I want to use an automatically-generated certificate with ACME and require basic configuration*
When you enable ACME, by default DKP generates an ACME-supported certificate with an HTTP01 solver. The cert-manager automatically issues a trusted certificate for the configured custom domain, and takes care of renewing the certificate before expiration.
Open the Kommander Installer Configuration File or <kommander.yaml> file:
If you do not have the <kommander.yaml> file, initialize the configuration file, so you can edit it in the following steps. WARNING: Initialize this file only ONE time, otherwise you will overwrite previous customizations.
If you have initialized the configuration file already, open the <kommander.yaml> with the editor of your choice.
In that file, configure the custom domain for your cluster:
Enable ACME by adding the acme value, the issuer's server and your e-mail. If you don’t provide a server, DKP sets up Let's Encrypt as your certificate provider:
*basic configuration: ACME server without EAB (External Account Bindings) and HTTP solver
I want to use an automatically-generated certificate with ACME and require advanced configuration (e.g. EAB, DNS solver, etc.)
If you require additional configuration options like DNS solver, EAB, among others, create a ClusterIssuer with the required configurations before you run the installation of Kommander. The cert-manager automatically issues a trusted certificate for the configured custom domain, and takes care of renewing the certificate before expiration.
Create a ClusterIssuer and store it in the target cluster. It must be called kommander-acme-issuer:
If you require an HTTP solver, adapt the following example with the properties required for your certificate and execute the command:
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kommander-acme-issuer # This part is important
spec:
  acme:
    email: <your_email>
    server: <https://acme.server.example>
    # Insecure: with this set to true, the ACME server's TLS certificate is not validated
    skipTLSVerify: true
    privateKeySecretRef:
      name: kommander-acme-issuer-account # Set this to <name>-account
    solvers:
      - http01:
          ingress:
            ingressTemplate:
              metadata:
                annotations:
                  kubernetes.io/ingress.class: kommander-traefik
                  "traefik.ingress.kubernetes.io/router.priority": "2147483647"
EOF
The values kommander-acme-issuer, kommander-acme-issuer-account and "traefik.ingress.kubernetes.io/router.priority": "2147483647" are not placeholders and MUST be filled out exactly as in the example. In on-premise environments, replace the annotation in the previous example with traefik.ingress.kubernetes.io/router.tls: "true".
If you require a DNS solver, adapt the following example with the properties required for your certificate and execute the command:
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kommander-acme-issuer # This part is important
spec:
  acme:
    email: <your_email>
    server: <https://acme.server.example>
    privateKeySecretRef:
      name: kommander-acme-issuer-account # Set this to <name>-account
    solvers:
      - dns01:
          route53:
            region: us-east-1
            role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager
EOF
The values kommander-acme-issuer, kommander-acme-issuer-account are not placeholders and MUST be filled out exactly as in the example.
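The two notes above fix the issuer name, the account secret name and, for HTTP01, the Traefik router annotation. The following check is an added example, not part of the D2iQ documentation: it lints a manifest for those values before `kubectl apply` and warns on `skipTLSVerify: true`. The function name `lint_issuer`, its exit codes and the sample values are assumptions.

```shell
# Added example: line-based pre-apply lint; assumes this page's manifest layout.
# Returns 0 = clean, 1 = a fixed value is wrong, 2 = skipTLSVerify warning only.
lint_issuer() {
    f=$1; rc=0
    # metadata.name is the first "name:" key in this layout.
    name=$(awk '$1 == "name:" { print $2; exit }' "$f")
    [ "$name" = "kommander-acme-issuer" ] || { echo "ERROR: metadata.name is '$name'"; rc=1; }
    # privateKeySecretRef.name is the first "name:" key after privateKeySecretRef:.
    acct=$(awk 's && $1 == "name:" { print $2; exit } /privateKeySecretRef:/ { s = 1 }' "$f")
    [ "$acct" = "kommander-acme-issuer-account" ] ||
        { echo "ERROR: privateKeySecretRef.name is '$acct'"; rc=1; }
    # http01 needs the router.priority annotation (router.tls on-premise).
    if grep -q '^ *- http01:' "$f"; then
        grep -Eq 'router\.priority"?: *"2147483647"' "$f" ||
        grep -Eq 'router\.tls"?: *"true"' "$f" ||
            { echo "ERROR: http01 solver lacks the Traefik router annotation"; rc=1; }
    fi
    # skipTLSVerify: true disables validation of the ACME server certificate.
    if grep -Eq '^ *skipTLSVerify: *true' "$f"; then
        echo "WARN: skipTLSVerify is true; ACME server certificate is not validated"
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return "$rc"
}

# Constructed sample: the HTTP01 manifest with placeholder values filled in.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kommander-acme-issuer
spec:
  acme:
    email: admin@example.com
    server: https://acme.server.example
    skipTLSVerify: true
    privateKeySecretRef:
      name: kommander-acme-issuer-account
    solvers:
      - http01:
          ingress:
            ingressTemplate:
              metadata:
                annotations:
                  kubernetes.io/ingress.class: kommander-traefik
                  "traefik.ingress.kubernetes.io/router.priority": "2147483647"
EOF
lint_issuer "$SAMPLE" || echo "lint status: $?"
```

Run it against the manifest file you intend to pipe into `kubectl apply`; a status of 2 means the fixed values are correct but TLS verification of the ACME server is switched off.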
Optional: Create a DNS record, by setting up the external-dns service. This way, the external-dns will take care of pointing the DNS record to the ingress of the cluster automatically. You can also create a DNS record manually, that maps your domain name or IP address to the cluster ingress. If you choose to create a DNS record manually, finish installing the Kommander component, and then manually create a DNS record that points to the load balancer address.
Open the Kommander Installer Configuration File or kommander.yaml file:
If you do not have the kommander.yaml file, initialize the configuration file, so you can edit it in the following steps. WARNING: Initialize this file only ONCE, otherwise you will overwrite previous customizations.
If you have initialized the configuration file already, open the kommander.yaml with the editor of your choice.
In that file, configure the cluster to use your custom domain:
D2iQ supports the use of a manually-created certificate. In this case, there is no certificate controller that handles the renewal and update of your certificate automatically, so you will have to take care of these tasks manually.
Prerequisites:
Obtain the PEM files of your certificate and store them in the target cluster’s namespace:
Certificate
Certificate’s private key
CA bundle (containing the root and intermediate certificates)
Configure the manually-generated certificate
Open the Kommander Installer Configuration File or <kommander.yaml> file:
If you do not have the <kommander.yaml> file, initialize the configuration file, so you can edit it in the following steps. WARNING: Initialize this file only ONCE, otherwise you will overwrite previous customizations.
If you have initialized the configuration file already, open the <kommander.yaml> with the editor of your choice.
In the Kommander Installer Configuration file, provide your custom domain and the paths to the PEM files of your certificate:
You can also configure a certificate issued by another Certificate Authority. In this case, the CA will determine which information to include in the configuration.