Use cert-manager with Let's Encrypt to enable TLS for gcsweb #182
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
size/XL
ixdy
force-pushed
the
letsencrypt-gcsweb
branch
from
fdb5131
to
0700938
Compare
|
To bootstrap cert-manager components (per the cert-manager docs): cd cert-manager/
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
kubectl apply -f cert-manager.yaml --validate=false
kubectl apply -f letsencrypt-staging.yaml
kubectl apply -f letsencrypt-prod.yamlThen create the cd gcsweb.k8s.io/
kubectl apply -f certificate.yaml
kubectl apply -f ingress.yamlSubsequent migrations (spartakus, redirector, etc) only need the latter steps (creating a |
ixdy
force-pushed
the
letsencrypt-gcsweb
branch
from
0700938
to
23a981a
Compare
k8s-ci-robot
added
size/XXL
ixdy
force-pushed
the
letsencrypt-gcsweb
branch
from
23a981a
to
bdbb3c7
Compare
|
Awesome to see, and this lgtm 😄 One thing to note - we've identified an issue with certificate rotation in the webhook component, which could leave the webhook solving with old certificates when renewal times comes along. More details here: cert-manager/cert-manager#1340 The certificate duration here is configured to be 1y for the serving cert, and 5y for the CA used. Just a heads up to upgrade to v0.7 once that is released some time in the next year, or otherwise {somehow remember} to restart your webhook pod in ~8mths time (we renew 4m before expiry). If you want to keep an eye on the expiry state of your certificates, we also expose expiry time prometheus metrics. You might want to set up prometheus/alertmanager/stackdriver or the like, to automatically alert you if a certificate is nearing expiry 😄 |
ixdy
force-pushed
the
letsencrypt-gcsweb
branch
from
bc33908
to
bb51549
Compare
k8s-ci-robot
added
size/XL
cert-manager/README.md
Outdated
| @@ -0,0 +1,12 @@ | |||
| To bootstrap (per the [cert-manager getting started | |||
| guide](https://cert-manager.readthedocs.io/en/latest/getting-started/install.html#installing-with-regular-manifests)): | |||
There was a problem hiding this comment.
nit: may want to pin latest to release-0.6?
cert-manager/README.md
Outdated
|
|
||
| ``` | ||
| kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account) | ||
| kubectl apply -f cert-manager.yaml --validate=false |
There was a problem hiding this comment.
nit: possibly add a note mentioning that --validate=false can go away with k8s 1.13+
| @@ -7,6 +7,8 @@ metadata: | |||
| annotations: | |||
| kubernetes.io/ingress.global-static-ip-name: gcsweb-k8s-io | |||
| spec: | |||
| tls: | |||
| - secretName: gcsweb-k8s-io-tls | |||
There was a problem hiding this comment.
Due to an issue with the way cert-manager obtains certificates from LE (we generate and store a private key before the corresponding certificate has been obtained from Let's Encrypt) (more info: cert-manager/cert-manager#1343) - if you add this field here when no Secret resource already exists, the ingress-gce ingress controller will fail to actually update the GCP API with the load balancer configuration.
Because of this, you must instead create the Certificate resource and obtain the certificate before updating the ingress resource to reference that secret.
We'll be building a workaround into v0.7 which is due in ~1.5wks (most likely, pre-generating a self-signed certificate which can be used in the interim whilst CM is obtaining a publicly trusted certificate).
What this means, is that in order to deploy this the first time, you'll need to apply these changes after creating all the other resources in this PR 😄
There was a problem hiding this comment.
I think I discovered this, but I appreciate the clarification. I added a note to our README as well.
There was a problem hiding this comment.
I've got a fix in progress that will be landing in v0.7 here: cert-manager/cert-manager#1392 😄
ixdy
force-pushed
the
letsencrypt-gcsweb
branch
from
bb51549
to
9ff1832
Compare
|
/approve For followup, I feel like we should have a cert-manager/OWNERS file so this doesn't have to hit root OWNERS |
k8s-ci-robot
added
do-not-merge/hold
|
good point re: |
|
Taking another look, this all looks 👍 to me (although sods law states ...) I'll add my lgtm, but defer a
I'd be happy to put my name forward to be pinged for reviews etc. on this 😄 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
|
added |
|
I am OK with this, but defer actual review to you folks. I will approve but not remove he hold. At your leisure. /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: spiffxp, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
this needs one more |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
The first commit is basically following the cert-manager setup guide and installing
ClusterIssuersfor the staging and prod Let's Encrypt endpoints.The second commit then uses this setup to obtain a certificate for gcsweb and install it in the new Ingress.
I haven't deployed any of this to the real cluster, but I've tested a version of it on my own deployment and cluster: http://gcsweb.ixdyland.net/gcs/kubernetes-jenkins/
Fixes #38
(and paves the way to using this for spartakus and the k8s.io redirectors)
/assign @thockin @hh
cc @munnerz