
TLS Certificates

Openware deployments support two main ways of issuing and loading TLS certificates: Let's Encrypt via ACME (Automated Certificate Management Environment), and pre-provisioned certificates obtained from another CA.

#ACME

OPEX uses cert-manager to talk to the Let's Encrypt API and issue certificates. cert-manager is driven through CRDs (Custom Resource Definitions), so every step of the issuance process (Issuer, Certificate, Order and Challenge objects) can be inspected and managed with kubectl and the Kubernetes API.

All the troubleshooting documentation is gathered here

#Pre-provisioned certificates

Existing certificates can be loaded into the cluster as Secrets of type `kubernetes.io/tls`, and Ingresses can be configured to use them instead of the ones generated by cert-manager.

The steps to use a pre-provisioned TLS certificate in an Ingress are:

  1. Create a TLS Secret from the certificate files in the same namespace as the target Ingress. Both values are base64-encoded PEM; `tls.crt` must contain the leaf certificate first, followed by any intermediates, and `tls.key` must be the matching unencrypted private key
    apiVersion: v1
    kind: Secret
    metadata:
      name: testsecret-tls
      namespace: default   # must be the namespace of the Ingress that references it
    type: kubernetes.io/tls
    data:
      # base64 of the PEM leaf certificate followed by its intermediates (root not needed)
      tls.crt: base64 encoded cert
      # base64 of the unencrypted PEM private key that belongs to the leaf
      tls.key: base64 encoded key
    
  2. Configure the TLS section of the Ingress. The host listed under `tls.hosts` must be covered by the certificate's Subject Alternative Names, otherwise clients will reject the connection. The `networking.k8s.io/v1beta1` Ingress with `serviceName`/`servicePort` was removed in Kubernetes 1.22; the `networking.k8s.io/v1` form below is what current clusters accept
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tls-example-ingress
      namespace: default
    spec:
      tls:
      - hosts:
        - sslexample.foo.com
        secretName: testsecret-tls   # the Secret created in step 1
      rules:
      - host: sslexample.foo.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80
    
  3. Enjoy secure connections to your services over TLS!
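The steps above assume the certificate files are already correct. In practice most failed TLS rollouts come from a key that does not belong to the certificate, a chain pasted with the CA first, a hostname missing from the SAN list, or a certificate about to expire. The script below is an added example, not Openware/OPEX code: it runs those pre-flight checks with `openssl` and then emits the Secret and Ingress manifests from the page, using the same names (`testsecret-tls`, `tls-example-ingress`, `sslexample.foo.com`, `service1`). It assumes `openssl` 1.1.1 or newer on `PATH`; `kubectl` is only needed for the final apply, which is shown as a comment. The self-signed certificate it generates is a constructed stand-in so the checks run offline; a real deployment points the functions at the CA-issued files instead.

```shell
#!/usr/bin/env bash
# Added example (not Openware/OPEX code): pre-flight checks for a pre-provisioned
# TLS certificate, then generation of the Secret and Ingress manifests.
# Assumes: openssl >= 1.1.1 on PATH. kubectl is only needed for the final apply.
set -euo pipefail

# Constructed test material: a throwaway self-signed cert/key for HOST so the
# checks can run offline. Real deployments skip this and use the CA-issued files.
make_demo_cert() {
  local dir=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" >/dev/null 2>&1
}

# The private key must belong to the leaf certificate: compare the public key
# embedded in the certificate with the one derived from the private key.
cert_matches_key() {
  local crt=$1 key=$2
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# openssl x509 reads only the FIRST certificate in the file, which is also what
# Kubernetes and ingress controllers treat as the leaf. A chain pasted with the
# CA first therefore fails this check, which is the behaviour we want.
cert_covers_host() {
  local crt=$1 host=$2 out
  out=$(openssl x509 -in "$crt" -noout -checkhost "$host")
  case $out in
    *" does match "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fail if the certificate expires within DAYS days (-checkend exits 1 then).
cert_not_expiring() {
  local crt=$1 days=$2
  openssl x509 -in "$crt" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Emit the kubernetes.io/tls Secret manifest with base64-encoded PEM, as in
# step 1 of the page. Equivalent kubectl shortcut (not run here):
#   kubectl -n NS create secret tls NAME --cert=tls.crt --key=tls.key --dry-run=client -o yaml
make_tls_secret() {
  local name=$1 ns=$2 crt=$3 key=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(openssl base64 -A -in "$crt")
  tls.key: $(openssl base64 -A -in "$key")
EOF
}

# Emit the networking.k8s.io/v1 Ingress from step 2, referencing the Secret.
make_ingress() {
  local name=$1 ns=$2 host=$3 secret=$4 svc=$5 port=$6
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  namespace: $ns
spec:
  tls:
  - hosts:
    - $host
    secretName: $secret
  rules:
  - host: $host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $svc
            port:
              number: $port
EOF
}

# Demo run on the constructed certificate, using the page's example names.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_host=sslexample.foo.com
make_demo_cert "$demo_dir" "$demo_host"
cert_matches_key "$demo_dir/tls.crt" "$demo_dir/tls.key" || { echo "key does not match cert" >&2; exit 1; }
cert_covers_host "$demo_dir/tls.crt" "$demo_host" || { echo "cert does not cover $demo_host" >&2; exit 1; }
cert_not_expiring "$demo_dir/tls.crt" 14 || { echo "cert expires within 14 days" >&2; exit 1; }
make_tls_secret testsecret-tls default "$demo_dir/tls.crt" "$demo_dir/tls.key"
echo '---'
make_ingress tls-example-ingress default "$demo_host" testsecret-tls service1 80
# Once the checks pass, pipe both manifests into: kubectl apply -f -
```

Run it as-is to see the two manifests printed for the throwaway certificate; for a real rollout, replace `make_demo_cert` with your CA-issued `tls.crt` and `tls.key`, and wire the check functions into whatever deploys the Secret so a mismatched key or missing SAN is caught before the Ingress starts serving.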