TLS Certificates
Openware deployments support two main ways of issuing and loading TLS certificates: Let's Encrypt ACME (Automated Certificate Management Environment) and pre-provisioned certificates.
ACME
OPEX uses cert-manager to connect to the Let's Encrypt API and issue certificates. cert-manager uses CRDs (Custom Resource Definitions) so that every aspect of the issuing process can be managed using kubectl and the Kubernetes API.
All the troubleshooting documentation is gathered here
Pre-provisioned certificates
Existing certificates can be loaded into the cluster as Secrets, and Ingresses can be configured to use them instead of the ones generated by cert-manager.
The steps to use a pre-provisioned TLS certificate in an Ingress are:
1. Create a TLS Secret using the certificate files in the same namespace as the target Ingress
    apiVersion: v1
    kind: Secret
    metadata:
      name: testsecret-tls
      namespace: default
    data:
      tls.crt: base64 encoded cert
      tls.key: base64 encoded key
    type: kubernetes.io/tls
2. Configure the TLS section of the Ingress config
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: tls-example-ingress
    spec:
      tls:
      - hosts:
        - sslexample.foo.com
        secretName: testsecret-tls
      rules:
      - host: sslexample.foo.com
        http:
          paths:
          - path: /
            backend:
              serviceName: service1
              servicePort: 80
3. Enjoy secure connections to your services over TLS!
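One way to prepare the Secret from step 1, shown as an added example that is not Openware's own tooling: it checks that the private key belongs to the certificate and then renders the manifest with the PEM files base64-encoded on a single line. The function names and the file names fullchain.pem and privkey.pem are hypothetical, and openssl and base64 are assumed to be installed.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; requires openssl and base64.

# Succeeds only if the private key in $2 belongs to the certificate in $1.
# For a full-chain PEM, openssl x509 reads the first certificate (the leaf).
tls_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Base64 of the whole PEM file on a single line, as the Secret's data fields expect.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Print a kubernetes.io/tls Secret manifest on stdout.
# $1 = Secret name, $2 = namespace (same as the Ingress), $3 = cert PEM, $4 = key PEM
render_tls_secret() {
    if ! tls_pair_matches "$3" "$4"; then
        echo "error: $4 is not the private key for $3" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$3")
  tls.key: $(b64_oneline "$4")
EOF
}

# Usage (the manifest contains the private key, so pipe it rather than saving it):
#   render_tls_secret testsecret-tls default fullchain.pem privkey.pem | kubectl apply -f -
```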