In order for users to reach the web applications used to manage Deeploy, you'll need a TLS certificate that covers the following domains (the same ones you configured in the previous step):
deeploy.example.com
api.deeploy.example.com
To obtain a TLS certificate, complete one of the following setups:
- Option 1: Obtain a TLS certificate from Let's Encrypt with Certbot and apply it manually.
- Option 2: Configure automatic renewal of TLS certificates using Cert Manager (already installed in step 4).
Option 1
The easiest way to create your certificate is using Certbot with Docker:
- Change your-local-path in the code snippets below. Note: you don't have to create the letsencrypt folder in this path; it will be created automatically.
- Run the snippets for both domains and follow the instructions in the terminal. Note: you'll need access to your DNS provider in order to add a TXT record that Let's Encrypt can validate.
deeploy.example.com
docker run -it --rm --name letsencrypt \
-v /Your-local-path/letsencrypt1:/etc/letsencrypt \
-v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
certbot/certbot:latest certonly -d "deeploy.example.com" \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
api.deeploy.example.com
docker run -it --rm --name letsencrypt \
-v /Your-local-path/letsencrypt1:/etc/letsencrypt \
-v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
certbot/certbot:latest certonly -d "api.deeploy.example.com" \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
After completing the certificate creation, 3 files have been created in the /Your-local-path/letsencrypt1/live/deeploy.example.com/ folder. You will need the fullchain.pem and privkey.pem files.
You can create the deeploy-cert Kubernetes TLS Secret using the code snippet below:
kubectl create secret tls deeploy-cert \
--cert /Your-local-path/letsencrypt1/live/deeploy.example.com/fullchain.pem \
--key /Your-local-path/letsencrypt1/live/deeploy.example.com/privkey.pem \
-n istio-system
You can create the deeploy-api-cert Kubernetes TLS Secret using the code snippet below:
kubectl create secret tls deeploy-api-cert \
--cert /Your-local-path/letsencrypt1/live/deeploy.example.com-0001/fullchain.pem \
--key /Your-local-path/letsencrypt1/live/deeploy.example.com-0001/privkey.pem \
-n istio-system
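As an added example (not part of the Deeploy documentation or its tooling), the following Go program performs the checks worth running on a fullchain.pem / privkey.pem pair before it becomes the deeploy-cert or deeploy-api-cert Secret: the private key must match the leaf certificate, the leaf's SANs must cover the configured host names, and enough validity must remain. SelfSignedPair is a constructed stand-in for Certbot's output so the check runs offline; the host names and the 30-day margin used in the test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CheckPair validates a fullchain.pem / privkey.pem pair before it is loaded into a Kubernetes TLS
// Secret: key matches the leaf, SANs cover every required host, validity lasts at least minRemaining.
func CheckPair(certPEM, keyPEM []byte, hosts []string, minRemaining time.Duration) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key that does not match the cert
	if err != nil {
		return fmt.Errorf("key/cert mismatch or malformed PEM: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0]) // first PEM block of fullchain.pem
	if err != nil {
		return err
	}
	for _, h := range hosts {
		if err := leaf.VerifyHostname(h); err != nil { // matches SANs, not the subject CN
			return fmt.Errorf("certificate does not cover %s: %w", h, err)
		}
	}
	if left := time.Until(leaf.NotAfter); left < minRemaining {
		return fmt.Errorf("certificate expires in %s (%s)", left.Round(time.Hour), leaf.NotAfter.UTC())
	}
	return nil
}

// SelfSignedPair is a constructed stand-in for Certbot's output so the check can run offline.
func SelfSignedPair(sans []string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an ed25519 key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}
```

Run CheckPair on the exact files you pass to kubectl create secret tls, with the host names from the start of this step.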
Option 2
Since Cert Manager is already installed, the following steps are needed to configure auto renewal with DNS01 (see here for the official Cert Manager guide):
- Prepare your DNS01 cluster issuer of choice, e.g. AWS Route 53. Follow the instructions by Cert Manager.
- Create a ClusterIssuer resource that declares how requests for certificates will be fulfilled. To do so, first create a clusterissuer.yaml file with the following values (example with Route53):
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <your-email>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cert-manager-issuer-secret-key
    solvers:
    - selector: {}
      dns01:
        route53:
          region: <your-aws-region>
Create the ClusterIssuer:
kubectl apply -f clusterissuer.yaml
- Create a Certificate resource that declares the type of certificate you'll request from Let's Encrypt. To do so, first create a certificate.yaml file, replacing deeploy.example.com with yours:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-cert
  namespace: istio-system
spec:
  secretName: deeploy-cert
  dnsNames:
  - deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-api-cert
  namespace: istio-system
spec:
  secretName: deeploy-api-cert
  dnsNames:
  - api.deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
Create the Certificate:
kubectl apply -f certificate.yaml