Create TLS Certificates
Introduction
In order to be accessible over HTTPS, each Ingress will need to be accompanied by a signed TLS certificate from a trusted Certificate Authority (CA). Certificates can be obtained manually from a CA, or automated with the use of cert-manager. If managing certificates manually, it is necessary to track the expiration date of the certificates, as well as to order and install the replacements. Certificates are generally valid for a year or less.
Manual Process
The process for ordering a certificate varies by CA. The process generally requires creating a Certificate Signing Request (CSR) that is sent to the CA. The CA will typically perform some form of validation to ensure you actually own the domain for which you are requesting a certificate, which may require action on your part. Once the certificate is approved, it will be issued in a text-based file, usually with the .crt extension.
If certificates are manually obtained, the certificate and its private key can be saved as a Kubernetes TLS Secret using the following command. Replace the values in all caps with your own values. A Secret of type tls stores the pair under the tls.crt and tls.key keys, which is the layout ingress controllers expect; a generic Secret holding only the certificate file cannot be used to terminate TLS.

```shell
kubectl create secret tls SECRET_NAME -n NAMESPACE --cert=CERTIFICATE.CRT --key=PRIVATE.KEY
```
After that, you can reference the certificate in an Ingress under .spec.tls[].secretName. Note that the tls key contains a list of items, as Ingresses can support multiple "hosts", so your certificate secret must be referenced in relation to hostnames actually listed in the certificate.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
...
spec:
  ...
  tls:
    - hosts:
        - app.pvcy.customer.com
      secretName: SECRET_NAME
```
Manage Certificates with cert-manager
We recommend using cert-manager, as it automates the management of certificates, from initial creation through subsequent renewals. The Privacy Dynamics Installer offers two options related to cert-manager. The first is to install the cert-manager Helm chart, which does not contain any CA-specific configurations. The second is to create a ClusterIssuer, which is where the CA is specified, as well as the automated validation methods (or "challenges"). It is possible to install cert-manager through our Installer and then configure your own ClusterIssuer or Issuer resource.
This guide covers manual setup of all aspects related to certificate management on a Privacy Dynamics cluster. It is intended as a point of reference from which customers can adapt according to their organization's needs. Strictly following this guide as written will result in the same cluster configuration as is available from the Privacy Dynamics Installer. If no variance is needed, we recommend using our corresponding options in the Installer.
Install the cert-manager Helm Chart
Add the repository to Helm on your local machine:

```shell
helm repo add jetstack https://charts.jetstack.io
```
Download and apply the CRDs. This is necessary because of the way the cert-manager Helm chart handles CRDs, which is not recommended for production environments. See the cert-manager documentation for details. The name of the TGZ file as referenced in the example below will change depending on the current version of the cert-manager chart when you run helm fetch.

```shell
helm fetch jetstack/cert-manager
tar -xvf cert-manager-v1.14.5.tgz
cd cert-manager/templates
kubectl apply -f crds.yaml
cd ../../
rm -rf cert-manager/
rm cert-manager-v1.14.5.tgz
```
Install the cert-manager Helm chart:

```shell
helm install --create-namespace cert-manager \
  jetstack/cert-manager \
  --namespace cert-manager \
  --values cert-manager-values.yaml
```
Configure the ClusterIssuer or Issuer
As noted in the cert-manager documentation, certificates are managed by ClusterIssuers or Issuers, which contain information about contacting a CA and performing validation challenges. We recommend using a configuration using an Automated Certificate Management Environment (ACME) with a DNS01 challenge.
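The following ClusterIssuer is an added example, not a resource from the original page or from the Privacy Dynamics Installer. It shows the recommended shape: an ACME account at Let's Encrypt with a DNS01 solver. The DNS provider (Route 53), the region, the zone pvcy.customer.com and the contact address are assumptions; the solver also assumes the cert-manager pod runs with an IAM role (for example via IRSA) that is permitted to make the Route 53 record changes described in the cert-manager documentation, so no static credentials are stored in the cluster.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production Let's Encrypt endpoint. Point this at the staging endpoint
    # (https://acme-staging-v02.api.letsencrypt.org/directory) while testing,
    # because production enforces rate limits on failed and repeated orders.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder address; the CA sends expiry and policy notices here
    email: platform-team@example.com
    # cert-manager generates the ACME account key and stores it in this Secret
    # in its own namespace. Treat it like any other key material.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      # DNS01: cert-manager proves control of a name by publishing a TXT record
      # at _acme-challenge.<host>. Nothing inbound needs to be exposed, which
      # also makes it the only challenge type that can issue wildcard names.
      - dns01:
          route53:
            region: us-east-1   # assumption
            # No accessKeyID / secretAccessKeySecretRef: assumes an IAM role
            # (e.g. IRSA) attached to the cert-manager service account
        # Only use this solver for names under zones you control; requests for
        # other names fail fast instead of leaking attempts to the wrong zone
        selector:
          dnsZones:
            - pvcy.customer.com   # assumption
```

A ClusterIssuer is cluster-scoped, so any namespace may reference it; if different teams must not be able to request certificates for each other's names, use namespaced Issuers with narrower dnsZones selectors instead.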
Refer to Issuer in an Ingress
Once an Issuer or ClusterIssuer is properly configured, an Ingress resource can utilize it to automatically create certificates by referring to it in an annotation, as in the examples below. See the cert-manager documentation for a complete list of possible annotations.
For an Issuer in the same namespace as the Ingress:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: "your-issuer"
  name: example-ingress
  namespace: example-namespace
spec:
  ...
```
For a ClusterIssuer:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "your-cluster-issuer"
  name: example-ingress
  namespace: example-namespace
spec:
  ...
```
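To tie the annotation together with the tls block from the manual section, here is a complete Ingress as an added example (not from the original page). With the annotation present, cert-manager's ingress-shim reads spec.tls[].hosts as the certificate's DNS names and spec.tls[].secretName as the Secret to write the issued certificate and key into; you create neither by hand. The ClusterIssuer name letsencrypt-prod, the ingress class nginx and the backend Service app are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: example-namespace
  annotations:
    # Which issuer signs the certificate; assumes a ClusterIssuer of this name
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx   # assumption: the cluster's ingress controller
  tls:
    - hosts:
        # Every host listed here becomes a DNS name on the certificate, so it
        # must fall within a zone the issuer's DNS01 solver is allowed to edit
        - app.pvcy.customer.com
      # cert-manager creates this Secret (type kubernetes.io/tls) and renews
      # its contents before expiry; the ingress controller only reads it
      secretName: app-pvcy-customer-com-tls
  rules:
    - host: app.pvcy.customer.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app   # assumption: the Service fronting the application
                port:
                  number: 80
```

After applying it, kubectl get certificate -n example-namespace shows the Certificate that ingress-shim generated; its READY column turns True once the DNS01 challenge has passed and the Secret has been populated.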