Cert-manager Integration with Let's Encrypt

TODO - these pages need to be revisited and updated after TLS and Organizations updates.

If you decide to use automatically managed TLS certificates, you can install cert-manager and configure it according to your requirements. Follow the cert-manager documentation for details specific to your environment. In this example, we show how to get a free TLS certificate from the non-profit Let's Encrypt Certificate Authority.

  1. Add a CAA record to your DNS domain:

company.com. CAA 0 issue "letsencrypt.org"

  2. Create a namespace and install cert-manager. Please make sure you're using Helm version 3.3.1 to avoid a bug with deeply nested CRDs.

$ helm repo add jetstack https://charts.jetstack.io
$ helm --namespace cert-manager install cert-manager \
    jetstack/cert-manager --set installCRDs=true \
    --create-namespace

  3. Configure a ClusterIssuer. Prepare the configuration of an ACME issuer pointing to the Let's Encrypt API in the file issuer-letsencrypt-production.yaml. Don't forget to set the email value to a valid e-mail address.

# File issuer-letsencrypt-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ENTER-YOUR-EMAIL-HERE
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx

Apply the configuration using the following command:

$ kubectl -n cert-manager apply -f issuer-letsencrypt-production.yaml

  4. In the upcoming steps, pay attention to the following configuration options of the GoodData.CN Helm Chart, as they are closely related to the use of cert-manager:
  • dex.ingress.authHost
  • dex.ingress.annotations
  • dex.ingress.tls.authSecretName
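As an added example (not part of this page or of the GoodData.CN project), a POSIX shell pre-flight script for steps 1 to 3 above: it checks that the zone's CAA policy admits Let's Encrypt, lints the issuer manifest before it is applied, and confirms the ClusterIssuer has become Ready afterwards. The zone company.com, the manifest file name and the issuer name are taken from the steps above; the function names are assumed.

```shell
#!/bin/sh
# Pre-flight checks for the Let's Encrypt ClusterIssuer setup above.
# Added example, not part of the original page. Parsing is separated from
# the dig/kubectl calls so each check can also run on captured output.

# Does the zone's CAA policy permit Let's Encrypt to issue?
# stdin: `dig +short CAA <zone>` output, e.g.:  0 issue "letsencrypt.org"
# Exit 0 if no CAA records exist (any CA may issue) or an issue/issuewild
# record names letsencrypt.org; exit 1 otherwise, e.g. for `0 issue ";"`
# (issuance forbidden) or records that name only another CA.
# If the zone has no CAA records, the closest parent zone's records apply,
# so check those too.
caa_allows_letsencrypt() {
  awk '
    $2 == "issue" || $2 == "issuewild" {
      seen = 1
      if ($3 ~ /^"letsencrypt\.org"$/) ok = 1
    }
    END { exit ((!seen || ok) ? 0 : 1) }
  '
}

# Lint issuer-letsencrypt-production.yaml before applying it: the e-mail
# placeholder must be replaced with a real address and the server must be
# the production directory; the staging directory issues certificates
# that browsers do not trust.
issuer_manifest_ok() {
  f="$1"
  ! grep -q 'ENTER-YOUR-EMAIL-HERE' "$f" \
    || { echo "$f: email placeholder not replaced" >&2; return 1; }
  grep -qE 'email: [^@[:space:]]+@[^@[:space:]]+' "$f" \
    || { echo "$f: email is not an address" >&2; return 1; }
  grep -q 'server: https://acme-v02.api.letsencrypt.org/directory' "$f" \
    || { echo "$f: server is not the production ACME directory" >&2; return 1; }
}

# After `kubectl apply`, cert-manager registers the ACME account; the
# ClusterIssuer's Ready condition turns True once that succeeds, and
# Certificates referencing the issuer are not processed before then.
issuer_ready() {
  kubectl get clusterissuer "$1" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null \
    | grep -qx True
}

# Example run against the page's setup (needs dig and kubectl):
#   dig +short CAA company.com | caa_allows_letsencrypt \
#     && issuer_manifest_ok issuer-letsencrypt-production.yaml \
#     && kubectl -n cert-manager apply -f issuer-letsencrypt-production.yaml \
#     && issuer_ready letsencrypt-production
```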