Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3e9bdbf
commit 1b71fa3
Showing
11 changed files
with
876 additions
and
37 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Licensed to the Apache Software Foundation (ASF) under one | ||
| # or more contributor license agreements. See the NOTICE file | ||
| # distributed with this work for additional information | ||
| # regarding copyright ownership. The ASF licenses this file | ||
| # to you under the Apache License, Version 2.0 (the | ||
| # "License"); you may not use this file except in compliance | ||
| # with the License. You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| type: kubernetes.io/tls | ||
| metadata: | ||
| name: ca-key-pair | ||
| data: | ||
| tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY5ekNDQTkrZ0F3SUJBZ0lVRkt1ekFKWmdtL2ZzRlM2SkRyZCtsY3BWWnI4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dad3hDekFKQmdOVkJBWVRBa05PTVJFd0R3WURWUVFJREFoYWFHVnFhV0Z1WnpFUk1BOEdBMVVFQnd3SQpTR0Z1WjNwb2IzVXhHREFXQmdOVkJBb01EMEZRU1ZOSldDMVVaWE4wTFVOQlh6RVlNQllHQTFVRUN3d1BRVkJKClUwbFlYME5CWDFKUFQxUmZNUlV3RXdZRFZRUUREQXhCVUVsVFNWZ3VVazlQVkY4eEhEQWFCZ2txaGtpRzl3MEIKQ1FFV0RYUmxjM1JBZEdWemRDNWpiMjB3SGhjTk1qRXdOVEkzTVRNek5qSTRXaGNOTWpJd05USTNNVE16TmpJNApXakNCbkRFTE1Ba0dBMVVFQmhNQ1EwNHhFVEFQQmdOVkJBZ01DRnBvWldwcFlXNW5NUkV3RHdZRFZRUUhEQWhJCllXNW5lbWh2ZFRFWU1CWUdBMVVFQ2d3UFFWQkpVMGxZTFZSbGMzUXRRMEZmTVJnd0ZnWURWUVFMREE5QlVFbFQKU1ZoZlEwRmZVazlQVkY4eEZUQVRCZ05WQkFNTURFRlFTVk5KV0M1U1QwOVVYekVjTUJvR0NTcUdTSWIzRFFFSgpBUllOZEdWemRFQjBaWE4wTG1OdmJUQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCCkFMSlIwbFFXL0lCcVFURS9PYTBQaTRMbG1sWVVTR25xdEZOcWlaeU9GMFBqVnpOZXFvRDlKRFBpTTFRUnlDOHAKTkNkNUwvUWh0VUlNTXgwUmxESTlEa0ozQUxJV2RyUElabHdwdmVESmY0S3RXN2N6K2VhNDZBNlFRd0I2eGN5Vgp4V25xRUJraWVhN3FyRUU4TmFrWk9NamdrcWtOMi85a2xnNlh5QTVGV2Z2c3p4dHVJSHRqY3kyS3E4Yk1DMGpkCms3Q3FFWmU0Y3Q2czJ3bGNJOHQ4czlwcnZNRG04Z2NYNjZ4NEFoK0MyL1crQzNsVHBNRGdHcVJxU1B5Q1c3bmEKV2duMHRXbVRTZjFpeWJ3WU15ZGhDK3pwTTFRSkx2ZkR5cWpwMXdKaHppUjV0dFZlMlhjK3REQzI0cyt1MTZ5WgpSOTNJTzBNNGxMTmp2RUtKY01sdFh5UnpyY2p2TFhPaHczS2lyU0hOTDFLZnJCRWw3NGxiK0RWNWVVNHBJRkNqCmN1MThnbXM1RkJZczl0cEx1andwSERjMk1VK3pDdlJtU1B2VUE0eUN5b1hxb20zdWlTbzNnM3ltVzlJTThkQzgKK0JkMUdkTTZKYnBCdWt2UXliYzVUUVhvMU03NUk5aUVvUWE1dFF4QWZRL2Rmd01qT0s3c2tvZ293Qm91T3VMdgpCRUZLeTNWZDU3SVdXWlhDNHAvNzRNNk40ZkdZVGdIWTVGUUUzUjRZMnBoay9lYUVtMWpTMVVQdUM5OFF1VGZMCnJHdUZPSUJtSzVldU9tOHVUNW05aG5yb3VHMlpjeEVkekhZZmpzR0RHckx6QTBGTHUrd3RNTkJLTTROaHNOQ2EKZCtmeWNMZzdqZ3hXaGFMdkQ1RGZrVjdXRlFsejVMVWNlWUl3WU95aEQvY2hBZ01CQUFHakx6QXRNQXdHQTFVZApFd1FGTUFNQkFmOHdIUVlEVlIwUkJCWXdGSUlTYlhSc2N5NW9kSFJ3WW1sdUxteHZZMkZzTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQ0FRQ050Qm1vQWM1dHYzSDM4c2o5cWhUbWFidnA5Ukl6WllyUVNFY04rQTJpM2E4RlZZQU0KWWF1Z1pEWERjVHljb1duNnJjZ2JsVURuZW93M05pcVo1N3lZWm1OK2U0bUUzK1Exc0dlcFY3TG9Sa0hEVVQ4dwpqQUpuZGNaL3h4Sm1nSDZCN2RJbVRBUHN2TEdSN0U3Z2ZmTUgrYUtDZG5rRzl4NVZtK2N1QndTRUJuZGlIR2ZyCnl3NWNYTzZjTVVxOE02ekpyazJWKzFCQXVjWFcycmdMVFd5NlVUVEdENTZjZ1V0YlN0Uk82bXVPS29FbERMYlcKbVNqMnJOdi9ldmFrUWtWOGRnS1ZSRmdoMk5RS1lLcFhtdmVNYUU2eHRGRmYvZGQ5T2hERmpVaC9rc3huOTRGVAp4ai93a2hYQ0VQbCt0N3RFTmhyMnROeUxiQ09WY0Z6cW9pN0l5b1dLeHhaUWZ2QXJmajRTbWFoSzhFL0JYQi9UCjRQRW1uOGtaQXhhVzdSbUdjYWVrbThNVHFHbGhDSjN0VkpBSTJ2Y1lSZGQ5WkhiWEUxanIvNHhqMEkvTHpnbG8KTzh2NWZkNHpIeVYxU3VaNUFIM1hiVWQ3bmRsOXlEb04yV1NxSzlOZDlid3MzeXJmK0d3akpBVDFJbm5EdkxnMQpzdFdNOEkrOUZaaURGTDI1NS8raUFOMGpZY0d1OWk0VE52QytvNnFRMXA4NWkxT0hQSlp1Nnd0VVdNZ0RKTjQ2CnV3VzNaTGg5c1pWNk9uaGJRSkJRYVVtY2dhUEpVUXFiWE5RbXBtcGMwTlVqRVQvbHRGUloyaGx5dnZwZjd3d0YKMkRMWTFIUkFrblE2OUR1VDZ4cFl6MWFLWnFybGtiQ1dsTU12ZG9zT2c2ZjcrNE54ZFlKL3JCZVM2UT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K | ||
| tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRQ3lVZEpVRnZ5QWFrRXgKUHptdEQ0dUM1WnBXRkVocDZyUlRhb21jamhkRDQxY3pYcXFBL1NRejRqTlVFY2d2S1RRbmVTLzBJYlZDRERNZApFWlF5UFE1Q2R3Q3lGbmF6eUdaY0tiM2d5WCtDclZ1M00vbm11T2dPa0VNQWVzWE1sY1ZwNmhBWklubXU2cXhCClBEV3BHVGpJNEpLcERkdi9aSllPbDhnT1JWbjc3TThiYmlCN1kzTXRpcXZHekF0STNaT3dxaEdYdUhMZXJOc0oKWENQTGZMUGFhN3pBNXZJSEYrdXNlQUlmZ3R2MXZndDVVNlRBNEJxa2FrajhnbHU1MmxvSjlMVnBrMG45WXNtOApHRE1uWVF2czZUTlVDUzczdzhxbzZkY0NZYzRrZWJiVlh0bDNQclF3dHVMUHJ0ZXNtVWZkeUR0RE9KU3pZN3hDCmlYREpiVjhrYzYzSTd5MXpvY055b3EwaHpTOVNuNndSSmUrSlcvZzFlWGxPS1NCUW8zTHRmSUpyT1JRV0xQYmEKUzdvOEtSdzNOakZQc3dyMFprajcxQU9NZ3NxRjZxSnQ3b2txTjROOHBsdlNEUEhRdlBnWGRSblRPaVc2UWJwTAowTW0zT1UwRjZOVE8rU1BZaEtFR3ViVU1RSDBQM1g4REl6aXU3SktJS01BYUxqcmk3d1JCU3N0MVhlZXlGbG1WCnd1S2YrK0RPamVIeG1FNEIyT1JVQk4wZUdOcVlaUDNtaEp0WTB0VkQ3Z3ZmRUxrM3k2eHJoVGlBWml1WHJqcHYKTGsrWnZZWjY2TGh0bVhNUkhjeDJINDdCZ3hxeTh3TkJTN3ZzTFREUVNqT0RZYkRRbW5mbjhuQzRPNDRNVm9XaQo3dytRMzVGZTFoVUpjK1MxSEhtQ01HRHNvUS8zSVFJREFRQUJBb0lDQVFDVUNwdnNsaHpSVytWOXhqalM5YW5rClpVeEpsSk05NDg0THh0SXllRURXYXNKMWNtMXBvei9RRjBaMzBEOTY3K0ZOdUMzWXA3ZDgrdlhnZHp5cXJNZk8KNUU5ZWlvbkgzbU1rdHI3ZUJVdG9LUmFRdFlVT1NJclh0R3I3MWZHclZOaE5nellVTit3QURQSXZRcFptS2Z0Ygp3aDNnWGhJOEtMenZwcEUvVDlKUjladEg4WmpqOTMraTJwS2IrOENPb081QmFDQXM3c1BuSEdqSWo0ZGtJOGFKCldwS2RMOTdWaHNWeExUek4vbTB3eXJOcDZjaEpISVRoNVI5dEM2aXRWcHNUMHVaZG5SdDdVdTJhekJpRDQrenIKcGZ1b0UrdTdaUUEyVmRUY05HalpIWGR1RTAzRjB2Znp6WkhsekFsZ1VPMDZNa2NKR3N0UlYwYnZrbjFoclB5agp1YVlEUmVVamJKYnRYb3pHZmxVdFRheVYxVUF6SHViVGM5MENWV05UYkcvRzNYa1hrWEZGL0NVLzlpMHQvMW85CmJGMVJTT2NsMFAvQXdmSEJXTDV4UXlMK2RFTFluQXhoUW40TkNTdDdIYnlUc1R1NnBkdkZsQ0NuZGNkM0E1bUgKMHlLcGFXVTlkcFlDNEtta3kwMFM4ZUdmRVp4MllTOXF5SUgxZTYxdzhWNTlwQk5BR1JGU1RZUTBlV1lEaVY5eApoT1hZU1lqQ1FXWVo3czRRNHJ2ZjhDRXhPdnZORjA3SmdaTVB5dC9wVjhJblgxS29PSnBtL0laZnVQU05wbzJSCmU2V0krSjEwVnloTExMMXFBL2QrWkpmTG5uT0dRcGRnTTBUOU5FUHQycGNQcFRDQzFGWHFQNXJ6M2dBcWlBVk0KSHprajVXWUJMUHZGTlFsak1JRnl3UUtDQVFFQTZGOWpsQ2tkSU9qSGs4aW5yaVhNYXZ2N2Q0Q0ZVc1VYeVcvQwpVZWRBY25PUnVZREJrdmorTjI3NEdGeVAwU3F5V3dXRGJqSzVOZms2RmtkeThLNWZsckxjVVZSMGRGa2swd3Z3CjNnZVBpVWxpUDFwUElnd1FWdktST244TkgvbUYzRC9VZFhSSGh5T1E2cmQxR3poZGh2UmNjZmFwTDEya3YyMnYKRDcwSlhLakpxNFdZczNtM2NSU3cxT25sYmRrRWUzTTlLMWV5TFhlQnpsQnQwU3RaamNBSm1IV0xjbHJuMFdIRgpMcUtkWUNJZ3RHZUh3alE3WlBicnFRb1hGRnJ6bDgzQWV1V1cxVmRQQTNOTFc5Y1p5SnNIY1N5dDR4cDBjZUlSCitjTDl0TE9oWnpWNzFZN3ZybWh2WElSV2lROUowUGNDbXR5Mkx5U1NsSDY0SWV0cWFRS0NBUUVBeEhOeHZDOVEKRlFmRmdnM09kSHZDM0NsdFM3K25vSkZjdTVoMmZlWHFZS241TjRUcFQ2UVJDbWJLeHRHSkcvVDZjRVNEOXUwVQpzaEQwUjdSdkZEWTNTWHdORDRuYjM4dkhSOUYvZitNdzVKbTdBTGxzWnJPbFIwSUducGkxZjhTUkNVRE9iOHlKClRyMkRaelAwcTFBTFQ5QzZySVJ4eFJwTGsvdjlqR0V4WVJhT2FBUkVianc0aXIrdTh5VVpJVm9lcUtRanlNU1cKc25lSnJmMFhIR3JrS2Z3b3dpeGNYb0hSZXFWdnhtN2VzN3paRk9pT0xVZ2lpNlYycENQeUwzWks0Zm1YM1oyUgp2OHl5OXRJOTZvclR3Z1lGSXZodFlkckNuRi9NL1ZmNW9LUEVVd0V4bFFWQ1BrcG1zc1RhZm52R3p5NXpvdnZ5CnN0VmV5OC9NTWNUZitRS0NBUUJLR1BERjgvNUgyaktaMjJnc3pmekxPS0xOVG53MUVvZ3RRYWZ6T2d5QThuMUwKYTlWT0tudlY3VnJMV2VpNlNDVXJoU3lOM1RyV0RTMEtvYW56T1lkZHBKZEFqKys2a2hwOStkYksxaHBkS3J0YgpmRTZ6aXFsRE1JSkM1dlNtZDRqSjNNakEwMTFqcUdHemx1Q08xNEJyWWt5QVFxbGNZejMvbE5nMzZvMnJzRjd1CmhPRldpYitISFpQdHNNL3FJVU9lb2ZhbGRZZHBuQ3dXUCt0a3diQUMxWE81Mi9HbGUzdGtkd3JMZmlzMDFtMGIKV2RBZWkwMU5PcmVXNVpMS2VONG9VQUhLcnA5VVZFenJ5cjREQVNwRm43blZ5dXQvK1pXY0l2eWNhaU5BbGU4bgozQlFxMnpOdXAvcXF3OEJjWURXbm5yeUQ2VkZtNHdDaXZXMjEwejNSQW9JQkFRQ0VYRFA1VXZkbDlBS0RDY0pjCmdUWmRHQnhudVEyOEJiU3hRSncxWHo5M09ZNk1kYVNzNENJTEhBN3J2aW5mQ0VQa2VJVmhUWU53SmpRd1M4VzcKbkh2THF5VXhudlRoNkc2d1dOckswOHdSZWZLaEhrMkhOT3JiQkFWcHZnSXJ2OGpvcngxbi9pdFZQaUxXMmc2egpqZzdSREJWNlB4Sllkc3NOUGU4ck1pRVBCUitWdmFwTmk0MmREbUZWdVYwaE41TUlsTzczU2wwdWlaUGVBblFiCjFYazlRSVJGcjVYY3B5TDR1NVovNEJ0MGhuek10Wk4xdHZCdm5tQTlYMnJCeDdYVVkxS0xJcXNjeTFLWk1qWTkKWEtRb1NkNFVIY1cwOUt2Q3FGbDVLRmtzZnFxOE1rV3gzZ1V2NnZrZTRidEZGU2h5VngzYVpsNnpWMGV6a3FKRgp0aHdoQW9JQkFBVDUyOFdGVE9BOTdyQUFIeFJqOGprQUI2NEV4ZlRkY2w1eHpsQW5uQ09pQ3lGNWtlOTFwYjRECklZMkcvVk1mN2ZNakNCNy93RTNxa3RkTE5pQW9GdTlkZW1ydmdrTVI4VU5RTitwSzAyWWU2VUxsMTJwUTcxczcKQktTYjRpOVVUY0phVmFWT2hZbkNnTTcwQnBkQ2FKWFVQMGhqUC9BRVRESVJQZnFZRWhtend4dWt5c0VCTkpscApjWXlCOWRRSjhCV3M4R282T1d2Q2dic0Fwa0FTOTdOY1czZzRwL3c3dDlDSXVCblFuS2hUMUpVUmswS0pNeDAxCkU0cysxTndQN0I5R2Ivdlpja01FejBDM282WDJwbnk2eVkwcUtHK3lZOUh2NVV1M3M4UE1ZeFJKckU2ZUJuMGoKNDQ1ME9EOEg2d1MxSldPaGFZSEY1OGJoVW5zY0Zkbz0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Licensed to the Apache Software Foundation (ASF) under one | ||
| # or more contributor license agreements. See the NOTICE file | ||
| # distributed with this work for additional information | ||
| # regarding copyright ownership. The ASF licenses this file | ||
| # to you under the Apache License, Version 2.0 (the | ||
| # "License"); you may not use this file except in compliance | ||
| # with the License. You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| apiVersion: cert-manager.io/v1alpha2 | ||
| kind: Issuer | ||
| metadata: | ||
| name: ca-issuer | ||
| spec: | ||
| ca: | ||
| secretName: ca-key-pair |
241 changes: 241 additions & 0 deletions
241
docs/en/latest/practices/manage-certificates-with-cert-manager.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,241 @@ | ||
| --- | ||
| title: Manage Certificates With Cert Manager | ||
| --- | ||
|
|
||
| <!-- | ||
| # | ||
| # Licensed to the Apache Software Foundation (ASF) under one or more | ||
| # contributor license agreements. See the NOTICE file distributed with | ||
| # this work for additional information regarding copyright ownership. | ||
| # The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| # (the "License"); you may not use this file except in compliance with | ||
| # the License. You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| # | ||
| --> | ||
|
|
||
| This tutorial will detail how to manage secrets of ApisixTls using cert-manager. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| * Prepare an available Kubernetes cluster in your workstation, we recommend you to use [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/) to create a local Kubernetes cluster. | ||
| * Install Apache APISIX in Kubernetes by [Helm Chart](https://github.com/apache/apisix-helm-chart). | ||
| * Install [apisix-ingress-controller](https://github.com/apache/apisix-ingress-controller/blob/master/install.md). | ||
| * Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install). | ||
|
|
||
| In this guide, we assume that your APISIX is installed with `ssl` enabled, which is not enabled by default in the Helm Chart. To enable it, you need to set `gateway.tls.enabled=true` during installation. | ||
|
|
||
| For example, you could install APISIX and APISIX ingress controller by running: | ||
|
|
||
| ```bash | ||
| helm install apisix apisix/apisix --set gateway.type=NodePort --set ingress-controller.enabled=true --set gateway.tls.enabled=true | ||
| ``` | ||
|
|
||
| Assume that the SSL port is `9443`. | ||
|
|
||
| ## Create Issuer | ||
|
|
||
| For testing purposes, we will use a simple CA issuer. All required files can be found [here](./cert-manager). | ||
|
|
||
| To create a CA issuer, use the following commands: | ||
|
|
||
| ```bash | ||
| kubectl apply -f ./cert-manager/ca.yaml | ||
| kubectl apply -f ./cert-manager/issuer.yaml | ||
| ``` | ||
|
|
||
| If the cert-manager is working correctly, we should be able to see the Ready status by running: | ||
|
|
||
| ```bash | ||
| kubectl get issuer | ||
| ``` | ||
|
|
||
| It should output: | ||
|
|
||
| ```text | ||
| NAME READY AGE | ||
| ca-issuer True 50s | ||
| ``` | ||
|
|
||
| ## Create Certificate | ||
|
|
||
| Before creating ApisixTls, we should create a `Certificate` resource. | ||
|
|
||
| ```yaml | ||
| apiVersion: cert-manager.io/v1 | ||
| kind: Certificate | ||
| metadata: | ||
| name: demo-cert | ||
| spec: | ||
| dnsNames: | ||
| - local.httpbin.org | ||
| issuerRef: | ||
| kind: Issuer | ||
| name: ca-issuer | ||
| secretName: example-cert | ||
| usages: | ||
| - digital signature | ||
| - key encipherment | ||
| renewBefore: 0h55m0s | ||
| duration: 1h0m0s | ||
| ``` | ||
|
|
||
| Note that we set the parameters `duration` and `renewBefore`. We want to test if the certificate rotation functionality is working well, so a shorter renewal time will help. | ||
|
|
||
| Like `Issuer`, we could see its readiness status by running: | ||
|
|
||
| ```bash | ||
| kubectl get certificate | ||
| ``` | ||
|
|
||
| It should output: | ||
|
|
||
| ```text | ||
| NAME READY SECRET AGE | ||
| demo-cert True example-cert 50s | ||
| ``` | ||
|
|
||
| Check the secrets by running: | ||
|
|
||
| ```bash | ||
| kubectl get secret | ||
| ``` | ||
|
|
||
| It should output: | ||
|
|
||
| ```text | ||
| NAME TYPE DATA AGE | ||
| example-cert kubernetes.io/tls 3 2m20s | ||
| ``` | ||
|
|
||
| This means that our cert-manager is working properly. | ||
|
|
||
| ## Create Test Service | ||
|
|
||
| We use [kennethreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin/) as the service image. | ||
|
|
||
| Deploy it by running: | ||
|
|
||
| ```bash | ||
| kubectl run httpbin --image kennethreitz/httpbin --expose --port 80 | ||
| ``` | ||
|
|
||
| ## Route the Service | ||
|
|
||
| Create an ApisixRoute to route the service: | ||
|
|
||
| ```yaml | ||
| apiVersion: apisix.apache.org/v2beta1 | ||
| kind: ApisixRoute | ||
| metadata: | ||
| name: httpserver-route | ||
| spec: | ||
| http: | ||
| - name: httpbin | ||
| match: | ||
| hosts: | ||
| - local.httpbin.org | ||
| paths: | ||
| - "/*" | ||
| backend: | ||
| serviceName: httpbin | ||
| servicePort: 80 | ||
| ``` | ||
|
|
||
| Run curl command in a APISIX pod to see if the routing configuration works. | ||
|
|
||
| ```bash | ||
| kubectl -n <APISIX_NAMESPACE> exec -it <APISIX_POD_NAME> -- curl http://127.0.0.1:9080/ip -H 'Host: local.httpbin.org' | ||
| ``` | ||
|
|
||
| It should output: | ||
|
|
||
| ```json | ||
| { | ||
| "origin": "127.0.0.1" | ||
| } | ||
| ``` | ||
|
|
||
| ## Secure the Route | ||
|
|
||
| Create an ApisixTls to secure the route, referring to the secret created by cert-manager: | ||
|
|
||
| ```yaml | ||
| apiVersion: apisix.apache.org/v1 | ||
| kind: ApisixTls | ||
| metadata: | ||
| name: example-tls | ||
| spec: | ||
| hosts: | ||
| - local.httpbin.org | ||
| secret: | ||
| name: example-cert # the secret created by cert-manager | ||
| namespace: default # secret namespace | ||
| ``` | ||
|
|
||
| Run curl command in a APISIX pod to see if the Ingress and TLS configuration are working. | ||
|
|
||
| ```bash | ||
| kubectl -n <APISIX_NAMESPACE> exec -it <APISIX_POD_NAME> -- curl --resolve 'local.httpbin.org:9443:127.0.0.1' "https://local.httpbin.org:9443/ip" -k | ||
| ``` | ||
|
|
||
| It should output: | ||
|
|
||
| ```json | ||
| { | ||
| "origin": "127.0.0.1" | ||
| } | ||
| ``` | ||
|
|
||
| ## Test Certificate Rotation | ||
|
|
||
| To verify certificate rotation, we can add a verbose parameter `-v` to curl command: | ||
|
|
||
| ```bash | ||
| kubectl -n <APISIX_NAMESPACE> exec -it <APISIX_POD_NAME> -- curl --resolve 'local.httpbin.org:9443:127.0.0.1' "https://local.httpbin.org:9443/ip" -k -v | ||
| ``` | ||
|
|
||
| The verbose option will show us the handshake log, which also contains the certificate information. | ||
|
|
||
| Example output: | ||
|
|
||
| ```text | ||
| * Added local.httpbin.org:9443:127.0.0.1 to DNS cache | ||
| * Hostname local.httpbin.org was found in DNS cache | ||
| * Trying 127.0.0.1:9443... | ||
| * Connected to local.httpbin.org (127.0.0.1) port 9443 (#0) | ||
| ... | ||
| ... | ||
| * Server certificate: | ||
| * subject: [NONE] | ||
| * start date: Sep 16 00:14:55 2021 GMT | ||
| * expire date: Sep 16 01:14:55 2021 GMT | ||
| * issuer: C=CN; ST=Zhejiang; L=Hangzhou; O=APISIX-Test-CA_; OU=APISIX_CA_ROOT_; CN=APISIX.ROOT_; emailAddress=test@test.com | ||
| ``` | ||
|
|
||
| We could see the start date and expiration date of the server certificate. | ||
|
|
||
| Since the `Certificate` we defined requires the cert-manager to renew the cert every 5 minutes, we should be able to see the changes to the server certificate after 5 minutes. | ||
|
|
||
| ```text | ||
| * Added local.httpbin.org:9443:127.0.0.1 to DNS cache | ||
| * Hostname local.httpbin.org was found in DNS cache | ||
| * Trying 127.0.0.1:9443... | ||
| * Connected to local.httpbin.org (127.0.0.1) port 9443 (#0) | ||
| ... | ||
| ... | ||
| * Server certificate: | ||
| * subject: [NONE] | ||
| * start date: Sep 16 00:19:55 2021 GMT | ||
| * expire date: Sep 16 01:19:55 2021 GMT | ||
| * issuer: C=CN; ST=Zhejiang; L=Hangzhou; O=APISIX-Test-CA_; OU=APISIX_CA_ROOT_; CN=APISIX.ROOT_; emailAddress=test@test.com | ||
| ``` | ||
|
|
||
| The certificate was rotated as expected. |
Oops, something went wrong.