diff --git a/README.md b/README.md
index 70438c754..026387628 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Todos:
 - [x] check labels and selectors if they all are correct
 - [x] configure NGINX from yml
-- [ ] configure Let's Encrypt cert-manager from yml
+- [x] configure Let's Encrypt cert-manager from yml
 - [x] configure ingress from yml
 - [x] configure persistent & shared storage between nodes
 - [x] reproduce setup locally
@@ -122,16 +122,25 @@ $ kubectl apply -f human-connection/ingress.yaml
 #### Setup SSL
-Follow [this quick start guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html):
+Follow [this quick start guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html)
+and install certmanager via helm and tiller:
 ```
 $ kubectl create serviceaccount tiller --namespace=kube-system
 $ kubectl create clusterrolebinding tiller-admin --serviceaccount=kube-system:tiller --clusterrole=cluster-admin
 $ helm init --service-account=tiller
 $ helm repo update
 $ helm install stable/nginx-ingress --name quickstart
-$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/00-crds.yaml
+$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/00-crds.yaml
 $ helm install --name cert-manager --namespace cert-manager stable/cert-manager
-$ kubectl apply -f certmanager/
+```
+
+We provided some configuration in a folder `human-connection/certmanager`. To
+avoid letsencrypt very strict rate limits, the default issuer is
+`letsencrypt-staging`. If certmanager is working properly, change it to
+`letsencrypt-prod`. Please updated the email address in the configuration, too.
+
+```sh
+$ kubectl apply -f human-connection/certmanager/
 ```
 #### Legacy data migration
diff --git a/certmanager/ingress.yaml b/human-connection/certmanager/ingress.yaml
similarity index 84%
rename from certmanager/ingress.yaml
rename to human-connection/certmanager/ingress.yaml
index d0ef9a2af..4e55adaf2 100644
--- a/certmanager/ingress.yaml
+++ b/human-connection/certmanager/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    master.nitro.human-connection.org
+    - nitro-master.human-connection.org
     secretName: quickstart-example-tls
   rules:
-  - host: master.nitro.human-connection.org
+  - host: nitro-master.human-connection.org
     http:
       paths:
       - path: /
diff --git a/certmanager/issuer-production.yaml b/human-connection/certmanager/issuer-production.yaml
similarity index 91%
rename from certmanager/issuer-production.yaml
rename to human-connection/certmanager/issuer-production.yaml
index 6977a2178..93090b160 100644
--- a/certmanager/issuer-production.yaml
+++ b/human-connection/certmanager/issuer-production.yaml
@@ -8,7 +8,7 @@ spec:
   # The ACME server URL
   server: https://acme-v02.api.letsencrypt.org/directory
   # Email address used for ACME registration
-  email: letsencrypt-prod@roschaefer.de
+  email: yourmail@example.org
   # Name of a secret used to store the ACME account private key
   privateKeySecretRef:
     name: letsencrypt-prod
diff --git a/certmanager/issuer-staging.yaml b/human-connection/certmanager/issuer-staging.yaml
similarity index 91%
rename from certmanager/issuer-staging.yaml
rename to human-connection/certmanager/issuer-staging.yaml
index ef0f40faa..c7b4e0cc3 100644
--- a/certmanager/issuer-staging.yaml
+++ b/human-connection/certmanager/issuer-staging.yaml
@@ -8,7 +8,7 @@ spec:
   # The ACME server URL
   server: https://acme-staging-v02.api.letsencrypt.org/directory
   # Email address used for ACME registration
-  email: letsencrypt-staging@roschaefer.de
+  email: yourmail@example.org
   # Name of a secret used to store the ACME account private key
   privateKeySecretRef:
     name: letsencrypt-staging
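Review bot: The TLS secret still carries the tutorial's name, `secretName: quickstart-example-tls`, while the host on the lines around it is now `nitro-master.human-connection.org`; a name tied to the host, e.g. `secretName: nitro-master-tls`, keeps it from being confused with the quick-start ingress the README steps also install and makes the issued certificate easy to locate. The hostname appears twice in this hunk (under `tls.hosts` and under `rules`) and the two must stay identical, otherwise the certificate cert-manager requests will not cover the host that is actually served; a one-line comment above `tls:` such as `# keep in sync with rules[].host below` would make that explicit. The annotation that selects the staging or production issuer presumably sits in `metadata`, outside this hunk, so it cannot be checked here.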
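Review bot: `email: yourmail@example.org` is a placeholder that is used verbatim for ACME account registration if the manifest is applied unedited; as far as I recall, Let's Encrypt rejects contact addresses under example.org, so the Issuer would fail to register rather than work silently, and even where a placeholder is accepted the certificate-expiry warnings would go to nobody. Since the README is the only place that says to change it, a comment directly above the line in the manifest, `# REQUIRED: replace with a monitored address before applying; Let's Encrypt sends expiry notices here`, would put the instruction where the operator edits. The same placeholder is used in the issuer-staging.yaml hunk below and deserves the same comment. The Issuer's `spec` block starts outside the hunk.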