The following instructions will setup ingress certs with Lets Encrypt. You have the option of setting up certs before install or update an existing install with the new certs.
At the end of this setup, you and your users will be able to access CF CLI and CF APPs over HTTPS.
certbot cli
brew install certbot. For other linux distros, see instructions on certbot site [1].A and TXT records.[1] On certbot site, the web server and os is irrelevant. You will be generating the certs on your machine, so choose the os that matches your os.
The following instructions assume that the system domain is setup at pm-k8s.dev.relint.rocks and the apps domain is setup at apps.pm-k8s.dev.relint.rocks. You can update the domains accordingly.
export SYS_DOMAIN=pm-k8s.dev.relint.rocks
certbot --server https://acme-v02.api.letsencrypt.org/directory -d "*.$SYS_DOMAIN" --manual \
--preferred-challenges dns-01 certonly \
--work-dir /tmp/certbot/wd --config-dir /tmp/certbot/cfg \
--logs-dir /tmp/certbot/logs
TXTvalue printed by certbot and create a TXT record in your DNS provider.# example of the TXT in your DNS
_acme-challenge.SYS_DOMAIN. TXT kyfxzsAirB79lsk173jkdlamxiryqloy
dig tool in a separate console to verify the TXT is updateddig _acme-challenge.$SYS_DOMAIN TXT
certbot will verify that you own the server and create the necessary files.Let’s now create apps domain certs
export APPS_DOMAIN=apps.pm-k8s.dev.relint.rocks
certbot --server https://acme-v02.api.letsencrypt.org/directory -d "*.$APPS_DOMAIN" --manual \
--preferred-challenges dns-01 certonly \
--work-dir /tmp/certbot/wd --config-dir /tmp/certbot/cfg \
--logs-dir /tmp/certbot/logs
TXTvalue printed by certbot and create a TXT record in your DNS provider.# example of the TXT in your DNS
_acme-challenge.$APPS_DOMAIN. TXT kyfxzsAirB79lsk173jkdlamxiryqloy
The following instructions assume you have created cf-install-values.yml. Please ensure to copy the file contents into the variables as is.
Update system certificate values
Lookup system_certificate in cf-install-values.yml. You should config variables crt, key and ca. Follow the instructions below,
system_certificate:
crt: |
<replace this with the contents of the file /tmp/certbot/cfg/live/$SYS_DOMAIN/fullchain.pem>
key: |
<replace this with the contents of the file /tmp/certbot/cfg/live/$SYS_DOMAIN/privkey.pem>
ca: "" #! replace whatever old value with empty string
Your final output for system_certificate should look something like
system_certificate:
crt: |
-----EXAMPLE CERTIFICATE-----
...
key: |
-----EXAMPLE RSA PRIVATE KEY-----
...
ca: ""
Update apps certificate values
The workloads_certificate has sub-keys crt, key, ca under it.
workloads_certificate:
crt: |
<replace this with the contents of the file /tmp/certbot/cfg/live/$APPS_DOMAIN/fullchain.pem>
key: |
<replace this with the contents of the file /tmp/certbot/cfg/live/$APPS_DOMAIN/privkey.pem>
ca: "" #! replace whatever old value with empty string
Follow the instructions from deploy doc to generate the final deploy yml using ytt and kapp to deploy cf-for-k8s to your cluster.
cf api https://api.$SYS_DOMAIN
Follow instructions in deploy doc to setup your org/spaces and cf push an app (if you haven’t already).
curl -vvv or verify the cert in a browsercurl -vvv https://$APP_NAME.$APPS_DOMAIN
# output should show `SSL certificate verify ok`