
Certificate Manager

Certificates

The default installation of Juno products is deployed with a self-signed certificate, which most browsers will flag as untrusted. We recommend replacing this certificate and installing the Cert Manager plugin, available through the Terra plugin app store.

The Cert Manager plugin installs the third-party software cert-manager, which provides an easy-to-use service that automates certificate creation for your configured ingresses.

Setup

The following is an example setup of cert-manager in Orion using a custom CA; see the cert-manager website for more detailed information on the various deployment settings. This example uses a CA certificate file and key; if you wish to use an external ACME provider such as Let's Encrypt, refer to the cert-manager docs themselves.

Requirements

  • A CA certificate and corresponding private key in separate files locally
    • Certificate in a file called ca.crt
    • Key in ca.key
    • See here for info on generating these files
  • Access to your install's kubectl command
  • A deployed project to use the cert-manager with
  • Cert Manager plugin installed

Method

Deploy CA to the cluster

The following command deploys the CA certificate and key located in your current folder to the cluster as a TLS secret in the default cert-manager namespace:

kubectl create secret tls ca-key-pair \
  --cert=ca.crt \
  --key=ca.key \
  -n cert-manager

Setup the issuer

We now need to create an issuer that points at the CA key pair deployed above. The following command creates an issuer that is not namespace scoped; to restrict it to a single namespace, include that namespace in the metadata, e.g. namespace: test-deployment

kubectl apply -f - <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: ca-key-pair
EOF

Verify

Once the above is deployed, we can verify it is working by running the following commands.

First, ensure the issuer my-ca-issuer is ready to provide certificates; the following command should report READY: True

kubectl get clusterissuer my-ca-issuer

Next, we can manually issue a certificate by deploying a Certificate that references the issuer. Replace the placeholder values with values pertinent to your deployment of Orion and your CA certificate:

kubectl apply -f - <<'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-service-cert
  namespace: <YOUR NAMESPACE>
spec:
  secretName: my-service-tls
  issuerRef:
    name: my-ca-issuer
    kind: ClusterIssuer
  commonName: my-service.<YOUR DOMAIN>
  dnsNames:
  - my-service.<YOUR DOMAIN>
EOF

Apply to a project

With the CA and its issuer set up, we can now apply it to a deployed project and have our CA provide the TLS certificate for the hubble ingress.

Edit the project's ingress resource using kubectl:

kubectl edit ingress hubble-ingress -n <YOUR PROJECT NAMESPACE>

Under annotations, remove the cert-manager.io/issuer: letsencrypt-prod line and replace it with:

cert-manager.io/cluster-issuer: my-ca-issuer

Then append the following to the spec section:

  tls:
    - hosts:
        - <PROJECT NAME>.<YOUR DOMAIN>
      secretName: hubble-tls-certs

Save and exit.

Allow some time for the secret to be created, then try to access your application's web interface; the certificate presented should now be one provided by cert-manager:

$ kubectl get secrets -n <YOUR PROJECT NAMESPACE>
NAME               TYPE                DATA   AGE
hubble-tls-certs   kubernetes.io/tls   3      1m

This change to the project ingress must be made for every active project and for each future project deployed.
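Because the ingress edit above is manual and has to be repeated for every project, the following script, added here as an example and not part of the Juno/Orion product or of cert-manager, builds the same change as a JSON merge patch for kubectl patch instead. The annotation keys and the hubble-tls-certs secret name are the ones used in the procedure; the ingress JSON, namespace and host are constructed sample values.

```python
import json
import sys

# Annotation keys from the procedure above: the Let's Encrypt one is removed,
# the cluster-issuer one is added.
LEGACY_ANNOTATION = "cert-manager.io/issuer"
CLUSTER_ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

# Constructed sample of what `kubectl get ingress hubble-ingress -o json`
# returns for a freshly deployed project (trimmed to the relevant fields).
SAMPLE_INGRESS = {
    "metadata": {
        "name": "hubble-ingress",
        "namespace": "demo-project",
        "annotations": {"cert-manager.io/issuer": "letsencrypt-prod"},
    },
    "spec": {"rules": [{"host": "demo-project.example.internal"}]},
}

def build_ingress_patch(ingress, host, cluster_issuer="my-ca-issuer",
                        secret_name="hubble-tls-certs"):
    """Return a JSON merge patch (RFC 7386) for `kubectl patch --type merge`.

    A null value in a merge patch deletes that key, which is how the legacy
    issuer annotation is dropped. Lists are replaced whole, so the patch
    carries the complete tls list, existing entries included. Applying the
    returned patch a second time changes nothing.
    """
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    patch_annotations = {CLUSTER_ISSUER_ANNOTATION: cluster_issuer}
    if LEGACY_ANNOTATION in annotations:
        patch_annotations[LEGACY_ANNOTATION] = None
    tls = list(ingress.get("spec", {}).get("tls") or [])
    existing = [e for e in tls if host in e.get("hosts", [])]
    if existing and existing[0].get("secretName") != secret_name:
        raise ValueError(f"{host} already served from secret {existing[0].get('secretName')}")
    if not existing:
        tls.append({"hosts": [host], "secretName": secret_name})
    return {"metadata": {"annotations": patch_annotations}, "spec": {"tls": tls}}

if __name__ == "__main__":
    # With a host argument, read the live ingress JSON from stdin; otherwise
    # demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        ingress, host = json.load(sys.stdin), sys.argv[1]
    else:
        ingress, host = SAMPLE_INGRESS, "demo-project.example.internal"
    print(json.dumps(build_ingress_patch(ingress, host), indent=2))
```

Pipe `kubectl get ingress hubble-ingress -n <YOUR PROJECT NAMESPACE> -o json` into the script with the project host as the argument, then pass the printed patch to `kubectl patch ingress hubble-ingress -n <YOUR PROJECT NAMESPACE> --type merge -p '<patch>'`.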