124 lines
2.8 KiB
Markdown
124 lines
2.8 KiB
Markdown
# ClusterIssuer
|
|
|
|
Allows certificate requests from an ACME provider. This is used to enable HTTPS TLS for services you stand up.
|
|
|
|
## Setup
|
|
|
|
see [cert-manager kubectl install](https://cert-manager.io/docs/installation/kubectl/) for more info
|
|
|
|
=== "v1.18"
|
|
|
|
``` bash
|
|
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.0/cert-manager.yaml
|
|
```
|
|
|
|
create at least one of the `clusterissuers` types below
|
|
|
|
### External
|
|
|
|
uses LetsEncrypt and public DNS records to sign https for your sites
|
|
|
|
``` yaml title="letsencrypt/clusterissuer.yml"
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
name: letsencrypt-prod
|
|
namespace: default
|
|
spec:
|
|
acme:
|
|
server: https://acme-v02.api.letsencrypt.org/directory
|
|
email: ${EMAIL}
|
|
privateKeySecretRef:
|
|
name: letsencrypt-prod
|
|
solvers:
|
|
- selector: {}
|
|
http01:
|
|
ingress:
|
|
class: traefik
|
|
```
|
|
|
|
### Internal
|
|
|
|
pointed at an internal ACME provider to generate certs for an intranet
|
|
|
|
``` yaml title="internal/clusterissuer.yml"
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
name: internal-issuer
|
|
spec:
|
|
acme:
|
|
email: ${EMAIL}
|
|
server: ${ACME_URL}
|
|
privateKeySecretRef:
|
|
name: interal-issuer-account-key
|
|
caBundle: ${CA_BUNDLE_BASE64} # ca bundle that was used to generate the tls cert for the acme site
|
|
solvers:
|
|
- selector: {}
|
|
http01:
|
|
ingress:
|
|
class: traefik
|
|
```
|
|
|
|
## Certificate
|
|
|
|
### Example
|
|
|
|
create a `certificate.yml` file for a traefik `IngressRoute`
|
|
|
|
=== "Certificate"
|
|
|
|
``` yaml
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: io-rsk-docs-tls
|
|
spec:
|
|
secretName: io-rsk-docs-tls
|
|
issuerRef:
|
|
name: dev-step-issuer
|
|
kind: ClusterIssuer
|
|
commonName: docs.dev.rsk.io
|
|
dnsNames:
|
|
- docs.dev.rsk.io
|
|
privateKey:
|
|
algorithm: RSA
|
|
encoding: PKCS1
|
|
size: 2048
|
|
usages:
|
|
- server auth
|
|
- client auth
|
|
duration: 2160h # 90 days
|
|
renewBefore: 360h # 15 days
|
|
secretTemplate:
|
|
annotations:
|
|
kubeseal-secret: "true"
|
|
labels:
|
|
domain: docs-dev-rsk-io
|
|
```
|
|
|
|
=== "IngressRoute"
|
|
|
|
``` yaml
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: rskio-docs
|
|
spec:
|
|
entryPoints:
|
|
- web
|
|
- websecure
|
|
routes:
|
|
- match: Host(`docs.dev.rsk.io`)
|
|
kind: Rule
|
|
services:
|
|
- name: rskio-docs
|
|
port: 80
|
|
tls:
|
|
secretName: io-rsk-docs-tls
|
|
```
|
|
|
|
After applying this `Certifcate` a `Secret` is created containing the `.crt` and `.key` files.
|
|
These are loaded by the traefik.io `IngressRoute` under `spec.tls.secretName`.
|
|
This enables usage of the tls cert for https client reachability.
|