diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e14f140..aa5b0df4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [v0.7.1] - Unreleased + +### Breaking Changes +- Remove hard-coded cert-manager configuration from ingress template [#227](https://github.com/developmentseed/eoapi-k8s/pull/227) + +### Changed +- Simplify TLS configuration to allow user-controlled certificate management [#227](https://github.com/developmentseed/eoapi-k8s/pull/227) +- Update documentation with comprehensive cert-manager setup guide [#227](https://github.com/developmentseed/eoapi-k8s/pull/227) + ## [v0.7.0] - 2025-04-30 ### Breaking Changes diff --git a/docs/unified-ingress.md b/docs/unified-ingress.md index f287e704..77157ddc 100644 --- a/docs/unified-ingress.md +++ b/docs/unified-ingress.md @@ -34,9 +34,6 @@ ingress: tls: enabled: false secretName: eoapi-tls - certManager: false - certManagerIssuer: letsencrypt-prod - certManagerEmail: "" ``` ## Controller-Specific Configurations 
@@ -89,6 +86,77 @@ ingress: secretName: eoapi-tls ``` +## Setting up TLS with cert-manager + +[cert-manager](https://cert-manager.io) can be used to automatically obtain and manage TLS certificates. Here's how to set it up with Let's Encrypt: + +1. First, install cert-manager in your cluster: +```bash +helm repo add jetstack https://charts.jetstack.io +helm repo update +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --set installCRDs=true +``` + +2. Create a ClusterIssuer for Let's Encrypt (staging first for testing): +```yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + # Use Let's Encrypt staging environment first + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: your-email@example.com + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx # or traefik, depending on your setup +``` + +3. After testing with staging, create the production issuer: +```yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: your-email@example.com + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx # or traefik, depending on your setup +``` + +4. Configure your eoAPI ingress to use cert-manager: +```yaml +ingress: + enabled: true + className: "nginx" # or "traefik" + host: "eoapi.example.com" + annotations: + # Add cert-manager annotations + cert-manager.io/cluster-issuer: "letsencrypt-prod" + tls: + enabled: true + secretName: eoapi-tls # cert-manager will create this secret +``` + +The certificate will be automatically obtained and renewed by cert-manager. The process typically takes a few minutes. 
You can check the certificate status with: +```bash +kubectl get certificate +``` + ## Migration If you're migrating from a version 0.6.0 or earlier, follow these guidelines: diff --git a/helm-chart/eoapi/.helmignore b/helm-chart/eoapi/.helmignore index faeb926b..ffdee0c3 100644 --- a/helm-chart/eoapi/.helmignore +++ b/helm-chart/eoapi/.helmignore @@ -22,3 +22,6 @@ *.tmproj .vscode/ tests/ + +# Documentation files in templates +templates/*/*.md diff --git a/helm-chart/eoapi/templates/services/ingress.yaml b/helm-chart/eoapi/templates/services/ingress.yaml index 04bff69b..3ddfa596 100644 --- a/helm-chart/eoapi/templates/services/ingress.yaml +++ b/helm-chart/eoapi/templates/services/ingress.yaml @@ -20,9 +20,6 @@ metadata: traefik.ingress.kubernetes.io/router.entrypoints: web traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-strip-prefix-middleware-{{ $.Release.Name }}@kubernetescrd {{- end }} - {{- if and .Values.ingress.tls.enabled .Values.ingress.tls.certManager .Values.ingress.tls.certManagerIssuer }} - cert-manager.io/issuer: {{ .Values.ingress.tls.certManagerIssuer }} - {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} diff --git a/helm-chart/eoapi/values.yaml b/helm-chart/eoapi/values.yaml index 9e0514d7..96ef7c8e 100644 --- a/helm-chart/eoapi/values.yaml +++ b/helm-chart/eoapi/values.yaml @@ -55,9 +55,6 @@ ingress: tls: enabled: false secretName: eoapi-tls - certManager: false - certManagerIssuer: letsencrypt-prod - certManagerEmail: "" ###################### # DATABASE
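Review bot: The Breaking Changes entry in the CHANGELOG hunk names what was removed but not what a user has to do instead; since `certManager`, `certManagerIssuer` and `certManagerEmail` disappear from `values.yaml` with no deprecation period, the entry should state the replacement in one line, e.g. "set `cert-manager.io/cluster-issuer` (or `cert-manager.io/issuer`) under `ingress.annotations`", and link the new "Setting up TLS with cert-manager" section rather than only the PR number.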
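Review bot: The new docs section (the `@@ -89,6 +86,77 @@` hunk in `docs/unified-ingress.md`) switches from the template's old `cert-manager.io/issuer` annotation to `cert-manager.io/cluster-issuer`, so a deployment that previously relied on a namespaced `Issuer` named `letsencrypt-prod` will get no certificate after following step 4 unless it either creates the `ClusterIssuer` shown or keeps the `cert-manager.io/issuer` annotation; the guide should say that both annotations work and when each applies (a namespaced `Issuer` also keeps the ACME account key confined to one namespace, which some operators prefer). Two smaller points in the same hunk: `kubectl get certificate` only lists Certificates in the current namespace, so add `-n <release namespace>` since the Ingress and the `eoapi-tls` secret live there; and the `helm install` command has no `--version`, so the cert-manager version installed is whatever the repo serves that day; pinning one makes the step reproducible. Finally, the solver's `ingress.class: nginx` selects challenge ingresses through the legacy `kubernetes.io/ingress.class` annotation while the chart's own Ingress uses `ingressClassName`; on controllers configured to honour only `ingressClassName`, the HTTP-01 challenge ingress may not be served, so mention the solver's `ingressClassName` field as the alternative.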
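Review bot: The `.helmignore` hunk adds `templates/*/*.md`, but no `.md` file under `templates/` appears anywhere in this patch, so the rule is either dead or targets files committed separately; please state which. If it is meant to keep documentation out of the packaged chart, note that it matches only one directory level (`templates/services/README.md` but not `templates/README.md`) and that Helm's `.helmignore` does not support `**`, so a second line `templates/*.md` is needed to cover the top level.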
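Review bot: With the conditional `cert-manager.io/issuer` annotation removed from `templates/services/ingress.yaml`, the documented workflow depends entirely on `ingress.annotations` being rendered into the Ingress metadata, but the hunk context shows only the hard-coded traefik annotations; please confirm the template still renders `.Values.ingress.annotations` and merges them with the traefik block rather than overwriting them, otherwise step 4 of the new docs yields an Ingress with no cert-manager annotation at all. The old block was also gated on `tls.enabled`; now that the annotation is user-supplied, setting it with `tls.enabled: false` gives cert-manager's ingress-shim no `spec.tls` entry to take the host and secret name from, so nothing is issued and nothing fails. A one-line caveat in the docs that the annotation only has effect together with `tls.enabled: true` would avoid that silent failure.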
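Review bot: Removing `certManager`, `certManagerIssuer` and `certManagerEmail` from `values.yaml` means an existing user values file that still sets `certManager: true` is silently ignored on upgrade: the Ingress keeps `tls.enabled: true` and `secretName: eoapi-tls`, the issuer annotation is gone, renewal stops, and TLS serving fails when the current certificate expires. Consider a guard in the ingress template such as `{{- if .Values.ingress.tls.certManager }}{{ fail "ingress.tls.certManager was removed in v0.7.1; set the cert-manager annotation under ingress.annotations instead" }}{{- end }}` (or at least a NOTES.txt warning) so the upgrade fails loudly instead of degrading weeks later.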