
Configuring cert-manager

gpfrancis edited this page Feb 2, 2024 · 10 revisions

cert-manager automates the process of creating and renewing TLS certificates. The Phalanx documentation for configuring cert-manager is here. For our configuration one minor change is required, since we use AWS Route 53 to host only the tls subdomains and not lsst.ac.uk itself.

Configuration checklist

We'll assume that the RSP being deployed is going to be hosted at myrsp.lsst.ac.uk; replace "myrsp" throughout the following with the correct name.

DNS configuration

  1. Create a new hosted zone named tls.myrsp.lsst.ac.uk in Route 53. Make a note of its zone ID.
  2. Add an NS glue record for tls.myrsp.lsst.ac.uk to the lsst.ac.uk zone in DDI. (This is slightly different from the Phalanx documentation.)

[Screenshot: editing an NS record in DDI]

Example of an NS record in DDI (take the value to use for the DNS server from the NS records in the Route 53 zone).

  3. In DDI, create a CNAME from _acme-challenge.myrsp.lsst.ac.uk to _acme-challenge.tls.myrsp.lsst.ac.uk.
  4. Create a new IAM user and attach an inline IAM policy as per the Phalanx documentation.
  5. Create an access key for that user. Make a note of the access key and secret key pair.
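Before moving on to the values files it is worth confirming that the delegation above actually resolves the way cert-manager's DNS-01 solver expects. The following check is an added example, not part of this wiki or of Phalanx; it assumes `dig` is on the PATH for live use and that you pass the NS names listed in the Route 53 hosted zone.

```python
"""Check the DNS-01 delegation for an RSP at <rsp>.lsst.ac.uk (added example).

Two things must hold for the ACME DNS-01 challenge to succeed:
  1. the parent zone (lsst.ac.uk, managed in DDI) delegates tls.<rsp>.lsst.ac.uk
     to exactly the name servers Route 53 lists for the hosted zone, and
  2. _acme-challenge.<rsp>.lsst.ac.uk is a CNAME to _acme-challenge.tls.<rsp>.lsst.ac.uk.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# A resolver is any callable (name, record type) -> sorted values without trailing dots.
Resolver = Callable[[str, str], List[str]]


def dig_resolver(name: str, rtype: str) -> List[str]:
    """Live lookup via the dig CLI (used only when the script is run for real)."""
    proc = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True, check=False)
    return sorted(v.rstrip(".").lower() for v in proc.stdout.split())


def table_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Resolver backed by a constructed answer table, so the check can run offline."""
    return lambda name, rtype: sorted(v.rstrip(".").lower() for v in table.get((name.lower(), rtype), []))


def check_delegation(rsp: str, route53_ns: List[str], resolve: Resolver) -> Dict[str, Tuple[bool, str]]:
    """Return {check: (passed, detail)} for an RSP hosted at <rsp>.lsst.ac.uk."""
    base = f"{rsp}.lsst.ac.uk"
    tls_zone = f"tls.{base}"
    expected_ns = sorted(n.rstrip(".").lower() for n in route53_ns)
    seen_ns = resolve(tls_zone, "NS")
    # The NS glue record in DDI must match the Route 53 zone's NS set exactly;
    # a mismatch usually means the record was copied from the wrong zone.
    ns_ok = seen_ns == expected_ns
    want_cname = f"_acme-challenge.{tls_zone}"
    cname = resolve(f"_acme-challenge.{base}", "CNAME")
    cname_ok = cname == [want_cname]
    return {
        "ns_glue": (ns_ok, f"{tls_zone} NS seen {seen_ns}, Route 53 has {expected_ns}"),
        "acme_cname": (cname_ok, f"_acme-challenge.{base} -> {cname}, expected {want_cname}"),
    }


def all_ok(results: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # usage: python check_dns01.py myrsp ns-1.example.net ns-2.example.org ...
    res = check_delegation(sys.argv[1], sys.argv[2:], dig_resolver)
    for check, (ok, detail) in res.items():
        print(f"{'PASS' if ok else 'FAIL'} {check}: {detail}")
    sys.exit(0 if all_ok(res) else 1)
```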

Values files

  1. In environments/values-myrsp.yaml, applications.cert-manager and applications.squareone must be set to true.
  2. applications/cert-manager/values-myrsp.yaml should look something like this:

```yaml
config:
  email: "[email protected]"
  route53:
    awsAccessKeyId: "ABHBP3AEHBF42TWOTL8"
    hostedZone: "Z0567328105IEHEMIXLCO"
```

  3. In applications/ingress-nginx/values-myrsp.yaml, set vaultCertificate.enabled to false (the default).
  4. In applications/squareone/values-myrsp.yaml, set ingress.tls to true (the default).

Secrets

  1. When generating secrets, create an aws-credentials.ini that looks like this:

```
{
  data:
    aws-access-key-id: "ABHBP3AEHBF42TWOTL8"
    aws-secret-access-key: "5efa186a1aa0ed7424ea3d500134436d135a5954"
}
```

This should create a secret in vault under secret/k8s_operator/myrsp/cert-manager with the key aws-secret-access-key.

From this point on proceed with the Phalanx deployment as normal.