With brand new google k8s, do the followings:
1. Set up kubeconfig by using the google connect command found from google cloud console, something similar to this.
gcloud container clusters get-credentials tongedge --zone us-east1-b --project odin-network-301700
2. Run the following command to deploy Ambassador
kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml &&
kubectl wait --for condition=established --timeout=90s crd -lproduct=aes&&
kubectl apply -f https://www.getambassador.io/yaml/aes.yaml &&
kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes
Now, get the external ip address
kubectl get -n ambassador service ambassador -o
"go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}"
3. Deploy kubernetes cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
Verify cert manager is working correctly
kubectl get pods --namespace cert-manager
k8s cert manager reference link https://cert-manager.io/docs/installation/kubernetes/
Now create a mapping and a service to make sure cert-manager created ingress can meet the http01 chanllenge.
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
name: acme-challenge-mapping
spec:
prefix: /.well-known/acme-challenge/
rewrite: ""
service: acme-challenge-service
---
apiVersion: v1
kind: Service
metadata:
name: acme-challenge-service
spec:
ports:
- port: 80
targetPort: 8089
selector:
acme.cert-manager.io/http01-solver: "true"
The ambassador external ip now can be used to configure your dns entry via whatever the dns providers. The end result will be your domain name can be resolved into the ambassador external IP address.To request a certificate, one has to set up an issuer first, using the follow yaml file to accomplish that.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
preferredChain: "ISRG Root X1"
privateKeySecretRef:
name: letencrypt-secret
solvers:
- http01:
ingress:
class: nginx
selector: {}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tonglitls
namespace: default
spec:
dnsNames:
- tongli.myddns.me
secretName: tonglitls-secret
issuerRef:
kind: ClusterIssuer
name: letsencrypt