-
Notifications
You must be signed in to change notification settings - Fork 153
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
revert cert manager changes to be worked in a future pr
- Loading branch information
Showing
2 changed files
with
110 additions
and
87 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -41,92 +41,9 @@ helm release should look like: | |
| enabled: true | ||
| ... other parameters specific to the ingress type ... | ||
| ``` | ||
| ## cert-manager | ||
|
|
||
| You can install [cert-manager](https://cert-manager.io/) to issue and automatically manage certificates in Kubernetes and OpenShift clusters, and to request a `Certificate` in | ||
| the `flux-system` namespace. cert-manager is a CNCF project. | ||
|
|
||
| ### Install cert-manager | ||
|
|
||
| As cert-manager can be installed using a [Helm Chart](https://cert-manager.io/docs/installation/helm/), we can | ||
| simply create a `HelmRepository` and a `HelmRelease` to have Flux install everything. | ||
|
|
||
| Commit the following to a location being reconciled by Flux. | ||
|
|
||
| <details><summary>Expand to see manifest contents</summary> | ||
|
|
||
| ```yaml | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: cert-manager | ||
| --- | ||
| apiVersion: source.toolkit.fluxcd.io/v1beta1 | ||
| kind: HelmRepository | ||
| metadata: | ||
| name: cert-manager | ||
| namespace: cert-manager | ||
| spec: | ||
| interval: 1h | ||
| url: https://charts.jetstack.io | ||
| --- | ||
| apiVersion: helm.toolkit.fluxcd.io/v2beta1 | ||
| kind: HelmRelease | ||
| metadata: | ||
| name: cert-manager | ||
| namespace: cert-manager | ||
| spec: | ||
| interval: 5m | ||
| chart: | ||
| spec: | ||
| chart: cert-manager | ||
| version: 1.8.0 | ||
| sourceRef: | ||
| kind: HelmRepository | ||
| name: cert-manager | ||
| namespace: cert-manager | ||
| interval: 1m | ||
| values: | ||
| installCRDs: true | ||
| ``` | ||
| </details> | ||
| :::note cert-manager version | ||
| At time of writing, cert manager v1.8.0 was the latest available release and a newer version may exist, please | ||
| ensure to check <https://github.com/cert-manager/cert-manager/tags> for updates. | ||
| ::: | ||
| Now that `cert-manager` is running, we can create a `ClusterIssuer` to represent the certificate authority | ||
| from which we will obtain signed certificates, in this example we are using Let's Encrypt. After changing | ||
| the email address, commit this to the same location as above. | ||
|
|
||
| <details><summary>Expand to see manifest contents</summary> | ||
|
|
||
| ```yaml | ||
| --- | ||
| apiVersion: cert-manager.io/v1 | ||
| kind: ClusterIssuer | ||
| metadata: | ||
| name: letsencrypt-prod | ||
| spec: | ||
| acme: | ||
| # You must replace this email address with your own. | ||
| # Let's Encrypt will use this to contact you about expiring | ||
| # certificates, and issues related to your account. | ||
| email: [email protected] | ||
| server: https://acme-v02.api.letsencrypt.org/directory | ||
| privateKeySecretRef: | ||
| # Secret resource that will be used to store the account's private key. | ||
| name: letsencrypt-prod-account-key | ||
| solvers: | ||
| # Add a single challenge solver, HTTP01 using nginx | ||
| - http01: | ||
| ingress: | ||
| class: nginx | ||
| ``` | ||
|
|
||
| </details> | ||
| ## cert-manager | ||
|
|
||
| Once this `ClusterIssuer` resource is installed, the cluster is now configured to request and use certificates generated by cert-manager. | ||
| Install [cert-manager](../guides/cert-manager.md) and request a `Certificate` in | ||
| the `flux-system` namespace. Provide the name of secret associated with the | ||
| certificate to the weave-gitops-enterprise HelmRelease as described above. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| --- | ||
| title: Generating TLS certificates with cert-manager and Let's Encrypt | ||
| --- | ||
|
|
||
| This guide shows you how to add cert-manager to a cluster bootstrapped with Weave GitOps, and how | ||
| to configure the use of [Let's Encrypt](https://letsencrypt.org/) to issue TLS certificates. | ||
|
|
||
| ### Prerequisites | ||
|
|
||
| - A Kubernetes cluster such as [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/), running a | ||
| [Flux-supported version of Kubernetes](https://fluxcd.io/docs/installation/#prerequisites) | ||
| - Weave GitOps is [installed](../open-source/getting-started/install-OSS.mdx). | ||
|
|
||
| ## What Is cert-manager? | ||
|
|
||
| [cert-manager](https://cert-manager.io/), a CNCF project, provides a way to automatically manage certificates | ||
| in Kubernetes and OpenShift clusters. "It will obtain certificates from a variety of Issuers, both popular public | ||
| Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to | ||
| renew certificates at a configured time before expiry." | ||
|
|
||
| ## Install cert-manager | ||
|
|
||
| As cert-manager can be installed using a [Helm Chart](https://cert-manager.io/docs/installation/helm/), we can | ||
| simply create a `HelmRepository` and a `HelmRelease` to have Flux install everything. | ||
|
|
||
| Commit the following to a location being reconciled by Flux. | ||
|
|
||
| <details><summary>Expand to see manifest contents</summary> | ||
|
|
||
| ```yaml | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: cert-manager | ||
| --- | ||
| apiVersion: source.toolkit.fluxcd.io/v1beta1 | ||
| kind: HelmRepository | ||
| metadata: | ||
| name: cert-manager | ||
| namespace: cert-manager | ||
| spec: | ||
| interval: 1h | ||
| url: https://charts.jetstack.io | ||
| --- | ||
| apiVersion: helm.toolkit.fluxcd.io/v2beta1 | ||
| kind: HelmRelease | ||
| metadata: | ||
| name: cert-manager | ||
| namespace: cert-manager | ||
| spec: | ||
| interval: 5m | ||
| chart: | ||
| spec: | ||
| chart: cert-manager | ||
| version: 1.8.0 | ||
| sourceRef: | ||
| kind: HelmRepository | ||
| name: cert-manager | ||
| namespace: cert-manager | ||
| interval: 1m | ||
| values: | ||
| installCRDs: true | ||
| ``` | ||
| </details> | ||
| :::note cert-manager version | ||
| At time of writing, cert manager v1.8.0 was the latest available release and a newer version may exist, please | ||
| ensure to check <https://github.com/cert-manager/cert-manager/tags> for updates. | ||
| ::: | ||
| Now that `cert-manager` is running, we can create a `ClusterIssuer` to represent the certificate authority | ||
| from which we will obtain signed certificates, in this example we are using Let's Encrypt. After changing | ||
| the email address, commit this to the same location as above. | ||
|
|
||
| <details><summary>Expand to see manifest contents</summary> | ||
|
|
||
| ```yaml | ||
| --- | ||
| apiVersion: cert-manager.io/v1 | ||
| kind: ClusterIssuer | ||
| metadata: | ||
| name: letsencrypt-prod | ||
| spec: | ||
| acme: | ||
| # You must replace this email address with your own. | ||
| # Let's Encrypt will use this to contact you about expiring | ||
| # certificates, and issues related to your account. | ||
| email: [email protected] | ||
| server: https://acme-v02.api.letsencrypt.org/directory | ||
| privateKeySecretRef: | ||
| # Secret resource that will be used to store the account's private key. | ||
| name: letsencrypt-prod-account-key | ||
| solvers: | ||
| # Add a single challenge solver, HTTP01 using nginx | ||
| - http01: | ||
| ingress: | ||
| class: nginx | ||
| ``` | ||
|
|
||
| </details> | ||
|
|
||
| Once this `ClusterIssuer` resource is installed, the cluster is now configured to request and use certificates generated by cert-manager. | ||
|
|
||
| This could be manually requested through the creation of a [Certificate resource](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) or configured to be automatic, as shown in our [Configuring OIDC with Dex and GitHub](./setting-up-dex.md) guide. |