Deploy the nginx-ingress controller through the Add-on Center in CCE.
For CCE Turbo clusters, a NAT gateway must be created for the node VPC network.
Add a DNS A record in Huawei Cloud DNS Hosting Service pointing to the public IP address of the LoadBalancer associated with the nginx-ingress controller.
Taking cert.example.com as an example, add DNS resolution configuration on any node:
kubectl -n kube-system edit configmap coredns
Replace the line forward . /etc/resolv.conf with:
forward . 8.8.8.8 8.8.4.4
Then restart CoreDNS:
kubectl -n kube-system rollout restart deployment coredns
Verify domain resolution:
host cert.example.com
Proceed only if the domain resolves correctly.
The domain must be registered and filed according to local regulations before it can be resolved.
Install cert-manager:
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --version v1.9.1 --set installCRDs=true
- Clone the NGINX Ingress GitHub repository:
git clone https://github.com/nginxinc/kubernetes-ingress.git
- Navigate to examples:
cd ./kubernetes-ingress/examples/ingress-resources/complete-example
- Deploy the NGINX Cafe example:
kubectl apply -f ./cafe.yaml
- Create Huawei Cloud credentials secret:
kubectl create secret generic huaweicloud-secret --from-literal="accessKey=<Your-accessKey>" --from-literal="secretKey=<Your-secretKey>" -n cert-manager
- Deploy the webhook:
git clone https://github.com/HuaweiCloudDeveloper/cert-manager-webhook-huawei
cd cert-manager-webhook-huawei
# Set groupName in charts/huaweicloud-webhook/values.yaml to your actual domain before installing
helm install cert-manager-webhook-huawei ./charts/huaweicloud-webhook -n cert-manager
- Create ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: user@example.com # Your e-mail address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - dns01:
        webhook:
          groupName: example.com # Your domain
          solverName: huawei
          config:
            accessKeyRef:
              key: accessKey
              name: huaweicloud-secret
            regionId: ap-southeast-1 # Your region
            secretKeyRef:
              key: secretKey
              name: huaweicloud-secret
- Verify ClusterIssuer status:
kubectl get clusterissuer
Status should show Ready.
- Create Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cert-manager.example.com # Your domain
    secretName: cafe-secret
  rules:
  - host: cert-manager.example.com # Your domain
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80
- Verify certificate issuance:
kubectl get certificates
Status should become Ready: True.
- Check certificate requests:
kubectl get certificaterequests.cert-manager.io
Verify Ready: True and Approved: True.
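As an added example (not part of this guide and not cert-manager's own tooling), the following Python evaluates the Ready and Approved conditions the two verification steps above look for, reading the JSON form of those kubectl commands; the embedded sample is constructed, with object names mirroring this guide, and shows a Certificate still waiting on its order.

```python
import json

# Constructed sample (not real cluster output) shaped like the output of
# `kubectl get clusterissuer,certificate,certificaterequest -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt"},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "ACMEAccountRegistered"}]}},
    {"kind": "Certificate", "metadata": {"name": "cafe-secret"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                               "message": "Issuing certificate as Secret does not exist"}]}},
    {"kind": "CertificateRequest", "metadata": {"name": "cafe-secret-1"},
     "status": {"conditions": [{"type": "Approved", "status": "True", "reason": "policy.cert-manager.io"},
                              {"type": "Ready", "status": "False", "reason": "Pending",
                               "message": "Waiting on certificate issuance from order cafe-secret-1-0"}]}},
]})

# Conditions each kind must report as True before moving to the next step.
REQUIRED = {"ClusterIssuer": ("Ready",), "Certificate": ("Ready",),
            "CertificateRequest": ("Ready", "Approved")}

def find_condition(obj, ctype):
    """Return the status condition of the given type, or None if absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return None

def assess(obj):
    """Return (name, ok, detail); ok only when every required condition is True
    and the object has not been explicitly Denied."""
    name = f"{obj['kind']}/{obj['metadata']['name']}"
    problems = []
    for ctype in REQUIRED.get(obj["kind"], ("Ready",)):
        cond = find_condition(obj, ctype)
        if cond is None:
            problems.append(f"{ctype} condition not reported yet")
        elif cond.get("status") != "True":
            problems.append(f"{ctype}={cond.get('status')} [{cond.get('reason')}] "
                            f"{cond.get('message', '')}".rstrip())
    denied = find_condition(obj, "Denied")
    if denied is not None and denied.get("status") == "True":
        problems.append(f"Denied [{denied.get('reason')}] {denied.get('message', '')}".rstrip())
    return name, not problems, "; ".join(problems) or "ok"

def assess_all(raw_json):
    """Parse kubectl JSON (a single object or a List) and assess every item."""
    doc = json.loads(raw_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return [assess(item) for item in items]
```

Feed the real output of `kubectl get certificate,certificaterequest -o json` to assess_all to see the reason and message behind any object that has not reached Ready: True.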
Validate using:
curl https://cert.example.com/tea
curl https://cert.example.com/coffee