content/posts/2021/2021-09-23-dns-01-challenge-wildcard-cert-kubernetes.md

@@ -168,4 +168,152 @@ What happens now?
 Let’s Encrypt detects a Certificate Request, and makes the request to the servers
 It uses the webhook to create a TXT DNS entry, here it’s : _acme-challenge.scw.vrchr.fr
 The server will check the DNS entry, and validate the request. Be patient, DNS propagation can be long…
-The certificate is now created, and a secret is now in you cluster!
\ No newline at end of file
+The certificate is now created, and a secret is now in you cluster!
+
+
+![TLS Certificate stored in secrets](/2021/09/2021-09-23-secrets-wildcard.png)
+
+### Application deployment
+
+OK! We have now a wildcard certificate automatically managed, so let’s use it!
+
+We create a simple deployment, expose the application, and create an ingress rule. The important configuration is in the ingress, which specify which TLS certificate to use.
+We don’t need to add specific annotation for the ingress controller, as the wildcard certificate is already created and managed by the previous CRD.
+As we have created a wildcard, every FQDN matching the wildcard will be valid:
+
+```yaml
+[...]
+spec:
+  tls:
+  - hosts:
+    - "*.scw.vrchr.fr" 
+    secretName: wildcard-scw-vrchr-fr-tls
+[...]
+```
+
+Here is the complete deployment, using the [jpetazzo/webcolor](https://hub.docker.com/r/jpetazzo/webcolor) application to expose different colors.
+
+**Deployment & Service example**:
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: green
+spec:
+  selector:
+    matchLabels:
+      app: green
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: green
+    spec:
+      containers:
+      - image: jpetazzo/webcolor
+        name: webcolor
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: green
+spec:
+  ports:
+  - port: 8000
+    targetPort: 8000
+  selector:
+    app: green
+```
+
+**Ingress**:
+
+```yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: color-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  tls:
+  - hosts:
+    - "*.scw.vrchr.fr" 
+    secretName: wildcard-scw-vrchr-fr-tls
+  rules:
+  - host: green.scw.vrchr.fr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: green
+            port:
+              number: 8000
+  - host: purple.scw.vrchr.fr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: purple
+            port:
+              number: 8000
+  - host: yellow.scw.vrchr.fr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: yellow
+            port:
+              number: 8000
+```
+
+```shell
+$ kubectl apply -f dep_green.yaml
+$ kubectl apply -f wildcard_tls_ingress.yaml
+```
+
+Now, accessing to https://green.scw.vrchr.fr would present a wildcard certificate!
+
+![Green Page](/2021/09/2021-09-23-dns-green.png)
+
+![Yellow Page](/2021/09/2021-09-23-dns-yellow.png)
+
+![Wildcard Certificate](/2021/09/2021-09-23-dns-cert.png)
+
+## Conclusion and Remarks
+
+We have seen here how to:
+
+- Deploy a Kubernetes Cluster on Scaleway using Terraform
+- Deploy Cert Manager and Nginx using Helm chart in Terraform
+- Deploy Scaleway DNS Webhook
+- Request a Wildcard Certificate using the DNS-01 protocol
+- Deploy an application in a subdomain, using a ingress rule presenting the wildcard DNS
+
+Now you can deploy many sub-application as we want, all using the same wildcard TLS certificates. For the comprehensive read, I deployed applications in the same namespace, please feel free to read cert-manager docs if you want to share certificates across multiples NS.
+
+Note that I could use another cloud provider, but I like experiment french ones ;)
+
+Finally, You can find code example in my GitLab repository, here : https://gitlab.com/rverchere/vrchr-k8s-dns-demo
+
+And remember, it’s always DNS!
+
+![DNS Haiku](/2021/09/2021-09-23-dns-01.jpg)
+
+## References
+
+These resources were very useful to understand these concepts and write my article:
+
+- https://particule.io/blog/scaleway-cert-manager/
+- https://www.youtube.com/watch?v=OvxSk5YVvII&t=1366s
+- https://cert-manager.io
+- https://registry.terraform.io/providers/scaleway/scaleway/latest