diff --git a/README.md b/README.md index 7f85e4b82..4efbdec4d 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ Those secrets get `base64` decoded in a kubernetes pod. ### Create a namespace ```shell -$ kubectl create -f namespace-human-connection.yaml +$ kubectl apply -f namespace-human-connection.yaml ``` Switch to the namespace `human-connection` in your kubernetes dashboard. @@ -105,22 +105,7 @@ Sit back and relax and have a look into your kubernetes dashboard. Wait until all pods turn green and they don't show a warning `Waiting: ContainerCreating` anymore. -### Setup Loadbalancer and Ingress - -Basically follow [this tutorial](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes). - -tl;dr: -```sh -$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml -$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml -``` -And create an ingress service in namespace `human-connection`: -```sh -# you should change the domain name according to your needs -$ kubectl apply -f human-connection/ingress.yaml -``` - -#### Setup HTTPS +#### Setup Ingress and HTTPS Follow [this quick start guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html) and install certmanager via helm and tiller: 
@@ -134,14 +119,43 @@ $ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/relea $ helm install --name cert-manager --namespace cert-manager stable/cert-manager ``` -We provided some configuration in a folder `human-connection/certmanager`. To -avoid letsencrypt very strict rate limits, the default issuer is -`letsencrypt-staging`. If certmanager is working properly, change it to -`letsencrypt-prod`. Please updated the email address in the configuration, too. +Create letsencrypt issuers. *Change the email address* in these files before +running this command. +```sh +$ kubectl apply -f human-connection/https/ +``` +Create an ingress service in namespace `human-connection`. *Change the domain +name* according to your needs: +```sh +$ kubectl apply -f human-connection/ingress/ +``` +Check the ingress server is working correctly: +```sh +$ curl -kivL -H 'Host: ' 'https://' +``` +If the response looks good, configure your domain registrar for the new IP +address and the domain. + +Now let's get a valid HTTPS certificate. According to the tutorial above, check +your tls certificate for staging: +```sh +$ kubectl describe --namespace=human-connection certificate tls +$ kubectl describe --namespace=human-connection secret tls +``` + +If everything looks good, update the issuer of your ingress. Change the +annotation `certmanager.k8s.io/issuer` from `letsencrypt-staging` to +`letsencrypt-prod` in your ingress configuration in +`human-connection/ingress/ingress.yaml`. ```sh -$ kubectl apply -f human-connection/certmanager/ +$ kubectl apply -f human-connection/ingress/ingress.yaml ``` +Delete the former secret to force a refresh: +``` +$ kubectl --namespace=human-connection delete secret tls +``` +Now, HTTPS should be configured on your domain. Congrats. #### Legacy data migration diff --git a/human-connection/certmanager/issuer-production.yaml b/human-connection/certmanager/issuer-production.yaml deleted file mode 100644 index 93090b160..000000000 
--- a/human-connection/certmanager/issuer-production.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: letsencrypt-prod - namespace: human-connection -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: yourmail@example.org - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-prod - # Enable the HTTP-01 challenge provider - http01: {} diff --git a/human-connection/certmanager/issuer-staging.yaml b/human-connection/certmanager/issuer-staging.yaml deleted file mode 100644 index c7b4e0cc3..000000000 --- a/human-connection/certmanager/issuer-staging.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: letsencrypt-staging - namespace: human-connection -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: yourmail@example.org - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - # Enable the HTTP-01 challenge provider - http01: {} diff --git a/human-connection/https/issuer.yaml b/human-connection/https/issuer.yaml new file mode 100644 index 000000000..8cb554fc6 --- /dev/null +++ b/human-connection/https/issuer.yaml 
@@ -0,0 +1,34 @@ +--- + apiVersion: certmanager.k8s.io/v1alpha1 + kind: Issuer + metadata: + name: letsencrypt-staging + namespace: human-connection + spec: + acme: + # The ACME server URL + server: https://acme-staging-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: user@example.com + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-staging + # Enable the HTTP-01 challenge provider + http01: {} +--- + apiVersion: certmanager.k8s.io/v1alpha1 + kind: Issuer + metadata: + name: letsencrypt-prod + namespace: human-connection + spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: user@example.com + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-prod + # Enable the HTTP-01 challenge provider + http01: {} diff --git a/human-connection/certmanager/ingress.yaml b/human-connection/ingress/ingress.yaml similarity index 100% rename from human-connection/certmanager/ingress.yaml rename to human-connection/ingress/ingress.yaml
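Review bot: In the README hunk at `@@ -105,22 +105,7 @@`, deleting the "Setup Loadbalancer and Ingress" section removes the only step that installs an ingress controller (`kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml` and the `cloud-generic.yaml` service), but the replacement "Setup Ingress and HTTPS" text still applies `human-connection/ingress/` and expects a load balancer IP to `curl`. Without a controller the Ingress object is inert and the HTTP-01 challenge can never be answered, so either keep those two install lines (ideally pinned to a release tag rather than `master`) or state explicitly which controller the cert-manager quick start assumes. Also, with the `###` parent heading gone, `#### Setup Ingress and HTTPS` now sits directly under `### Deploy` with no level-3 heading; promote it to `### Setup Ingress and HTTPS` so the structure matches the rest of the README.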
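Review bot: In the README hunk at `@@ -134,14 +119,43 @@`, the verification command `$ curl -kivL -H 'Host: ' 'https://'` ships with empty placeholders, so a reader copying it sends an empty `Host` header to no URL; write it as `curl -kivL -H 'Host: <your-domain>' 'https://<load-balancer-ip>'` and mention that the IP is the ADDRESS shown by `kubectl get ingress --namespace=human-connection`. Worth a sentence as well: `-k` disables certificate verification, which is only appropriate while `letsencrypt-staging` is the issuer (staging certificates chain to an untrusted root); once the annotation is switched to `letsencrypt-prod` and the secret is recreated, the final check should be run without `-k` so a still-staging or mis-issued certificate actually fails. Two smaller points in the same hunk: "Change the email address in these files" refers to a single file, `human-connection/https/issuer.yaml`, and the `kubectl --namespace=human-connection delete secret tls` fence is untagged while every neighbouring fence uses ```sh.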
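Review bot: In the new `human-connection/https/issuer.yaml`, every key of both documents is indented by one space (` apiVersion: certmanager.k8s.io/v1alpha1`, ` kind: Issuer`, ...). YAML accepts a consistently indented top-level mapping, so `kubectl apply` will not reject it, but it is nonstandard, differs from the two files it replaces, and makes the next edit prone to an indentation mismatch that silently nests a key under the wrong parent; strip the leading space so `apiVersion` starts at column 0 after each `---`. The rest is consistent with the README: both `Issuer` objects live in `human-connection`, so the ACME account keys in `privateKeySecretRef` (`letsencrypt-staging`, `letsencrypt-prod`) land in the same namespace the README addresses with `--namespace=human-connection`.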
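Review bot: The rename `human-connection/certmanager/ingress.yaml` to `human-connection/ingress/ingress.yaml` is at `similarity index 100%`, so this diff does not show the file's contents, yet the README hunk now instructs readers to change the annotation `certmanager.k8s.io/issuer` from `letsencrypt-staging` to `letsencrypt-prod` in it. Please confirm the unchanged file actually carries `certmanager.k8s.io/issuer: letsencrypt-staging` as its default and a `tls:` block whose `secretName` is `tls`, since the `kubectl describe ... certificate tls` and `delete secret tls` commands in the README depend on exactly those values.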