data:image/s3,"s3://crabby-images/4fa2d/4fa2dc578cb9f460ca6d8114d888f856144ad8ce" alt="Elisamara Aoki Goncalves"
Fixed text formatting issues. Fixed title, added reference and added subheading to page. Removed extra space in code-block. Created new topics properly and fixed acronyms and formatting issues. Fixed code-block issues. Added extra bullet in External CA and Ingress Controller Example. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I8923a91745f41e75a09c1642776cf6d0275f31f3
External CA and Ingress Controller Example
This section describes how to configure an application to use an Ingress Controller both to expose its -based service and to use an External CA for signing certificates.
Note that, alternatively, an Internal CA could be used with an Ingress Controller-based solution as well.
This example requires that:
- The LetsEncrypt in the public internet can send an http01 challenge to the of the 's floating IP address.
- The has access to the kuard demo application at gcr.io/kuar-demo/kuard-amd64:blue.
- Ensure that your administrator has shared the local registry's public repository's credentials/secret with the namespace where you will create certificates. This will allow you to leverage the registry.local:9001/public/cert-manager-acmesolver image. See Set up a Public Repository in Local Docker Registry.
- Ensure that your administrator has enabled use of the cert-manager apiGroups in your policies.
- Ensure that your administrator has opened ports 80 and 443 in GlobalNetworkPolicy.
Create a LetsEncrypt Issuer in the default namespace by applying the following manifest file:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: dave.user@hotmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
Create a deployment of the kuard demo application (https://github.com/kubernetes-up-and-running/kuard) with an Ingress using cert-manager by applying the following manifest file, where both starlingx.mycompany.com and kuard.starlingx.mycompany.com are that map to the Floating IP of . (You should substitute these for for the installation.)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kuard
  template:
    metadata:
      labels:
        app: kuard
    spec:
      containers:
      - name: kuard
        image: gcr.io/kuar-demo/kuard-amd64:blue
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: kuard
  labels:
    app: kuard
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: kuard
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: "letsencrypt-prod"
  name: kuard
spec:
  tls:
  - hosts:
    - kuard.starlingx.mycompany.com
    secretName: kuard-ingress-tls
  rules:
  - host: kuard.starlingx.mycompany.com
    http:
      paths:
      - backend:
          serviceName: kuard
          servicePort: 80
        path: /
Access the kuard demo from your browser to inspect and verify that the certificate is signed by LetsEncrypt. For this example, the URL would be https://kuard.starlingx.mycompany.com.
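The browser check above can also be scripted. The following POSIX shell script is an added example, not part of the StarlingX documentation: it fetches the leaf certificate the ingress controller presents for the kuard host and confirms that the issuer is Let's Encrypt and that the Subject Alternative Name list covers the host, rather than the placeholder "Kubernetes Ingress Controller Fake Certificate" that ingress-nginx serves while the kuard-ingress-tls secret has not yet been issued. It assumes openssl is installed on the machine you run it from; the host name defaults to the one used in this example.

```shell
#!/bin/sh
# Added example (not from the StarlingX docs): verify the certificate served for
# the kuard Ingress. Requires the openssl command-line tool.

# Fetch the leaf certificate presented for host $1 (using SNI) into PEM file $2.
fetch_leaf_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM >"$2"
}

# Check PEM file $1 for host $2. Returns 0 only if the issuer is Let's Encrypt
# and the SAN list contains the host; prints the reason and returns 1 otherwise.
check_leaf_cert() {
  pem="$1"; host="$2"
  subject=$(openssl x509 -in "$pem" -noout -subject)
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  # The SAN entries are printed on the line after the extension header.
  sans=$(openssl x509 -in "$pem" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1)
  case "$subject" in
    *"Kubernetes Ingress Controller Fake Certificate"*)
      echo "placeholder certificate served; kuard-ingress-tls not issued yet"
      return 1 ;;
  esac
  case "$issuer" in
    *"Let's Encrypt"*) ;;
    *) echo "unexpected issuer: $issuer"; return 1 ;;
  esac
  case "$sans" in
    *"DNS:$host"|*"DNS:$host,"*) ;;
    *) echo "certificate does not cover $host (SANs:$sans)"; return 1 ;;
  esac
  echo "OK: $host served a Let's Encrypt certificate ($issuer)"
  return 0
}

# End-to-end check against the live ingress, e.g.:
#   sh verify-ingress-cert.sh kuard.starlingx.mycompany.com
verify_ingress_cert() {
  tmp=$(mktemp) || return 1
  if fetch_leaf_cert "$1" "$tmp" && check_leaf_cert "$tmp" "$1"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

if [ $# -gt 0 ]; then verify_ingress_cert "$1"; fi
```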