiteci.com
* 	 start date: Sun, 29 Oct 2017 21:07:37 GMT
* 	 expire date: Sat, 27 Jan 2018 21:07:37 GMT
* 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: kiteci.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Sun, 29 Oct 2017 22:31:59 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Thu, 14 Sep 2017 16:35:09 GMT
< ETag: "59baafbd-264"
< Accept-Ranges: bytes
< Strict-Transport-Security: max-age=15768000
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host kiteci.com left intact

What's on this Page

Search
Improve This Page