
Ability to leverage certs via cert-manager #29

Closed
aegershman opened this issue Apr 12, 2019 · 1 comment

Comments


aegershman commented Apr 12, 2019

(Background: using PKS 1.13.6 on vSphere leveraging NSX)

Hey there!

I'd like to leverage cert-manager to manage generating and rotating TLS certs via the letsencrypt issuer rather than manually generating them & having to pass them in to the deployment (via a secret .secrets.yml file or something). This reduces operational overhead and makes our Concourse helm deployment YAMLs more declarative.

Having the certs associated to the Ingress resource is doable in this configurable annotation block, which can be configured with something like certmanager.k8s.io/cluster-issuer: letsencrypt-prod (in the default values.yml, an example of kubernetes.io/tls-acme: 'true' is used, which is what cert-manager used to use as its "activation annotation", apparently). This can automatically generate and apply a TLS cert for the hostname specified on the Ingress, but that's only on the Ingress resource.

I'm under the impression we need ATC itself to leverage the cert, which requires setting concourse.web.tls.enabled, which means the webTlsCert and webTlsKey must be provided as literal values.

With that said:

  1. Does using cert-manager/let's-encrypt seem like a reasonable use-case?
  2. If so, is there a way the cert values generated via cert-manager on the Ingress could be referenced by webTls?
  3. More generally, is there a way for keys to be dynamically generated using some resource within k8s rather than generating them "externally" and providing them?

The goal I had in mind was to reduce "moving parts" involved in managing Concourse via helm, e.g. generating/acquiring certs, storing them in credhub or lastpass, monitoring their expiration, etc.

Thoughts?

thanks for your time 👍
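As an added illustration (not part of the original issue or of the Concourse chart), this is the cert-manager side of what the post describes: a Let's Encrypt ClusterIssuer named letsencrypt-prod and an Ingress carrying the cluster-issuer annotation, so cert-manager issues the certificate into a Secret holding tls.crt and tls.key. The hostname, Secret name, contact e-mail, ingress class, service name and port are assumed placeholders, and the API version is the certmanager.k8s.io/v1alpha1 one current at the time of the post.

```yaml
# Assumed example: ACME issuer that cert-manager uses for every
# Ingress annotated with certmanager.k8s.io/cluster-issuer: letsencrypt-prod
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com            # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account  # ACME account key, created by cert-manager
    http01: {}                        # HTTP-01 challenge served through the Ingress
---
# Assumed example: Ingress for the Concourse web service. The annotation
# replaces the older kubernetes.io/tls-acme: 'true' activation annotation.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: concourse-web
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - concourse.example.com           # placeholder hostname
    secretName: concourse-web-tls     # cert-manager writes tls.crt / tls.key here
  rules:
  - host: concourse.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: concourse-web  # placeholder service name
          servicePort: 8080           # placeholder ATC port
```

The issued certificate and key then live in the concourse-web-tls Secret and are renewed by cert-manager; the open question in the post is whether the chart's webTlsCert/webTlsKey values can consume that Secret instead of literal values.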

@acherifi

Hi!
Did you come up with a solution? I'm struggling with the same thing right now.
