{"id":6034,"date":"2019-05-03T06:19:17","date_gmt":"2019-05-02T21:19:17","guid":{"rendered":"http:\/\/blog.jansnap.com\/?p=6034"},"modified":"2021-12-15T01:46:00","modified_gmt":"2021-12-14T16:46:00","slug":"azure%20kubernetes%20serviceaks%e3%81%ablets%20encrypt%e3%81%aessl%e8%a8%bc%e6%98%8e%e6%9b%b8%e3%82%92%e5%85%a5%e3%82%8c%e3%82%8b","status":"publish","type":"post","link":"https:\/\/blog.jansnap.com\/?p=6034","title":{"rendered":"Installing a Let&#8217;s Encrypt SSL certificate on Azure Kubernetes Service (AKS)"},"content":{"rendered":"\n<h2><span class=\"ez-toc-section\" id=\"%E5%85%83%E3%83%8D%E3%82%BF\"><\/span>\nSource<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/ja-jp\/azure\/aks\/ingress-static-ip\" rel=\"nofollow noopener\" target=\"_blank\">Create an ingress controller with a static public IP address in Azure Kubernetes Service (AKS)<\/a><\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E6%BA%96%E5%82%99\"><\/span>\nPreparation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\n<a href=\"https:\/\/qiita.com\/jansnap\/items\/7bb4ff67ef5dc3630069\" id=\"reference-20def088c94e96d1b765\">Create a K8s cluster using Azure Kubernetes Service (AKS)\n<\/a>\n\n<ul>\n<li>Up to the point where Helm is installed on the client and tiller on the server side.\n\n<ul>\n<li>A cluster with RBAC enabled.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E6%B3%A8%E6%84%8F\"><\/span>\nNotes<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>Static public IP addresses cost money\n\n<ul>\n<li>\nSee the <a href=\"https:\/\/azure.microsoft.com\/ja-jp\/pricing\/details\/ip-addresses\/\" rel=\"nofollow noopener\" target=\"_blank\">Public IP address pricing<\/a> page.\n\n<ul>\n<li>The first 5 cost about 0.5 yen\/hour (as of 2019-04-29). 0.5 yen * 24 hours * 30.5 days = about 366 yen\/month.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Note that deleting the AKS cluster also releases the static public IP address, so it disappears.<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E9%9D%99%E7%9A%84IP%E3%82%A2%E3%83%89%E3%83%AC%E3%82%B9%E3%82%92%E5%8F%96%E5%BE%97%E3%81%99%E3%82%8B\"><\/span>\nGet a static IP address<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\n<p>Get the resource group name of the AKS cluster<\/p>\n\n<ul>\n<li> <code>AKS_NODE_RES_GROUP=`az aks show --resource-group $AKS_RES_GROUP --name $AKS_CLUSTER_NAME --query nodeResourceGroup -o tsv`<\/code>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Create a static public IP address<\/p>\n\n<ul>\n<li>\n<code>az network public-ip create --resource-group $AKS_NODE_RES_GROUP --name myAKSPublicIP --allocation-method 
static<\/code>\n\n<ul>\n<li>The name above is <code>myAKSPublicIP<\/code>; change it as appropriate.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Check the static public IP address that was created<\/p>\n\n<ul>\n<li>\n<code>az network public-ip list --query [].ipAddress<\/code>\n\n<ul>\n<li>If there is more than one, later configuration steps will cause trouble, so look them up under \"Public IP addresses\" in the portal and delete them.<\/li>\n<\/ul>\n<\/li>\n<li><code>PUBLIC_IP_ADDRESS=`az network public-ip list --query [].ipAddress -o tsv`<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"nginx-ingress_%E3%82%92IP%E3%82%A2%E3%83%89%E3%83%AC%E3%82%B9%E6%8C%87%E5%AE%9A%E3%81%A7%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB\"><\/span>\nInstall nginx-ingress with the IP address specified<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>Install\n\n<ul>\n<li>The namespace is set to <code>kube-system<\/code>. Note that some samples use <code>kube-public<\/code> instead.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">helm install stable\/nginx-ingress \\\n    --namespace kube-system \\\n    --set controller.service.loadBalancerIP=$PUBLIC_IP_ADDRESS<\/code><\/pre>\n\n\n\n<ul>\n<li>Check the public IP\n\n<ul>\n<li>\n<code>kubectl get service -l app=nginx-ingress --namespace 
kube-system<\/code>\n\n<ul>\n<li>\nIf <code>EXTERNAL-IP<\/code> is <code>&lt;pending&gt;<\/code>, wait a little.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">NAME                                             TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE\nexcited-starfish-nginx-ingress-controller        LoadBalancer   10.0.14.43     40.115.xxx.xxx   80:30202\/TCP,443:31925\/TCP   1m\nexcited-starfish-nginx-ingress-default-backend   ClusterIP      10.0.121.158   &lt;none&gt;          80\/TCP                       1m<\/code><\/pre>\n\n\n\n<ul>\n<li>Open the address 40.115.xxx.xxx shown above in a browser\n\n<ul>\n<li>\nThe default 404 page is displayed, reading <code>default backend - 404<\/code> (startup takes a few minutes, so wait)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"DNS%E4%B8%8A%E3%81%AE%E5%90%8D%E5%89%8D%E3%82%92%E6%B1%BA%E3%82%81%E3%81%A6%E3%80%81%E8%A8%AD%E5%AE%9A\"><\/span>\nChoose a DNS name and configure it<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li><code>DNSNAME=\"my-aks-ingress-test123\"<\/code><\/li>\n<li><code>PUBLICIPID=$(az network public-ip list --query \"[?ipAddress!=null]|[?contains(ipAddress, '$PUBLIC_IP_ADDRESS')].[id]\" --output tsv)<\/code><\/li>\n<li><p><code>az network public-ip update --ids $PUBLICIPID --dns-name $DNSNAME<\/code><\/p><\/li>\n<li>\n<p>The site can now be reached by its FQDN, so open it in a browser to check<\/p>\n\n<ul>\n<li>\n<a 
href=\"http:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\/\" class=\"autolink\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\/<\/a>\n\n<ul>\n<li>\nIf <code>default backend - 404<\/code> appears, it is OK.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"cert-manager_%E3%82%92%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB\"><\/span>\nInstall cert-manager<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>Install <code>cert-manager<\/code>, which provides automatic creation and management of Let\u2019s Encrypt certificates\n\n<ul>\n<li>0.7.2 has been released, so use 0.7 rather than 0.6.\n\n<ul>\n<li><code>kubectl apply -f https:\/\/raw.githubusercontent.com\/jetstack\/cert-manager\/release-0.7\/deploy\/manifests\/00-crds.yaml<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Create a namespace for cert-manager (install into a namespace named <code>cert-manager<\/code>, not <code>kube-system<\/code>)\n\n<ul>\n<li><code>kubectl create namespace cert-manager<\/code><\/li>\n<li>\n<code>kubectl label namespace cert-manager certmanager.k8s.io\/disable-validation=true<\/code>\n\n<ul>\n<li>\nWithout <code>disable-validation=true<\/code>, the issuer becomes unknown and the certificate is not created??<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Install using helm (the <a href=\"https:\/\/github.com\/jetstack\/cert-manager\/releases\" rel=\"nofollow noopener\" target=\"_blank\">cert-manager page on GitHub<\/a> 
shows 0.7.2 as the latest, so check it when specifying a version)\n\n<ul>\n<li><code>helm repo add jetstack https:\/\/charts.jetstack.io<\/code><\/li>\n<li><code>helm repo update<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">helm install \\\n  --name cert-manager \\\n  --namespace cert-manager \\\n  --version v0.7.2 \\\n  jetstack\/cert-manager<\/code><\/pre>\n\n\n\n<ul>\n<li>\n<del>For production, also add <code>--set ingressShim.extraArgs='{--default-issuer-name=letsencrypt-prod,--default-issuer-kind=ClusterIssuer}'<\/code>.<\/del>\n\n<ul>\n<li>The example below installs into the <code>kube-system<\/code> namespace<\/li>\n<li><del>Added <code>webhook.enabled=false<\/code> because there are reports that certificates are not issued without it<\/del><\/li>\n<li>\n<code>stable\/cert-manager<\/code> did not work, so I used <code>jetstack\/cert-manager<\/code><\/li>\n<\/ul>\n<\/li>\n<li>The certificate could be installed with the steps above, so the following is for reference only.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">helm install jetstack\/cert-manager \\\n  --name cert-manager \\\n  --namespace kube-system \\\n  --set ingressShim.defaultIssuerName=letsencrypt-prod \\\n  --set ingressShim.defaultIssuerKind=ClusterIssuer \\\n  --set webhook.enabled=false<\/code><\/pre>\n\n\n\n<ul>\n<li>\n<p>If you install it incorrectly, remove it with <code>helm delete --purge 
cert-manager<\/code> and reinstall.<\/p>\n\n<ul>\n<li>If you get Error: customresourcedefinitions.apiextensions.k8s.io \u201ccertificates.certmanager.k8s.io\u201d already exists, delete with <code>kubectl delete -f https:\/\/raw.githubusercontent.com\/jetstack\/cert-manager\/release-0.7\/deploy\/manifests\/00-crds.yaml<\/code><\/li>\n<\/ul>\n<\/li>\n<li>\n<p>This alone issues an (untrusted) certificate, so connect over HTTPS in a browser to check<\/p>\n\n<ul>\n<li>\n<a href=\"https:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\/\" class=\"autolink\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\/<\/a>\n\n<ul>\n<li>An untrusted-certificate warning appears; skip past it as appropriate<\/li>\n<li>The Common Name is <code>Kubernetes Ingress Controller Fake Certificate<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"CA_%E3%82%AF%E3%83%A9%E3%82%B9%E3%82%BF%E3%83%BC%E7%99%BA%E8%A1%8C%E8%80%85%E3%82%92%E4%BD%9C%E6%88%90\"><\/span>\nCreate a CA cluster issuer<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\nCreate the <code>cluster-issuer.yaml<\/code> file with the following contents<\/li>\n<li>\nChange <code>email<\/code> to your actual e-mail address<\/li>\n<li>This is for testing, so use <code>staging<\/code>. In production, use <code>letsencrypt-prod<\/code> and <code>https:\/\/acme-v02.api.letsencrypt.org\/directory<\/code> 
\n\n<ul>\n<li>The server must be v02, not v01; otherwise the status stays at <code>Issuer letsencrypt-staging not ready<\/code> indefinitely and the cause is hard to identify.\n\n<ul>\n<li>\nCheck the status with <code>kubectl describe clusterissuer letsencrypt-staging<\/code> or <code>kubectl describe clusterissuer letsencrypt-prod<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">apiVersion: certmanager.k8s.io\/v1alpha1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\n  #name: letsencrypt-prod\nspec:\n  acme:\n    server: https:\/\/acme-staging-v02.api.letsencrypt.org\/directory\n    #server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    email: user@example.com\n    privateKeySecretRef:\n      name: letsencrypt-staging\n      #name: letsencrypt-prod\n    http01: {}<\/code><\/pre>\n\n\n\n<ul>\n<li>\nApply with <code>kubectl apply -f cluster-issuer.yaml<\/code>\n\n<ul>\n<li>\nIf <code>Error from server (InternalError): error when creating \"cluster-issuer.yaml\": Internal error occurred: failed calling admission webhook \"clusterissuers.admission.certmanager.k8s.io\": the server is currently unable to handle the request<\/code> is displayed, wait a while and try again<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E3%83%87%E3%83%A2_%E3%82%A2%E3%83%97%E3%83%AA%E3%82%92%E5%85%A5%E3%82%8C%E3%82%8B\"><\/span>\nInstall the demo apps<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>I got stuck trying to verify operation with the default 404 page, so install a demo 
app\n\n<ul>\n<li><code>helm repo add azure-samples https:\/\/azure-samples.github.io\/helm-charts\/<\/code><\/li>\n<li><code>helm install azure-samples\/aks-helloworld --namespace ingress-basic<\/code><\/li>\n<li><code>helm list --namespace ingress-basic<\/code><\/li>\n<li><code>helm install azure-samples\/aks-helloworld  --namespace ingress-basic  --set title=\"AKS Ingress Demo\"  --set serviceName=\"ingress-demo\"<\/code><\/li>\n<li><code>helm list --namespace ingress-basic<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E3%82%A4%E3%83%B3%E3%82%B0%E3%83%AC%E3%82%B9_%E3%83%AB%E3%83%BC%E3%83%88%E3%82%92%E4%BD%9C%E6%88%90\"><\/span>\nCreate an ingress route<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\nCreate <code>hello-world-ingress.yaml<\/code> as follows<\/li>\n<li>\nChange <code>hosts<\/code> and <code>host<\/code> to your own host name<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">apiVersion: extensions\/v1beta1\nkind: Ingress\nmetadata:\n  name: hello-world-ingress\n  namespace: ingress-basic\n  annotations:\n    kubernetes.io\/ingress.class: nginx\n    certmanager.k8s.io\/cluster-issuer: letsencrypt-prod\n    nginx.ingress.kubernetes.io\/rewrite-target: \/\nspec:\n  tls:\n  - hosts:\n    - my-aks-ingress-test123.japaneast.cloudapp.azure.com\n    secretName: tls-secret\n  rules:\n  - host: my-aks-ingress-test123.japaneast.cloudapp.azure.com\n    http:\n      paths:\n      - path: \/\n        backend:\n          serviceName: aks-helloworld\n          servicePort: 80\n      - path: \/hello-world-two\n        backend:\n          serviceName: ingress-demo\n          servicePort: 80<\/code><\/pre>\n\n\n\n<ul>\n<li>\nApply with <code>kubectl apply -f hello-world-ingress.yaml<\/code><\/li>\n<\/ul>\n\n<h2><span 
class=\"ez-toc-section\" id=\"%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E7%A2%BA%E8%AA%8D\"><\/span>\nCheck the certificate<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\n<p>The certificate is requested automatically by the steps above<\/p>\n\n<ul>\n<li><code>kubectl describe certificate tls-secret --namespace ingress-basic<\/code><\/li>\n<li><code>kubectl describe certificate tls-secret<\/code><\/li>\n<li>\nCheck the status with <code>kubectl describe certificate<\/code>\n\n<ul>\n<li>\nIf <code>OrderCreated<\/code> is missing, request a certificate while referring to the <a href=\"https:\/\/cert-manager.readthedocs.io\/en\/latest\/reference\/certificates.html\" rel=\"nofollow noopener\" target=\"_blank\">cert-manager page on certificates<\/a> and <a href=\"https:\/\/cert-manager.readthedocs.io\/en\/latest\/reference\/orders.html\" rel=\"nofollow noopener\" target=\"_blank\">Orders<\/a><\/li>\n<\/ul>\n<\/li>\n<li><code>kubectl describe order<\/code><\/li>\n<li>If it stays at <code>Issuer letsencrypt-prod not ready<\/code>, check the status with <code>kubectl describe clusterissuer letsencrypt-staging<\/code> or <code>kubectl describe clusterissuer letsencrypt-prod<\/code>.\n\n<ul>\n<li>Note that the argument is <code>clusterissuer<\/code>, not <code>cluster-issuer<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><p><code>kubectl describe clusterissuer letsencrypt-prod<\/code> shows the status<\/p><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">(omitted)\nStatus:\n  Acme:\n    Uri:  https:\/\/acme-v02.api.letsencrypt.org\/acme\/acct\/56269408\n  Conditions:\n    Last Transition Time:  2019-05-02T07:29:25Z\n    Message:               
The ACME account was registered with the ACME server\n    Reason:                ACMEAccountRegistered\n    Status:                True\n    Type:                  Ready\nEvents:                    &lt;none&gt;<\/code><\/pre>\n\n\n\n<ul>\n<li>\n<code>kubectl describe certificate tls-secret --namespace ingress-basic<\/code> shows the event details, as below<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">(omitted)\nStatus:\n  Conditions:\n    Last Transition Time:  2019-05-02T07:29:51Z\n    Message:               Certificate is up to date and has not expired\n    Reason:                Ready\n    Status:                True\n    Type:                  Ready\n  Not After:               2019-07-31T06:29:50Z\nEvents:\n  Type     Reason              Age                    From          Message\n  ----     ------              ----                   ----          -------\n  Warning  IssuerNotFound      3m44s                  cert-manager  clusterissuer.certmanager.k8s.io \"letsencrypt-prod\" not found\n  Warning  IssuerNotReady      3m28s (x3 over 7m31s)  cert-manager  Issuer letsencrypt-prod not ready\n  Normal   Generated           3m27s                  cert-manager  Generated new private key\n  Normal   GenerateSelfSigned  3m27s                  cert-manager  Generated temporary self signed certificate\n  Normal   OrderCreated        3m27s                  cert-manager  Created Order resource \"tls-secret-224255xxxx\"\n  Normal   OrderComplete       3m1s                   cert-manager  Order \"tls-secret-224255xxxx\" completed successfully\n  Normal   CertIssued          3m1s                   cert-manager  Certificate issued successfully<\/code><\/pre>\n\n\n\n<ul>\n<li>\n<p>If the status is <code>Certificate issuance in progress. 
Temporary certificate issued.<\/code>, wait a while.<\/p>\n\n<ul>\n<li>The temporary certificate is issued first and the real certificate after it, in that order, so check the status.<\/li>\n<\/ul>\n<\/li>\n<li><p>Under Security in Chrome's developer tools, below <code>Certificate - valid and trusted<\/code> the text sometimes reads <code>The connection to this site is using a valid, trusted server certificate issued by \u4e0d\u660e\u306a\u540d\u524d.<\/code> How to deal with this is unknown.<\/p><\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E3%83%96%E3%83%A9%E3%82%A6%E3%82%B6%E3%81%A7%E8%A1%A8%E7%A4%BA%E3%81%97%E3%81%A6%E3%80%81%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E7%A2%BA%E8%AA%8D\"><\/span>\nOpen in a browser and check the certificate<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\nConnect over HTTPS, for example to <a href=\"https:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\" class=\"autolink\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com<\/a>, and check the certificate\n\n<ul>\n<li>The Common Name (CN) becomes your own host name, such as <code>my-aks-ingress-test123.japaneast.cloudapp.azure.com<\/code>.<\/li>\n<\/ul>\n<\/li>\n<li>\n<a href=\"https:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\/hello-world-two\" class=\"autolink\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/my-aks-ingress-test123.japaneast.cloudapp.azure.com\/hello-world-two<\/a> 
shows the second demo app (the image and wording are slightly different)<\/li>\n<\/ul>\n\n<h2><span class=\"ez-toc-section\" id=\"%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%82%AA%E3%83%96%E3%82%B8%E3%82%A7%E3%82%AF%E3%83%88%E3%82%92%E4%BD%9C%E6%88%90%E5%BF%85%E8%A6%81%E3%81%AB%E5%BF%9C%E3%81%98%E3%81%A6\"><\/span>\nCreate a certificate object (if needed)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul>\n<li>\nCreate the <code>certificates.yaml<\/code> file with the following contents.<\/li>\n<li>\nChange <code>dnsNames<\/code> and <code>domains<\/code> to the DNS name created in the earlier step<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"text\" class=\"language-text\">apiVersion: certmanager.k8s.io\/v1alpha1\nkind: Certificate\nmetadata:\n  name: tls-secret\nspec:\n  secretName: tls-secret\n  dnsNames:\n  - my-aks-ingress-test123.japaneast.cloudapp.azure.com\n  acme:\n    config:\n    - http01:\n        ingressClass: nginx\n      domains:\n      - my-aks-ingress-test123.japaneast.cloudapp.azure.com\n  issuerRef:\n    name: letsencrypt-staging\n    #name: letsencrypt-prod\n    kind: ClusterIssuer<\/code><\/pre>\n\n\n\n<ul>\n<li>\nApply with <code>kubectl apply -f certificates.yaml<\/code>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/ja-jp\/azure\/aks\/ingress-static-ip\" rel=\"nofollow noopener\" target=\"_blank\">Create an ingress 
controller with a static public IP address in Azure Kubernetes Service (AKS)<\/a><\/li>\n<\/ul>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4185,4186,4187],"tags":[4182,4183,4184],"class_list":["post-6034","post","type-post","status-publish","format-standard","hentry","category-azure","category-kubernetes","category-letsencrypt","tag-azure","tag-kubernetes","tag-letsencrypt"],"_links":{"self":[{"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=\/wp\/v2\/posts\/6034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6034"}],"version-history":[{"count":0,"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=\/wp\/v2\/posts\/6034\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.jansnap.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}