Configuring cert-manager
gpfrancis edited this page Feb 2, 2024 · 10 revisions
cert-manager automates the process of creating and renewing TLS certificates. The Phalanx documentation for configuring cert-manager is here. Our configuration needs one minor change from that documentation, because we use AWS Route 53 to host only the `tls` subdomains and not `lsst.ac.uk` itself.

We'll assume that the RSP being deployed is going to be hosted at `myrsp.lsst.ac.uk`; replace "myrsp" in the following with whatever the correct name is.
- Create a new hosted zone named `tls.myrsp.lsst.ac.uk` in Route 53. Make a note of its zone ID.
- Add an NS glue record for `tls.myrsp.lsst.ac.uk` to the `lsst.ac.uk` zone in DDI. (This is slightly different from the Phalanx documentation.)
  Example of an NS record in DDI (get the value to use for the DNS server from the NS records in the Route 53 zone).
- In DDI, create a CNAME from `_acme-challenge.myrsp.lsst.ac.uk` to `_acme-challenge.tls.myrsp.lsst.ac.uk`.
- Create a new IAM user and attach an inline IAM policy as per the Phalanx documentation.
- Create an access key for that user. Make a note of the access key and secret key pair.
- In `environments/values-myrsp.yaml`, `applications.cert-manager` and `applications.squareone` must be set to `true`.
- `applications/cert-manager/values-myrsp.yaml` should look something like this:

  ```yaml
  config:
    email: "[email protected]"
    route53:
      awsAccessKeyId: "ABHBP3AEHBF42TWOTL8"
      hostedZone: "Z0567328105IEHEMIXLCO"
  ```

- In `applications/ingress-nginx/values-myrsp.yaml`, set `vaultCertificate.enabled` to `false` (the default).
- In `applications/squareone/values-myrsp.yaml`, set `ingress.tls` to `true` (the default).
- When generating secrets, create an `aws-credentials.ini` that looks like this:

  ```yaml
  data:
    aws-access-key-id: "ABHBP3AEHBF42TWOTL8"
    aws-secret-access-key: "5efa186a1aa0ed7424ea3d500134436d135a5954"
  ```

  This should create a secret in Vault under `secret/k8s_operator/myrsp/cert-manager` with the key `aws-secret-access-key`.
From this point on proceed with the Phalanx deployment as normal.
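Before handing the deployment over to cert-manager it is worth confirming that the DNS side of the steps above (the `tls.<rsp>` delegation to Route 53 and the `_acme-challenge` CNAME into it) actually resolves the way the DNS-01 solver expects. The following preflight check is an added example, not part of this wiki page or of Phalanx; it assumes a local `dig` binary for live queries, and the Route 53 nameserver naming heuristic (`awsdns` in the hostname) is an assumption about how Route 53 names its servers.

```python
"""Preflight check for the cert-manager DNS-01 delegation described above.

For an RSP host such as myrsp.lsst.ac.uk it checks that:
  1. tls.<rsp> is delegated (NS records exist) and every nameserver looks like
     a Route 53 server (Route 53 names them ns-NNN.awsdns-NN.<tld>; assumption);
  2. _acme-challenge.<rsp> is a CNAME to _acme-challenge.tls.<rsp>, so the
     challenge TXT record cert-manager writes is looked up in the Route 53 zone.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# (name, rrtype) -> record values, lower-cased, without trailing dots
Lookup = Callable[[str, str], List[str]]


def dig_lookup(name: str, rrtype: str) -> List[str]:
    """Resolve with the system 'dig' binary (assumed to be installed)."""
    out = subprocess.run(["dig", "+short", rrtype, name],
                         capture_output=True, text=True, check=False).stdout
    return sorted(line.strip().rstrip(".").lower()
                  for line in out.splitlines() if line.strip())


def dict_lookup(records: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Build an offline lookup from a constructed record table (for testing)."""
    return lambda name, rrtype: sorted(records.get((name.lower(), rrtype.upper()), []))


def check_delegation(rsp: str, lookup: Lookup = dig_lookup) -> List[str]:
    """Return the problems found; an empty list means the delegation looks right."""
    problems: List[str] = []
    tls_zone = f"tls.{rsp}"
    nameservers = lookup(tls_zone, "NS")
    if not nameservers:
        problems.append(f"{tls_zone}: no NS records; add the glue record in DDI")
    for ns in nameservers:
        if "awsdns" not in ns:
            problems.append(f"{tls_zone}: nameserver {ns} is not a Route 53 server")
    challenge = f"_acme-challenge.{rsp}"
    expected = f"_acme-challenge.{tls_zone}"
    target = lookup(challenge, "CNAME")
    if target != [expected]:
        problems.append(f"{challenge}: expected CNAME to {expected}, got {target or 'nothing'}")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "myrsp.lsst.ac.uk"
    found = check_delegation(host)
    print("\n".join(found) if found else f"DNS delegation for {host} looks correct")
    sys.exit(1 if found else 0)
```

Run it as `python check_delegation.py myrsp.lsst.ac.uk` after the DDI and Route 53 changes have propagated; a non-zero exit lists what still needs fixing.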