diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 26a477d..cfc73af 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -58,7 +58,7 @@ jobs: env: SSH_AUTH_SOCK: /tmp/ssh_agent.sock run: | - ssh-agent -a $SSH_AUTH_SOCK > /dev/null + ssh-agent -a "${SSH_AUTH_SOCK}" > /dev/null ssh-add - <<< "${{ secrets.DIGITAL_OCEAN_CI_SSH_KEY }}" - name: "run ansible" env: diff --git a/blog/content/projects/open-source/cert-manager-install.md b/blog/content/projects/open-source/cert-manager-install.md new file mode 100644 index 0000000..d2e9c01 --- /dev/null +++ b/blog/content/projects/open-source/cert-manager-install.md 
@@ -0,0 +1,99 @@ +--- +title: "Cert Manager Install" +date: 2023-08-06T09:49:58-06:00 +draft: false +--- + +I wanted to get SSL cert generation for my home labl. There's absolutely no reason to desire this; I just want my home version of argo-cd to be SSL encrypted by real certs, not self-signed stuff. + +cert-manager seems like it's used everywhere, so I wanted to understand it. I've been working with gitops at work, and it's honestly just a far better way to manage a cluster than anything else I've done, so +I settled on [skaffold](https://skaffold.dev) as a universal front-end to kustomize/helm/plain manifests. + + +## Getting the helm release +First, here's a script that helps you download the helm release. + +```bash +#!/bin/bash -el + +THIS_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" + +mkdir "${THIS_SCRIPT_DIR}/../cert-manager" || true +cd "${THIS_SCRIPT_DIR}/../cert-manager" + +CHART_VERSION=v1.12.3 + +helm repo add jetstack https://charts.jetstack.io || true +helm pull jetstack/cert-manager --untar --untardir cert-manager-${CHART_VERSION} --version "${CHART_VERSION}" +``` + +## Skaffold chart rendering +Here's a skaffold.yaml that can work with that: + +```yaml +--- +apiVersion: skaffold/v4beta4 +kind: Config +metadata: + name: cert-manager +profiles: + - name: local + deploy: + helm: + releases: + - name: "test-cm" + chartPath: cert-manager-v1.12.3/cert-manager + namespace: cert-manager + setValues: + installCRDs: true + createNamespace: true + + manifests: + rawYaml: + - kubernetes-manifests/*.yaml +``` + +The command `skaffold render -p local -v=debug -o /dev/null` is neat. It shows us that the helm template command generated by this release is `helm --kube-context docker-desktop template test-cm cert-manager-v1.12.3/cert-manager --set installCRDs=true --namespace test-cert-manager`. This can be useful for debugging, especially combined with the `--output-dir` flag in helm which writes each kubernetes manifest to a file. 
I wish skaffold exposed this option; I may see how tricky it is to add. + +## Issuer/ClusterIssuer +This skaffold.yaml is configured to include a `kubernetes-manifests` directory. After creating cert-manager, you have to create either an Issuer or a ClusterIssuer, so this directory is intended to hold those files. Using raw yaml is a little irritating because it doesn't respect namespace changes etc, but it works at a small scale. It might be that you could use kustomize in conjunction with helm to obviate this; I'm not sure. + +If you're using it in a cloud environment, to manage lets-encrypt or whatever, you'll need to add secrets too. I keep to installing them by hand at home because I'm just experimenting; I take notes in READMEs to remind me how to do the rebuild correctly. + +Here's my ClusterIssuer. I use AWS for zone management, and I'm hosting this in my private network so the http challenge is out. HTTP challengesrequire files being resolvable by the lets-encrypt scripts that verify you own a domain that you're about to request the SSL cert for. + +```yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: jam@jamandbees.net + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-production + # Enable the HTTP-01 challenge provider + solvers: + - selector: + dnsZones: + - "playtechnique.io" + dns01: + route53: + region: us-east-1 #default + accessKeyID: + secretAccessKeySecretRef: + name: prod-route53-credentials-secret + key: secret-access-key +# # you can also assume a role with these credentials +# role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager + +``` + +This requires that you have an account available with the correct permissions to create/remove route53 permissions, plus a few extras. 
More on that in a moment. + +## How do I get the right permissions for route53 and diagnose any other configuration issues? +When you create a certificate request (I use nginx; for me, it's an annotation on the Ingress resource), the destination namespace contains a challenge of type `challenges.acme.cert-manager.io`. Run a describe on it.
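Review bot: the unchanged context line directly below the quoting fix still expands a secret into the script text itself: `ssh-add - <<< "${{ secrets.DIGITAL_OCEAN_CI_SSH_KEY }}"`. Because `${{ }}` expressions are substituted before the shell ever runs, the private key material is written into the generated script and any unexpected characters in it are parsed as shell syntax; the step already has an `env:` block for `SSH_AUTH_SOCK`, so the same pattern this change applies there fits here too, e.g. add `DIGITAL_OCEAN_CI_SSH_KEY: ${{ secrets.DIGITAL_OCEAN_CI_SSH_KEY }}` under `env:` and use `ssh-add - <<< "${DIGITAL_OCEAN_CI_SSH_KEY}"` in the script.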
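Review bot: in the ClusterIssuer manifest of the new post, `accessKeyID:` is left with no value, so the route53 solver as written references a secret access key with no access key ID to pair it with; either give it an obvious placeholder (the commented-out role ARN already uses `YYYYYYYYYYYY` for this) or remove the key and say in the text how the ID is supplied. The comment `# Enable the HTTP-01 challenge provider` sits above a `dns01` solver and contradicts the prose that rules HTTP-01 out for a private network, so it should describe DNS-01 instead. Two smaller items: the skaffold.yaml sets `namespace: cert-manager` while the quoted rendered command shows `--namespace test-cert-manager`, so one of the two is stale, and the prose has the typos `home labl` and `challengesrequire`.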