Cert-manager Integration with Let's Encrypt
GoodData.CN ready for Kubernetes will be published during May 2021. Stay tuned and watch
GoodData Developers website.
TODO - these pages need to be revisited and updated after TLS and Organizations updates.
If you decide to use automatically managed TLS certificates, you can install cert-manager and configure it according to your requirements. Follow the cert-manager documentation for details specific to your environment. This example shows how to get a free TLS certificate from the non-profit Let’s Encrypt Certificate Authority.
- Add a CAA record to your DNS domain
company.com. CAA 0 issue "letsencrypt.org"
- Create the namespace and install cert-manager. Please make sure you’re using Helm version 3.3.1 to avoid a bug with deeply nested CRDs.
$ helm repo add jetstack https://charts.jetstack.io
$ helm --namespace cert-manager install cert-manager \
    jetstack/cert-manager --set installCRDs=true \
    --create-namespace
- Configure ClusterIssuer
Prepare the configuration of an ACME issuer pointing to the Let’s Encrypt API in the file
issuer-letsencrypt-production.yaml. Don’t forget to set
# File issuer-letsencrypt-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ENTER-YOUR-EMAIL-HERE
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
Apply configuration using command:
$ kubectl -n cert-manager apply -f issuer-letsencrypt-production.yaml
- Pay attention to the following configuration options of the GoodData.CN Helm Chart in the upcoming steps as these
are closely related to the usage of
The Issuer configuration example above uses the HTTP-01 challenge solver. This means that the ingress controller must be reachable from the Internet. If this is not an option, configure and use the
DNS-01 solver instead.
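
For comparison with the HTTP-01 issuer above, here is a DNS-01 variant of the same ClusterIssuer. It is an added example, not part of the GoodData.CN documentation. It assumes the company.com zone is hosted at Cloudflare and that a Secret named cloudflare-api-token (key api-token) already exists; the issuer name and Secret name are hypothetical.

```yaml
# Added example, not from the GoodData.CN documentation.
# Assumptions: the DNS zone is hosted at Cloudflare, and a Secret called
# cloudflare-api-token (key: api-token) was created beforehand in the
# cert-manager namespace, which is where a ClusterIssuer looks up the
# Secrets it references by default.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production-dns01        # hypothetical name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ENTER-YOUR-EMAIL-HERE
    privateKeySecretRef:
      name: letsencrypt-production-dns01    # ACME account key, created by cert-manager
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token      # hypothetical Secret name
            key: api-token
      # Use this solver only for names inside the listed zone.
      selector:
        dnsZones:
        - company.com
```

With DNS-01 the ingress controller does not need to be reachable from the Internet, but the cluster now holds a credential that can modify DNS records. Limit the API token to DNS record edits for this one zone.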