Add cert-manager docs
kfoozminus committed Jul 18, 2019
1 parent 39cac5f commit 40cb90f
Showing 33 changed files with 914 additions and 0 deletions.
35 changes: 35 additions & 0 deletions docs/guides/cert-manager/README.md
@@ -0,0 +1,35 @@
---
title: cert-manager | Voyager
menu:
product_voyager_10.0.0:
identifier: readme-cert-manager
name: Readme
parent: cert-manager-guides
weight: -1
product_name: voyager
menu_name: product_voyager_10.0.0
section_menu_id: guides
url: /products/voyager/10.0.0/guides/cert-manager/
aliases:
- /products/voyager/10.0.0/guides/cert-manager/README/
---

# Guides

Guides show you how to use jetstack/cert-manager to issue free TLS/SSL certificates from Let's Encrypt.

## Features
- Provision free TLS certificates (including wildcard certificates) from Let's Encrypt.
- Manage certificates declaratively using a Kubernetes Custom Resource Definition (CRD).
- Domain validation using ACME http-01 and dns-01 challenges.
- Support for many popular DNS providers.
- Auto Renew certificates.
- Use issued certificates with Ingress to secure communications.

## Next Steps
- [Issue Let's Encrypt certificate using HTTP-01 challenge](/docs/guides/cert-manager/http01_challenge/overview.md)
- DNS-01 challenge providers
- [Issue Let's Encrypt certificate using AWS Route53](/docs/guides/cert-manager/dns01_challenge/aws-route53.md)
- [Issue Let's Encrypt certificate using Azure DNS](/docs/guides/cert-manager/dns01_challenge/azure-dns.md)
- [Issue Let's Encrypt certificate using Google Cloud DNS](/docs/guides/cert-manager/dns01_challenge/google-cloud-dns.md)
- [Multiple Providers](/docs/guides/cert-manager/dns01_challenge/multiple-challenge-solver.md)
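Review bot: the Features list says `Provision free TLS certificates (including wildcard certificates)` and separately `Domain validation using ACME http-01 and dns-01 challenges`, but it does not say that wildcard names can only be validated with dns-01; Let's Encrypt will not issue a `*.example.com` certificate through http-01, so a reader who picks the HTTP-01 guide under Next Steps for a wildcard will fail. Suggest amending the first bullet to `Provision free TLS certificates (including wildcard certificates, which require the dns-01 challenge) from Let's Encrypt.`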
10 changes: 10 additions & 0 deletions docs/guides/cert-manager/_index.md
@@ -0,0 +1,10 @@
---
title: cert-manager
menu:
product_voyager_10.0.0:
identifier: cert-manager-guides
name: cert-manager
parent: guides
weight: 200
menu_name: product_voyager_10.0.0
---
11 changes: 11 additions & 0 deletions docs/guides/cert-manager/dns01_challenge/_index.md
@@ -0,0 +1,11 @@
---
title: DNS01 Challenge
description: DNS01 Challenge
menu:
product_voyager_10.0.0:
identifier: dns01-cert-manager
parent: cert-manager-guides
name: DNS01 Challenge
weight: 30
menu_name: product_voyager_10.0.0
---
208 changes: 208 additions & 0 deletions docs/guides/cert-manager/dns01_challenge/aws-route53.md
@@ -0,0 +1,208 @@
---
title: Issue Let's Encrypt certificate using Amazon Route53
description: Issue Let's Encrypt certificate using Amazon Route53 in Kubernetes
menu:
product_voyager_10.0.0:
identifier: amazon-route53-cert-manager
name: Google Cloud DNS
parent: dns01-cert-manager
weight: 15
product_name: voyager
menu_name: product_voyager_10.0.0
section_menu_id: guides
---
> New to Voyager? Please start [here](/docs/concepts/overview.md).
# Issue Let's Encrypt certificate using Amazon Route53

This tutorial shows how to issue free SSL certificate from Let's Encrypt via DNS challenge for domains using Amazon Route53.

This article has been tested with a GKE cluster.

```console
$ kubectl version --short
Client Version: v1.8.8
Server Version: v1.8.8-gke.0
```

## 1. Setup Issuer

Go to IAM page and create a user

![iam](/docs/images/cert-manager/route53/iam.png)

![add-user](/docs/images/cert-manager/route53/add-user.png)

![access-type](/docs/images/cert-manager/route53/access-type.png)

click on next and select `Attach existing policies directly` and click on `Create Policy`
This will take you to a new page
![create-policy](/docs/images/cert-manager/route53/create-policy.png)

Now click on `json` and paste this and click `Review Policy`

```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ChangeResourceRecordSets",
"Resource": "arn:aws:route53:::hostedzone/*"
},
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
}
]
}
```

Name the policy and click `Create policy`
![review-policy](/docs/images/cert-manager/route53/review-policy.png)

Now go back to previous add user page, hit the refresh button and attach this policy to this user:

![attach-policy](/docs/images/cert-manager/route53/attach-policy.png)

Click on next (tags are optional - you can ignore this) and finish the process.
Download the `.csv` file.

![success-user](/docs/images/cert-manager/route53/success-user.png)

Create a secret with the `Secret Access Key`
```
kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
```

Copy `Access key ID` from this same page and `hostedZoneID` from the following page:

![hosted-zone-id](/docs/images/cert-manager/route53/hosted-zone-id.png)

And put them in `issuer.yaml`

```
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging-dns
namespace: default
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: example@kite.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- dns01:
route53:
accessKeyID: KIR2WO5YWT
secretAccessKeySecretRef:
name: route53-secret
key: secret-access-key
hostedZoneID: J13B3AB
```

Then create this issuer by `kubectl apply -f issuer.yaml`


## 2. Create Ingress

We are going to use a nginx server as the backend. To deploy nginx server, run the following commands:
```
kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80
```

Now create Ingress:

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress-deploy-k8s-route53-dns
namespace: default
annotations:
kubernetes.io/ingress.class: voyager
certmanager.k8s.io/issuer: "letsencrypt-staging-dns"
certmanager.k8s.io/acme-challenge-type: dns01
spec:
tls:
- hosts:
- kiteci-route53-dns.appscode.me
secretName: kiteci-route53-dns-tls
rules:
- host: kiteci-route53-dns.appscode.me
http:
paths:
- backend:
serviceName: web
servicePort: 80
path: /
```

Then take the `EXTERNAL-IP` from the corresponding service and add a A-record in AWS Route53:

```
kubectl get svc
```

```console
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
voyager-test-ingress-deploy-k8s-route53-dns LoadBalancer 10.7.248.189 35.225.111.106 443:30713/TCP,80:31137/TCP 21m
```

![a-record](/docs/images/cert-manager/route53/a-record.png)


## 3. Create Certificate

Then create this `Certificate`

```
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: kiteci-route53-dns
namespace: default
spec:
secretName: kiteci-route53-dns-tls
issuerRef:
name: letsencrypt-staging-dns
dnsNames:
- kiteci-route53-dns.appscode.me
```

List the certificates and describe that certificate and wait until you see `Certificate issued successfully` when you describe the certificate.

```console
kubectl get certificates.certmanager.k8s.io --all-namespaces
```
```
default kiteci-route53-dns True kiteci-route53-dns-tls 1m
```

```
kubectl describe certificates.certmanager.k8s.io kiteci-route53-dns
```
```
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Generated 6s cert-manager Generated new private key
Normal GenerateSelfSigned 6s cert-manager Generated temporary self signed certificate
Normal OrderCreated 6s cert-manager Created Order resource "kiteci-route53-dns-290497833"
Normal OrderComplete 5s cert-manager Order "kiteci-route53-dns-290497833" completed successfully
Normal CertIssued 5s cert-manager Certificate issued successfully
```

Then visit `kiteci-route53-dns.appscode.me` from browser and check the certificate that it was issued from let's encrypt. (For let's encrypt staging environment, you will see that the certificate was issued by `Fake LE Intermediate X1`.)
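Review bot: the IAM policy in `## 1. Setup Issuer` allows `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, so the access key handed to cert-manager can rewrite records in every hosted zone in the account; the Issuer already pins one zone via `hostedZoneID`, so scope that statement to it, e.g. `"Resource": "arn:aws:route53:::hostedzone/J13B3AB"`, and tell the reader to substitute their own zone ID. Related: `kubectl create secret generic route53-secret --from-literal=secret-access-key="..."` leaves the secret access key in shell history; `--from-file=secret-access-key=<file>` (or reading it from the downloaded `.csv`) avoids that. Two smaller items: the front matter has `name: Google Cloud DNS` on the Amazon Route53 page (copied from the Cloud DNS guide; should read `Amazon Route53`), and the Ingress carries `certmanager.k8s.io/issuer: "letsencrypt-staging-dns"`, which makes ingress-shim create its own Certificate for `kiteci-route53-dns-tls`, while `## 3. Create Certificate` then creates a second Certificate for the same secret; either drop the annotation or drop the manual Certificate so one resource owns the secret.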
