-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixes shellcheck warning about shell globbing
- Loading branch information
1 parent
8bc6f55
commit 90c17d0
Showing
2 changed files
with
100 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| --- | ||
| title: "Cert Manager Install" | ||
| date: 2023-08-06T09:49:58-06:00 | ||
| draft: false | ||
| --- | ||
|
|
||
| I wanted to get SSL cert generation for my home labl. There's absolutely no reason to desire this; I just want my home version of argo-cd to be SSL encrypted by real certs, not self-signed stuff. | ||
|
|
||
| cert-manager seems like it's used everywhere, so I wanted to understand it. I've been working with gitops at work, and it's honestly just a far better way to manage a cluster than anything else I've done, so | ||
| I settled on [skaffold](https://skaffold.dev) as a universal front-end to kustomize/helm/plain manifests. | ||
|
|
||
|
|
||
| ## Getting the helm release | ||
| First, here's a script that helps you download the helm release. | ||
|
|
||
| ```bash | ||
| #!/bin/bash -el | ||
|
|
||
| THIS_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" | ||
|
|
||
| mkdir "${THIS_SCRIPT_DIR}/../cert-manager" || true | ||
| cd "${THIS_SCRIPT_DIR}/../cert-manager" | ||
|
|
||
| CHART_VERSION=v1.12.3 | ||
|
|
||
| helm repo add jetstack https://charts.jetstack.io || true | ||
| helm pull jetstack/cert-manager --untar --untardir cert-manager-${CHART_VERSION} --version "${CHART_VERSION}" | ||
| ``` | ||
|
|
||
| ## Skaffold chart rendering | ||
| Here's a skaffold.yaml that can work with that: | ||
|
|
||
| ```yaml | ||
| --- | ||
| apiVersion: skaffold/v4beta4 | ||
| kind: Config | ||
| metadata: | ||
| name: cert-manager | ||
| profiles: | ||
| - name: local | ||
| deploy: | ||
| helm: | ||
| releases: | ||
| - name: "test-cm" | ||
| chartPath: cert-manager-v1.12.3/cert-manager | ||
| namespace: cert-manager | ||
| setValues: | ||
| installCRDs: true | ||
| createNamespace: true | ||
|
|
||
| manifests: | ||
| rawYaml: | ||
| - kubernetes-manifests/*.yaml | ||
| ``` | ||
| The command `skaffold render -p local -v=debug -o /dev/null` is neat. It shows us that the helm template command generated by this release is `helm --kube-context docker-desktop template test-cm cert-manager-v1.12.3/cert-manager --set installCRDs=true --namespace test-cert-manager`. This can be useful for debugging, especially combined with the `--output-dir` flag in helm which writes each kubernetes manifest to a file. I wish skaffold exposed this option; I may see how tricky it is to add. | ||
|
|
||
| ## Issuer/ClusterIssuer | ||
| This skaffold.yaml is configured to include a `kubernetes-manifests` directory. After creating cert-manager, you have to create either an Issuer or a ClusterIssuer, so this directory is intended to hold those files. Using raw yaml is a little irritating because it doesn't respect namespace changes etc, but it works at a small scale. It might be that you could use kustomize in conjunction with helm to obviate this; I'm not sure. | ||
|
|
||
| If you're using it in a cloud environment, to manage lets-encrypt or whatever, you'll need to add secrets too. I keep to installing them by hand at home because I'm just experimenting; I take notes in READMEs to remind me how to do the rebuild correctly. | ||
|
|
||
| Here's my ClusterIssuer. I use AWS for zone management, and I'm hosting this in my private network so the http challenge is out. HTTP challengesrequire files being resolvable by the lets-encrypt scripts that verify you own a domain that you're about to request the SSL cert for. | ||
|
|
||
| ```yaml | ||
| apiVersion: cert-manager.io/v1 | ||
| kind: ClusterIssuer | ||
| metadata: | ||
| name: letsencrypt-production | ||
| spec: | ||
| acme: | ||
| # The ACME server URL | ||
| server: https://acme-v02.api.letsencrypt.org/directory | ||
| # Email address used for ACME registration | ||
| email: [email protected] | ||
| # Name of a secret used to store the ACME account private key | ||
| privateKeySecretRef: | ||
| name: letsencrypt-production | ||
| # Enable the HTTP-01 challenge provider | ||
| solvers: | ||
| - selector: | ||
| dnsZones: | ||
| - "playtechnique.io" | ||
| dns01: | ||
| route53: | ||
| region: us-east-1 #default | ||
| accessKeyID: <access key id> | ||
| secretAccessKeySecretRef: | ||
| name: prod-route53-credentials-secret | ||
| key: secret-access-key | ||
| # # you can also assume a role with these credentials | ||
| # role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager | ||
| ``` | ||
|
|
||
| This requires that you have an account available with the correct permissions to create/remove route53 permissions, plus a few extras. More on that in a moment. | ||
|
|
||
| ## How do I get the right permissions for route53 and diagnose any other configuration issues? | ||
| When you create a certificate request (I use nginx; for me, it's an annotation on the Ingress resource), the destination namespace contains a challenge of type `challenges.acme.cert-manager.io`. Run a describe on it. |