TLS Certificates

Openware deployments support two main ways of issuing and loading TLS certificates: Let's Encrypt ACME (Automated Certificate Management Environment) and pre-provisioned certificates.

ACME

OPEX uses cert-manager to connect to the Let's Encrypt API and issue certificates. cert-manager uses CRDs (Custom Resource Definitions), so every aspect of the issuing process can be managed using kubectl and the Kubernetes API.

All the troubleshooting documentation is gathered here

Pre-provisioned certificates

Existing certificates can be loaded into the cluster as Secrets, and Ingresses can be configured to use them instead of the ones generated by cert-manager.

The steps to use a pre-provisioned TLS certificate in an Ingress are:

1. Create a TLS Secret using the certificate files in the same namespace as the target Ingress

    apiVersion: v1
    kind: Secret
    metadata:
      name: testsecret-tls
      namespace: default
    data:
      tls.crt: base64 encoded cert
      tls.key: base64 encoded key
    type: kubernetes.io/tls

2. Configure the TLS section of the Ingress config

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: tls-example-ingress
    spec:
      tls:
      - hosts:
        - sslexample.foo.com
        secretName: testsecret-tls
      rules:
      - host: sslexample.foo.com
        http:
          paths:
          - path: /
            backend:
              serviceName: service1
              servicePort: 80

3. Enjoy secure connections to your services over TLS!
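One way to produce the Secret from step 1 while catching common loading mistakes (swapped files, a key bundled into the certificate file, a passphrase-protected key) is sketched below. It is an added example, not part of the Openware tooling: `build_tls_secret`, `pem_blocks`, `sample_pem` and the sample PEM data are hypothetical and constructed for illustration. It checks PEM framing only and does not verify that the key matches the certificate.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, decoded_bytes)] per PEM block; bad base64 raises ValueError."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def build_tls_secret(name, namespace, cert_pem, key_pem):
    """Validate PEM framing, then return a kubernetes.io/tls Secret as a dict."""
    # An ingress controller cannot prompt for a passphrase, so reject encrypted keys.
    if "BEGIN ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem:
        raise ValueError("tls.key is passphrase-protected; load it unencrypted")
    certs, keys = pem_blocks(cert_pem), pem_blocks(key_pem)
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("tls.crt must hold only CERTIFICATE blocks, leaf first")
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("tls.key must hold exactly one PRIVATE KEY block")

    def b64(s):
        # The data fields carry base64 of the whole PEM file, headers included.
        return base64.b64encode(s.encode("ascii")).decode("ascii")

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }

def sample_pem(label, payload):
    """Constructed placeholder: PEM framing around arbitrary bytes, not real key material."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample input: a leaf plus one intermediate, and a single key.
SAMPLE_CERT = (sample_pem("CERTIFICATE", b"constructed leaf")
               + sample_pem("CERTIFICATE", b"constructed intermediate"))
SAMPLE_KEY = sample_pem("PRIVATE KEY", b"constructed key")

if __name__ == "__main__":
    secret = build_tls_secret("testsecret-tls", "default", SAMPLE_CERT, SAMPLE_KEY)
    print(json.dumps(secret, indent=2))  # kubectl apply -f accepts JSON manifests
```

With real files, read the PEM text from disk and pass it in place of the samples; the resulting manifest contains the private key and should be handled like the key itself.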