author | Vincent Ambo <tazjin@gmail.com> | 2016-09-25T23·23+0200 |
---|---|---|
committer | Vincent Ambo <tazjin@gmail.com> | 2016-09-25T23·23+0200 |
commit | e514f9ecff7670fa5fd5f71ec483efd1060413a7 (patch) | |
tree | 6b473e1505b60191dd7396126acb3c7a989edd3d | |
parent | a02148d8325b3a9252c49235cf8592fc42c0df73 (diff) |
[nginx] Use SAN certificates
Use SAN certificates from k8s LE controller 1.3
-rw-r--r-- | nginx/conf/http.conf | 7 | ||||
-rw-r--r-- | nginx/conf/main.conf | 4 | ||||
-rw-r--r-- | nginx/nginx-svc.yaml | 3 | ||||
-rw-r--r-- | nginx/nginx.yaml | 12 |
4 files changed, 6 insertions, 20 deletions
diff --git a/nginx/conf/http.conf b/nginx/conf/http.conf index d7995f54341b..404ebe38f67f 100644 --- a/nginx/conf/http.conf +++ b/nginx/conf/http.conf @@ -8,6 +8,7 @@ server { # Simple IP echo thing server { listen 80; + listen 443 ssl http2; server_name ip.tazj.in; access_log off; add_header "Content-Type" "text/plain"; @@ -27,9 +28,6 @@ server { listen 443 ssl http2; server_name git.tazj.in; - ssl_certificate /etc/nginx/ssl/git.tazj.in/fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/git.tazj.in/key.pem; - location / { proxy_pass http://gogs-priv.default.svc.cluster.local:3000; } @@ -40,9 +38,6 @@ server { listen 443 ssl http2; server_name tazj.in; - ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem; - location / { return 301 https://www.tazj.in$request_uri; } diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf index 5041d1fcaf77..d5618545bd15 100644 --- a/nginx/conf/main.conf +++ b/nginx/conf/main.conf @@ -38,8 +38,8 @@ http { access_log /var/log/nginx/access.log logstash; # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub) - ssl_certificate /etc/nginx/ssl/www.tazj.in/fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/www.tazj.in/key.pem; + ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; diff --git a/nginx/nginx-svc.yaml b/nginx/nginx-svc.yaml index defe39355b68..84406a0bca44 100644 --- a/nginx/nginx-svc.yaml +++ b/nginx/nginx-svc.yaml @@ -6,7 +6,8 @@ metadata: labels: app: nginx annotations: - acme/certificate: "tazj.in" + acme/certificate: '["tazj.in", "www.tazj.in", "ip.tazj.in", "git.tazj.in"]' + acme/secretName: tazj.in-tls spec: type: LoadBalancer loadBalancerIP: 104.155.119.229 diff --git a/nginx/nginx.yaml b/nginx/nginx.yaml index 01391492ef97..3bce210ad539 100644 
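Review bot: The `ip.tazj.in` block that gains `listen 443 ssl http2;` in the first http.conf hunk also sets its own `add_header "Content-Type" "text/plain";`, and nginx inherits `add_header` from the enclosing level only when the current level defines none. If that directive sits at server level, as it appears to here, the `Strict-Transport-Security` header set in the `http` block of main.conf will not be sent on the new HTTPS listener. If HSTS is wanted for this host, repeat `add_header Strict-Transport-Security max-age=15768000;` inside the block. The server block continues past the end of the hunk, so a `location` further down may change the picture.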
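Review bot: The comment above the changed `ssl_certificate` lines in main.conf still describes a single-name default, but the pair at this path is now expected to be the SAN certificate requested in nginx-svc.yaml for `tazj.in`, `www.tazj.in`, `ip.tazj.in` and `git.tazj.in`. The server blocks touched in http.conf no longer set their own certificate and fall back to this one, so a `server_name` missing from the `acme/certificate` list would be served a certificate that does not match it. I would reword the comment to something like `# Default SAN cert (tazj.in, www, ip, git); names not listed in acme/certificate in nginx-svc.yaml need their own ssl_certificate`. The `http` block starts and ends outside the hunk.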
--- a/nginx/nginx.yaml +++ b/nginx/nginx.yaml @@ -19,10 +19,6 @@ spec: volumeMounts: - name: tazj-in-tls mountPath: /etc/nginx/ssl/tazj.in - - name: www-tazj-in-tls - mountPath: /etc/nginx/ssl/www.tazj.in - - name: git-tazj-in-tls - mountPath: /etc/nginx/ssl/git.tazj.in - name: nginx-dhparam mountPath: /etc/nginx/ssl/dhparam - name: nginx-config @@ -44,13 +40,7 @@ spec: volumes: - name: tazj-in-tls secret: - secretName: tazj-in-tls - - name: www-tazj-in-tls - secret: - secretName: www-tazj-in-tls - - name: git-tazj-in-tls - secret: - secretName: git-tazj-in-tls + secretName: tazj.in-tls - name: nginx-dhparam secret: secretName: nginx-dhparam |
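Review bot: The new `secretName: tazj.in-tls` in the `volumes` hunk has to match the `acme/secretName` annotation in nginx-svc.yaml exactly, and nothing in either file records that link. The volume keeps the hyphenated name `tazj-in-tls` while the secret now contains a dot, which is easy to "correct" by mistake. A comment such as `# must equal acme/secretName in nginx-svc.yaml` on that line would document it. Presumably the pod cannot start until the controller has created that secret, so the Service annotation should be applied before this manifest is rolled out. The `volumes` list continues outside the hunk.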