Manage Let's Encrypt certs and configs on k8s master node
**This page uses the UMD DTN-RM deployment as an example.**
- Create secrets for certs
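# Create the TLS secrets from the Let's Encrypt live directory.
# cert_dir is the only site-specific value here; the same privkey/cert pair is
# stored under several secret names because the deployments reference them
# under different keys (httpd, host, agent).
cert_dir=/etc/letsencrypt/live/180-131.research.maxgigapop.net

# create_secret NAME KEY FILE
# Renders the secret manifest client-side and applies it, so the step is
# idempotent: an existing secret is updated in place instead of `create`
# failing with AlreadyExists on a re-run (e.g. after a cert renewal).
# The key material only travels through the pipe, never to a file.
create_secret() {
  local name=$1 key=$2 file=$3
  kubectl create secret generic "$name" --from-file="$key=$file" \
    --dry-run=client -o yaml | kubectl apply -f -
}

create_secret sense-httpdprivkey   httpdprivkey   "$cert_dir/privkey.pem"
create_secret sense-httpdcert      httpdcert      "$cert_dir/cert.pem"
create_secret sense-hostkey        hostkey        "$cert_dir/privkey.pem"
create_secret sense-hostcert       hostcert       "$cert_dir/cert.pem"
create_secret sense-httpdfullchain httpdfullchain "$cert_dir/fullchain.pem"
create_secret sense-agent-hostkey  agent-hostkey  "$cert_dir/privkey.pem"
create_secret sense-agent-hostcert agent-hostcert "$cert_dir/cert.pem"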
- Create configmap
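# Create (or update) the frontend config map from the site YAML.
# Rendering with --dry-run=client and piping into `kubectl apply` makes the
# command idempotent, so the same line serves first deployment and later
# config changes instead of failing with AlreadyExists.
kubectl create configmap sense-siterm-fe-yaml --from-file=sense-siterm-fe=/etc/dtnrm.yaml \
  --dry-run=client -o yaml | kubectl apply -f -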
- Check cert status
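# Print the certificate (subject, issuer, validity period, SANs) for a
# human to inspect.
cert=/etc/letsencrypt/live/180-131.research.maxgigapop.net/cert.pem
openssl x509 -in "$cert" -text -noout
# Machine-checkable expiry: exits non-zero (and prints a notice) when the
# cert expires within the next 30 days (2592000 s), so this line can gate
# the renewal step in a script instead of relying on reading the dates.
openssl x509 -in "$cert" -noout -checkend 2592000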
- Delete all cert secrets
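# Remove every cert-derived secret.
# --ignore-not-found keeps the exit status 0 when some of the secrets were
# already removed, so a partial earlier cleanup (or running this under
# `set -e`) does not abort the procedure halfway.
kubectl delete secret --ignore-not-found \
  sense-httpdprivkey sense-httpdcert sense-hostcert sense-hostkey sense-httpdfullchain
kubectl delete secret --ignore-not-found \
  sense-agent-hostkey sense-agent-hostcert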
- Renew cert
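# Open TCP/80 only for the duration of the renewal, then close it again.
# A runtime rule with --timeout replaces --permanent + --reload: it is never
# written to the persistent firewalld config, and firewalld drops it by
# itself when the timeout expires, so port 80 cannot stay open (across
# reboots, even) if certbot fails or the session is cut off before the
# remove step runs.
firewall-cmd --add-port=80/tcp --timeout=600
rc=0
certbot renew || rc=$?
# Close the port as soon as renewal is done; the timeout above is only the
# safety net.
firewall-cmd --remove-port=80/tcp
# Report certbot's result without exiting the (possibly interactive) shell.
[ "$rc" -eq 0 ] || printf 'certbot renew failed (exit status %s)\n' "$rc" >&2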
- Redeploy after contents (including certs) change
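# Use the above procedures to re-create the secrets and then:
# Restart the deployments so their pods are replaced and pick up the new
# secret/configmap contents, then wait for each rollout to finish so a
# failed restart is noticed here rather than discovered later.
deployments=(sitefe siterm-agent01 siterm-agent02)
kubectl rollout restart deployment "${deployments[@]}"
for d in "${deployments[@]}"; do
  # --timeout bounds the wait; a stuck rollout yields a non-zero status.
  kubectl rollout status deployment "$d" --timeout=5m
done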
- Use self-signed certs instead:
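# Same secrets as the Let's Encrypt case, loaded from the self-signed certs
# shipped with the fe-docker installer. cert_dir is the only value that
# differs from the Let's Encrypt procedure (the doubled slash in the path is
# kept from the original and is harmless on POSIX systems).
cert_dir=/opt/siterm/installers/fe-docker//conf/etc/httpd/certs

# create_secret NAME KEY FILE
# Renders the secret manifest client-side and applies it, so the step is
# idempotent: an existing secret is updated in place instead of `create`
# failing with AlreadyExists when switching between cert sources.
# The key material only travels through the pipe, never to a file.
create_secret() {
  local name=$1 key=$2 file=$3
  kubectl create secret generic "$name" --from-file="$key=$file" \
    --dry-run=client -o yaml | kubectl apply -f -
}

create_secret sense-httpdprivkey   httpdprivkey   "$cert_dir/privkey.pem"
create_secret sense-httpdcert      httpdcert      "$cert_dir/cert.pem"
create_secret sense-hostkey        hostkey        "$cert_dir/privkey.pem"
create_secret sense-hostcert       hostcert       "$cert_dir/cert.pem"
create_secret sense-httpdfullchain httpdfullchain "$cert_dir/fullchain.pem"
create_secret sense-agent-hostkey  agent-hostkey  "$cert_dir/privkey.pem"
create_secret sense-agent-hostcert agent-hostcert "$cert_dir/cert.pem"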