
🔒 Lesson 13: TLS/SSL with Ingress

⏱️ Duration: 20 minutes | 📚 Difficulty: Intermediate

🎯 After this lesson, you will:

1. Manual TLS Secret

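# Create a TLS secret from a certificate and its private key
# (the Secret must live in the same namespace as the Ingress that references it)
kubectl create secret tls tls-secret \
    --cert=path/to/tls.crt \
    --key=path/to/tls.key

# Ingress with TLS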
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - myapp.example.com
      secretName: tls-secret
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80

2. Install cert-manager

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

# Verify
kubectl get pods -n cert-manager

3. Let's Encrypt ClusterIssuer

# cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com    # placeholder: replace with your contact address
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

4. Ingress with Automatic TLS

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auto-tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - myapp.example.com
      secretName: myapp-tls    # created automatically by cert-manager
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80

💡 cert-manager automatically:
• Requests a certificate from Let's Encrypt
• Creates the TLS Secret
• Renews it before it expires
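
The manifests above only work when each rule host is listed under spec.tls, each tls entry names a Secret, and the issuer annotation is paired with a tls block. The following check for that wiring is an added example, not part of the original lesson; its function names are this sketch's own and SAMPLE is constructed data in the shape of `kubectl get ingress -A -o json`.

```python
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

# Constructed sample in the shape of `kubectl get ingress -A -o json` (a List with "items").
SAMPLE = {"items": [
    {"metadata": {"name": "auto-tls-ingress",
                  "annotations": {ISSUER_ANNOTATION: "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["myapp.example.com"], "secretName": "myapp-tls"}],
              "rules": [{"host": "myapp.example.com"}]}},
    {"metadata": {"name": "mismatch-ingress"},
     "spec": {"tls": [{"hosts": ["myapp.example.com"]}],
              "rules": [{"host": "api.example.com"}]}},
    {"metadata": {"name": "annotated-no-tls",
                  "annotations": {ISSUER_ANNOTATION: "letsencrypt-prod"}},
     "spec": {"rules": [{"host": "shop.example.com"}]}},
]}

def host_covered(host, tls_hosts):
    """Exact match, or a wildcard entry covering exactly one extra leading label."""
    for pattern in tls_hosts:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def audit_ingress(ing):
    """Return a list of finding strings for one Ingress object."""
    meta, spec = ing["metadata"], ing.get("spec") or {}
    name, tls = meta["name"], spec.get("tls") or []
    tls_hosts = [h for entry in tls for h in entry.get("hosts") or []]
    findings = []
    if ISSUER_ANNOTATION in (meta.get("annotations") or {}) and not tls:
        findings.append(f"{name}: issuer annotation set but spec.tls is empty")
    for entry in tls:
        if not entry.get("secretName"):
            findings.append(f"{name}: tls entry {entry.get('hosts')} has no secretName")
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not host_covered(host, tls_hosts):
            findings.append(f"{name}: rule host {host} is not listed under spec.tls")
    return findings

def audit(doc):
    """Audit every Ingress in a kubectl List document."""
    return [f for ing in doc.get("items", []) for f in audit_ingress(ing)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a cluster, pass `json.load(sys.stdin)` to `audit()` with the kubectl output piped in.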

📝 Summary