Skip to content

validatedpatterns/letsencrypt-chart

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.github
.github
 
 
templates
templates
 
 
tests
tests
 
 
.helmignore
.helmignore
 
 
Chart.yaml
Chart.yaml
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
README.md.gotmpl
README.md.gotmpl
 
 
values.yaml
values.yaml
 
 

Repository files navigation

letsencrypt

Version: 0.1.1 Type: application AppVersion: 1.16.0

A Helm chart to add letsencrypt support to Validated Patterns.

Homepage: https://github.com/validatedpatterns/letsencrypt-chart

Maintainers

Name Email Url
Validated Patterns Team [email protected]

Usage

In order to enable this chart in your patterns, please add and edit the following lines to values-AWS.yaml:

letsencrypt:
  region: eu-central-1 # region of the cluster
  server: https://acme-v02.api.letsencrypt.org/directory
  # staging URL
  # server: https://acme-staging-v02.api.letsencrypt.org/directory
  email: [email protected]

clusterGroup:
  applications:
    letsencrypt:
      name: letsencrypt
      namespace: letsencrypt
      project: default
      path: common/letsencrypt

Values

Key Type Default Description
global object depends on the individual settings Dictionary of the global settings to configure this chart
letsencrypt object depends on the individual settings This section contains all the parameters for the letsencrypt chart in order to request CA signed certificates in a Validated Pattern By default if you include this chart you enable the letsencrypt charts on both the *.apps. ingress and on the API endpoint
letsencrypt.certmanagerChannel string "stable-v1" String the channel to install cert-manager from (Defaults to "stable-v1")
letsencrypt.duration string "168h0m0s" Duration of the requested letsencrypt certificates (Defaults to 168h0m0s)
letsencrypt.email string "[email protected]" String containing the email used when requesting certificates to letsencrypt (required) These two lines need tweaking for every deployment. @example.com emails will be rejected by letsencrypt
letsencrypt.nameservers list ["8.8.8.8:53","1.1.1.1:53"] List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) These two are needed because the DNS01 ACME solver needs outside DNS servers and won't really work with openshift's internal split-view DNS servers https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
letsencrypt.organizations list ["hybrid-cloud-patterns.io"] List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io])
letsencrypt.region string "eu-central-1" String that defines the region used by the route53/dns01 resolver in cert-manager (required)
letsencrypt.renewBefore string "28h0m0s" How long before expiration date should the certs be renewed (Defaults to 28h0m0s)
letsencrypt.server string "https://acme-staging-v02.api.letsencrypt.org/directory" String containing the letsencrypt ACME URL (Defaults to the staging server) By default we use the staging URL to avoid any ratelimiting while testing To switch to the production certificates signed by a recognized CA, please switch to the non-staging URL (see values.yaml)
letsencrypt.usages list ["server auth"] List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth])

Autogenerated from chart metadata using helm-docs v1.14.2

Notes

Please be aware of the following gotchas when using this chart:

  1. Once the API certificate has been replaced with the letsencrypt one, the oc commands might fail with x509 unknown certificate authority errors. You need to remove the previous CA from the kubeconfig file. Run: oc config set-cluster <clustername> --certificate-authority="/dev/null" --embed-certs
  2. When you switch to non-staging letsencrypt certificates, things might fail if you asked for too many certificates over the last few days.
  3. The cluster takes ~20-30 mins to fully settle when both the API endpoint and the default ingress certificates are implemented

Implementation

This chart creates a Cloud Credential that is allowed to write and read DNS entries via Route53 in AWS. That credential is then used by cert-manager to prove ownership of the DNS zone and answer the ACME DNS01 challenges.

We ask for a single wildcard certificate for the default Ingress *.apps.domain and one non-wildcard certificate for the API endpoint api.domain.

We use Argo's Server-Side Apply feature to patch in the Ingress Controller and the API endpoint certificates.

Currently we also patch the main cluster-wide Argo instance to set the tls route to reencrypt in order have a proper cert there. Once issue 297 in the gitops-operator repository is fixed, we can drop that.

About

No description or website provided.

Topics

helm-chart

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

2 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages