docs/doc/source/security/kubernetes/enable-public-use-of-the-cert-manager-acmesolver-image.rst
egoncalv 4dd4fa7463 Editorial updates - Admin Tasks, User tasks, and Updates and Upgrades Guides.
Acted on Greg's comments

Patch 1: Acted on Greg's comments and added the missing files.

Patch 2: Solved merge conflicts

Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com>
Change-Id: I70c5d3b9c3927320f977b62878ee60ab9956fc91
2021-05-28 13:55:44 +00:00


Enable Public Use of the cert-manager-acmesolver Image

When an arbitrary non-admin user creates a certificate with an external CA, cert-manager dynamically creates a pod (image=cert-manager-acmesolver) and an ingress in the user-specified namespace in order to handle the http01 challenge from the external CA.

As part of the application-apply of cert-manager at bootstrap time, the cert-manager-acmesolver image has been pulled from an external registry and pushed to registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:<tag>. However, this repository within registry.local is secured such that only admin can access these images.

The registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:<tag> image needs to be copied by admin into a public repository, registry.local:9001/public. If you have not yet set up a public repository, see Set up a Public Repository in Local Docker Registry <setting-up-a-public-repository>.

  1. Determine the image tag of the cert-manager-acmesolver image.

    ~(keystone_admin)]$ system registry-image-tags quay.io/jetstack/cert-manager-acmesolver

  2. Copy the cert-manager-acmesolver image, replacing <TAG> with the tag you want to copy from the previous step.

    $ sudo docker login registry.local:9001
    username: admin
    password: <admin-password>
    $
    $ sudo docker pull registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:<TAG>
    $ sudo docker tag registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:<TAG>  registry.local:9001/public/cert-manager-acmesolver:<TAG>
    $ sudo docker push registry.local:9001/public/cert-manager-acmesolver:<TAG>

  3. Update the cert-manager application to use this public image.

    1. Create an overrides file.

      ~(keystone_admin)]$ cat <<EOF > cm-override-values.yaml
      acmesolver:
        image:
          repository: registry.local:9001/public/cert-manager-acmesolver
      EOF

    2. Apply the overrides.

      ~(keystone_admin)]$ system helm-override-update --values cm-override-values.yaml cert-manager cert-manager cert-manager

    3. Reapply cert-manager.

      ~(keystone_admin)]$ system application-apply cert-manager
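
Steps 2 and 3 above combined into one script, added here as an example and not part of the StarlingX documentation. It assumes admin has already run sudo docker login registry.local:9001 and that the keystone_admin credentials are loaded; the tag check, the DRY_RUN switch and the script name are additions of this example.

```sh
#!/bin/sh
# Added example, not from the StarlingX documentation: steps 2 and 3 above as
# one script. Assumes "sudo docker login registry.local:9001" was already done
# as admin and the keystone_admin credentials are loaded for the system CLI.
set -eu

REGISTRY="registry.local:9001"
SRC_REPO="$REGISTRY/quay.io/jetstack/cert-manager-acmesolver"
DST_REPO="$REGISTRY/public/cert-manager-acmesolver"
OVERRIDES="cm-override-values.yaml"

# Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}. Rejecting anything
# else keeps a mistyped or pasted value from changing which image is copied.
valid_tag() {
  case "$1" in
    '' | [.-]* | *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 128 ]
}

# Helm overrides from step 3.1: only the repository changes, as on the page.
overrides_yaml() {
  printf 'acmesolver:\n  image:\n    repository: %s\n' "$DST_REPO"
}

# With DRY_RUN=1 print each command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

publish_acmesolver() {
  tag=$1
  valid_tag "$tag" || { echo "invalid image tag: $tag" >&2; return 2; }
  run sudo docker pull "$SRC_REPO:$tag"
  run sudo docker tag "$SRC_REPO:$tag" "$DST_REPO:$tag"
  run sudo docker push "$DST_REPO:$tag"
  if [ "${DRY_RUN:-0}" = 1 ]; then overrides_yaml; else overrides_yaml > "$OVERRIDES"; fi
  run system helm-override-update --values "$OVERRIDES" \
    cert-manager cert-manager cert-manager
  run system application-apply cert-manager
}

# Usage: DRY_RUN=1 ./publish-acmesolver.sh <TAG>   (script name is hypothetical)
if [ "$#" -gt 0 ]; then publish_acmesolver "$1"; fi
```

Run it once with DRY_RUN=1 to review the exact image references before anything is pushed to the public repository.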