The following instructions set up ingress certs with Let's Encrypt. You can either set up the certs before install or update an existing install with the new certs.
At the end of this setup, you and your users will be able to access the CF CLI and CF apps over HTTPS.
Prerequisites:

- Install the `certbot` CLI (`brew install certbot`). For other Linux distros, see the instructions on the certbot site [1].
- Access to your DNS provider, so you can create `A` and `TXT` records.

[1] On the certbot site, the web server and OS you pick are irrelevant. You will be generating the certs on your own machine, so choose the OS that matches yours.
The following instructions assume that the system domain is set up at `pm-k8s.dev.relint.rocks` and the apps domain is set up at `apps.pm-k8s.dev.relint.rocks`. Update the domains accordingly.
```bash
export SYS_DOMAIN=pm-k8s.dev.relint.rocks
certbot --server https://acme-v02.api.letsencrypt.org/directory -d "*.$SYS_DOMAIN" --manual \
  --preferred-challenges dns-01 certonly \
  --work-dir /tmp/certbot/wd --config-dir /tmp/certbot/cfg \
  --logs-dir /tmp/certbot/logs
```
Copy the `TXT` value printed by certbot and create a TXT record in your DNS provider.

```
# example of the TXT in your DNS
_acme-challenge.$SYS_DOMAIN. TXT kyfxzsAirB79lsk173jkdlamxiryqloy
```
Use the `dig` tool in a separate console to verify that the TXT record has propagated:

```bash
dig _acme-challenge.$SYS_DOMAIN TXT
```
Once the record resolves, continue in the certbot console; `certbot` will verify that you control the domain and create the necessary files.

Let's now create the apps domain certs.
```bash
export APPS_DOMAIN=apps.pm-k8s.dev.relint.rocks
certbot --server https://acme-v02.api.letsencrypt.org/directory -d "*.$APPS_DOMAIN" --manual \
  --preferred-challenges dns-01 certonly \
  --work-dir /tmp/certbot/wd --config-dir /tmp/certbot/cfg \
  --logs-dir /tmp/certbot/logs
```
Copy the `TXT` value printed by certbot and create a TXT record in your DNS provider.

```
# example of the TXT in your DNS
_acme-challenge.$APPS_DOMAIN. TXT kyfxzsAirB79lsk173jkdlamxiryqloy
```
The following instructions assume you have already created `cf-install-values.yml`. Copy the file contents into the variables exactly as they are (certbot's PEM files, including the `BEGIN`/`END` lines).
## Update system certificate values

Look up `system_certificate` in `cf-install-values.yml`. You need to configure the variables `crt`, `key` and `ca`. Follow the instructions below:

```yaml
system_certificate:
  crt: |
    <replace this with the contents of the file /tmp/certbot/cfg/live/$SYS_DOMAIN/fullchain.pem>
  key: |
    <replace this with the contents of the file /tmp/certbot/cfg/live/$SYS_DOMAIN/privkey.pem>
  ca: "" #! replace whatever old value with empty string
```
Your final output for `system_certificate` should look something like:

```yaml
system_certificate:
  crt: |
    -----EXAMPLE CERTIFICATE-----
    ...
  key: |
    -----EXAMPLE RSA PRIVATE KEY-----
    ...
  ca: ""
```
## Update apps certificate values

The `workloads_certificate` has the sub-keys `crt`, `key` and `ca` under it.

```yaml
workloads_certificate:
  crt: |
    <replace this with the contents of the file /tmp/certbot/cfg/live/$APPS_DOMAIN/fullchain.pem>
  key: |
    <replace this with the contents of the file /tmp/certbot/cfg/live/$APPS_DOMAIN/privkey.pem>
  ca: "" #! replace whatever old value with empty string
```
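Pasting two PEM files into a YAML block scalar by hand is where this step usually goes wrong (indentation off by a space, an intermediate dropped, or the private key landing in `crt`). As an added example, not part of this doc or of cf-for-k8s, the helper below sanity-checks certbot's `fullchain.pem` and `privkey.pem` and renders either the `system_certificate` or the `workloads_certificate` stanza with the indentation shown above; the PEM contents embedded here are constructed stand-ins, and the file paths are the ones this doc uses.

```python
import re
import sys
from pathlib import Path

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----")

# Constructed stand-ins for /tmp/certbot/cfg/live/$SYS_DOMAIN/{fullchain,privkey}.pem
SAMPLE_FULLCHAIN = ("-----BEGIN CERTIFICATE-----\nTUlJQg==\n-----END CERTIFICATE-----\n"
                    "-----BEGIN CERTIFICATE-----\nTUlJQw==\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nTUlJRQ==\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """Return the labels of the PEM blocks found in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_cert_material(crt, key):
    """Return a list of problems; empty means crt/key are safe to paste into the values file."""
    crt_labels, key_labels = pem_blocks(crt), pem_blocks(key)
    problems = []
    if "PRIVATE KEY" in crt:
        problems.append("a private key was pasted into crt; crt must hold only the public chain")
    elif not crt_labels or any(label != "CERTIFICATE" for label in crt_labels):
        problems.append("crt must contain only CERTIFICATE blocks (use fullchain.pem)")
    elif len(crt_labels) < 2:
        problems.append("crt has no intermediate: use fullchain.pem, not cert.pem")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append("key must contain exactly one PRIVATE KEY block (use privkey.pem)")
    return problems


def block_scalar(name, text, indent=2):
    """Render `name: |` with every line of text indented one level deeper."""
    pad = " " * indent
    return "\n".join([f"{pad}{name}: |"] + [pad * 2 + line for line in text.strip().splitlines()])


def render_cert_values(top_key, crt, key):
    """Render the stanza for top_key (system_certificate or workloads_certificate) with ca set to ""."""
    return "\n".join([f"{top_key}:", block_scalar("crt", crt), block_scalar("key", key), '  ca: ""']) + "\n"


if __name__ == "__main__":
    # usage: render_certs.py <system_certificate|workloads_certificate> fullchain.pem privkey.pem
    if len(sys.argv) == 4:
        top, crt, key = sys.argv[1], Path(sys.argv[2]).read_text(), Path(sys.argv[3]).read_text()
    else:
        top, crt, key = "system_certificate", SAMPLE_FULLCHAIN, SAMPLE_KEY
    for problem in check_cert_material(crt, key):
        sys.exit("refusing to render: " + problem)
    print(render_cert_values(top, crt, key), end="")
```

Redirect the output into the matching stanza of `cf-install-values.yml`, or diff it against what you pasted by hand.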
Follow the instructions in the deploy doc to generate the final deploy yml using `ytt`, and use `kapp` to deploy cf-for-k8s to your cluster.
Then target the CF API over HTTPS:

```bash
cf api https://api.$SYS_DOMAIN
```
Follow the instructions in the deploy doc to set up your org/spaces and `cf push` an app (if you haven't already).
Use `curl -vvv` to verify the cert, or check it in a browser:

```bash
curl -vvv https://$APP_NAME.$APPS_DOMAIN
# output should show `SSL certificate verify ok`
```