For users to access the web applications they need to manage Deeploy, you'll need a TLS certificate that covers the following domains (same as you configured in the previous step):
- deeploy.example.com
- api.deeploy.example.com
To obtain a TLS certificate, complete one of the following setups:
- Option 1: Obtain a TLS certificate from Let's Encrypt with Certbot and apply it manually.
- Option 2: Configure automatic renewal of TLS certificates using Cert Manager (already installed in step 4).
Option 1
The easiest way to create your certificates is to run certbot with Docker:
- Replace `/Your-local-path` in the code snippets below with a directory on your machine. Note: you do not have to create the `letsencrypt` folders in this path; certbot creates them automatically.
- Run the snippet for each domain and follow the instructions in the terminal. Note: you will need access to your DNS provider to add the `TXT` record that Let's Encrypt validates (DNS challenge).
For `deeploy.example.com`:
```bash
docker run -it --rm --name letsencrypt \
-v /Your-local-path/letsencrypt1:/etc/letsencrypt \
-v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
certbot/certbot:latest certonly -d "deeploy.example.com" \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
```
For `api.deeploy.example.com`:
```bash
docker run -it --rm --name letsencrypt \
-v /Your-local-path/letsencrypt1:/etc/letsencrypt \
-v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
certbot/certbot:latest certonly -d "api.deeploy.example.com" \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
```
After the certificate has been issued, 3 files have been created in the /Your-local-path/letsencrypt1/live/deeploy.example.com/ folder (certbot names this folder after the domain passed with `-d`, so the second run writes to live/api.deeploy.example.com/). You will need the `fullchain.pem` and `privkey.pem` files.
You can create the `deeploy-cert` Kubernetes TLS Secret using the code snippet below:
```bash
kubectl create secret tls deeploy-cert \
--cert /Your-local-path/letsencrypt1/live/deeploy.example.com/fullchain.pem \
--key /Your-local-path/letsencrypt1/live/deeploy.example.com/privkey.pem \
-n istio-system
```
You can create the `deeploy-api-cert` Kubernetes TLS Secret using the code snippet below (the second certbot run stored its files under the api.deeploy.example.com lineage):
```bash
kubectl create secret tls deeploy-api-cert \
--cert /Your-local-path/letsencrypt1/live/api.deeploy.example.com/fullchain.pem \
--key /Your-local-path/letsencrypt1/live/api.deeploy.example.com/privkey.pem \
-n istio-system
```
Option 2
Since Cert Manager is already installed (step 4), the following steps configure automatic renewal with the DNS01 challenge (see the official Cert Manager DNS01 guide):
- Prepare the DNS01 solver for your DNS provider of choice, e.g. Google CloudDNS, following the Cert Manager instructions.
- Create a ClusterIssuer resource that declares how certificate requests will be fulfilled. To do so, first create a `clusterissuer.yaml` file with the following values (example with Google CloudDNS):
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <your-email>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cert-manager-issuer-secret-key
    solvers:
    - selector: {}
      dns01:
        cloudDNS:
          project: <your-google-project>
          serviceAccountSecretRef:
            name: <sa-name>
            key: <key.json>
```
Create the ClusterIssuer:
```bash
kubectl apply -f clusterissuer.yaml
```
- Create a Certificate resource for each hostname that declares the certificate you'll request from Let's Encrypt. To do so, first create a `certificate.yaml` file, replacing deeploy.example.com with your own domain:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-cert
  namespace: istio-system
spec:
  secretName: deeploy-cert
  dnsNames:
  - deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-api-cert
  namespace: istio-system
spec:
  secretName: deeploy-api-cert
  dnsNames:
  - api.deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```
Create the Certificates:
```bash
kubectl apply -f certificate.yaml
```
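Whichever option you used, it is worth confirming that the certificate actually loaded into the `deeploy-cert` and `deeploy-api-cert` Secrets lists the expected hostnames and is not close to expiry. The check below is an added example, not part of the Deeploy documentation; it assumes `openssl` is in your PATH and works on certbot's `fullchain.pem` as well as on a `tls.crt` extracted from the Secret.

```shell
# check_cert_covers: verify a PEM certificate lists every required hostname in
# its subjectAltName and will still be valid in <min_days> days.
# To check the Secret created above, extract its leaf certificate first:
#   kubectl get secret deeploy-cert -n istio-system \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > deeploy-cert.pem
# Assumes openssl is installed.
# Usage: check_cert_covers <cert.pem> <min_days> <host> [<host>...]
check_cert_covers() {
  cert=$1
  min_days=$2
  shift 2
  # openssl x509 reads only the first PEM block, i.e. the leaf certificate of a
  # fullchain.pem, which is the one that must carry the hostnames.
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p')
  if [ -z "$sans" ]; then
    echo "FAIL: $cert has no DNS subjectAltName"
    return 1
  fi
  rc=0
  for host in "$@"; do
    # A wildcard matches exactly one label: *.deeploy.example.com covers
    # api.deeploy.example.com but not deeploy.example.com itself, which is why
    # the apex and the api hostname need their own SAN entries or certificates.
    parent=${host#*.}
    if printf '%s\n' "$sans" | grep -Fqx -e "$host" -e "*.$parent"; then
      echo "ok: $host is covered"
    else
      echo "FAIL: $host is not in SAN: $(printf '%s' "$sans" | tr '\n' ' ')"
      rc=1
    fi
  done
  # -checkend fails when the certificate expires within the given seconds;
  # Let's Encrypt certificates are valid for 90 days, so renew well before that.
  if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "ok: valid for more than $min_days days ($(openssl x509 -in "$cert" -noout -enddate))"
  else
    echo "FAIL: certificate expires within $min_days days"
    rc=1
  fi
  return $rc
}
```

Run it as `check_cert_covers deeploy-cert.pem 30 deeploy.example.com` for each Secret; a non-zero exit means the hostname is missing or renewal is due.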