Kubernetes

[Kubernetes] Installing ArgoCD and Enabling HTTPS with Let's Encrypt

테런 2024. 6. 13. 12:10
Overview
  • This post walks through enabling HTTPS using a Kubernetes cluster, Let's Encrypt, and a free domain.

 

Prerequisite

 

Installing Cert Manager
// https://cert-manager.io/docs/installation/
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml

// Verify
$ kubectl get all -n cert-manager

 

Installing the Cluster Issuer
// A cluster-level Issuer (ClusterIssuer) does not need a separate Namespace.
// The Issuer issues the secret.
// Production environment
$ vi letsencrypt-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <enter your email address>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx

// Staging environment
$ vi letsencrypt-staging.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <enter your email address>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
            
$ kubectl apply -f letsencrypt-prod.yaml
$ kubectl apply -f letsencrypt-staging.yaml

// Verify
$ kubectl get ClusterIssuer

 

Installing ArgoCD
// Create the Namespace
$ kubectl create namespace argocd

// Install ArgoCD
$ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

// Delete ArgoCD (run only when uninstalling)
$ kubectl delete -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

// Verify
$ kubectl get all -n argocd

// https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
$ vi argocd-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # If you encounter a redirect loop or are getting a 307 response code
    # then you need to force the nginx ingress to connect to the backend using HTTPS.
    #
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  rules:
  - host: argocd.{Public IP}.nip.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              name: https
  tls:
  - hosts:
    - argocd.{Public IP}.nip.io
    secretName: argocd-server-tls # as expected by argocd-server

$ kubectl apply -f argocd-ingress.yaml

// Confirm that the Cluster Issuer created the 'argocd-server-tls' secret
// If the Type is kubernetes.io/tls, it is working correctly
$ kubectl get secret -n argocd
NAME                          TYPE                DATA   AGE
argocd-initial-admin-secret   Opaque              1      13m
argocd-notifications-secret   Opaque              0      13m
argocd-redis                  Opaque              1      13m
argocd-secret                 Opaque              5      13m
argocd-server-tls             kubernetes.io/tls   2      42s

// Open 'argocd.{Public IP}.nip.io' in a web browser and verify
// Username: admin / check the initial password with the command below
$ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

 

Automatic Renewal of the HTTPS Certificate (Let's Encrypt)
By default, Let's Encrypt certificates must be renewed every 3 months. However, Cert Manager renews them automatically, so you do not need to worry about it.
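
To confirm that issuance and automatic renewal are actually working, rather than assuming it, the following added example (not part of the original post) reads the cert-manager Certificate as JSON and checks that it was issued by letsencrypt-prod, is Ready, and is neither expired nor past its scheduled renewal time. It assumes the Certificate object has the same name as the secret (argocd-server-tls); the helper names parse_ts and check_certificate are hypothetical, and the sample JSON and dates are constructed.

```python
# Usage: kubectl get certificate argocd-server-tls -n argocd -o json | python3 check_cert.py
import json
import sys
from datetime import datetime, timezone

def parse_ts(value):
    # cert-manager status timestamps are RFC 3339 in UTC, e.g. 2024-09-11T02:10:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_certificate(cert, now, expected_issuer="letsencrypt-prod"):
    """Return a list of problems; an empty list means issued, Ready and not overdue."""
    problems = []
    issuer = cert.get("spec", {}).get("issuerRef", {}).get("name")
    if issuer != expected_issuer:  # e.g. still pointing at the untrusted staging issuer
        problems.append(f"issued by {issuer!r}, expected {expected_issuer!r}")
    status = cert.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    if ready is None or ready.get("status") != "True":
        reason = ready.get("message", "no message") if ready else "no Ready condition"
        problems.append(f"not Ready: {reason}")
    if "notAfter" not in status or "renewalTime" not in status:
        problems.append("no notAfter/renewalTime yet (issuance has not completed)")
        return problems
    if now >= parse_ts(status["notAfter"]):
        problems.append(f"expired at {status['notAfter']}")
    elif now >= parse_ts(status["renewalTime"]):
        problems.append(f"renewal was due at {status['renewalTime']} but has not happened")
    return problems

# Constructed sample shaped like `kubectl get certificate -o json`; not real cluster output.
SAMPLE = {
    "spec": {"secretName": "argocd-server-tls",
             "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
    "status": {
        "conditions": [{"type": "Ready", "status": "True",
                        "message": "Certificate is up to date and has not expired"}],
        "notBefore": "2024-06-13T02:10:00Z",
        "notAfter": "2024-09-11T02:10:00Z",
        "renewalTime": "2024-08-12T02:10:00Z"}}

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if raw.strip():
        cert, now = json.loads(raw), datetime.now(timezone.utc)
    else:  # nothing piped in: evaluate the constructed sample at a fixed, constructed date
        cert, now = SAMPLE, parse_ts("2024-07-01T00:00:00Z")
    found = check_certificate(cert, now)
    print("\n".join(found) if found else "OK: issued, Ready, renewal scheduled")
    sys.exit(1 if found else 0)
```

The script exits non-zero when it finds a problem, so it can be run from a scheduled job or monitoring check.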