Setup a new ClusterIssuer

2025-12-13 07:45:56 +00:00 · 2020-12-14 13:53:55 +01:00 · 2020-12-14 13:53:55 +01:00 · 95079daa0c
commit 95079daa0c
parent be62c7d284
2 changed files with 105 additions and 35 deletions
--- a/deployment/digital-ocean/https/README.md
+++ b/deployment/digital-ocean/https/README.md
@ -3,7 +3,7 @@
 {% tabs %}
 {% tab title="Helm 3" %}

-Follow [this quick start guide](https://cert-manager.io/next-docs/installation/kubernetes/) and install certmanager via Helm 3:
+Follow [this quick start guide](https://cert-manager.io/docs/) and install certmanager via Helm 3:

 ## … Via Kubernetes Directly

--- a/deployment/digital-ocean/https/templates/issuer.template.yaml
+++ b/deployment/digital-ocean/https/templates/issuer.template.yaml
@ -1,36 +1,106 @@
+# ---
+# # used while installation as first setup for testing purposes, recognize 'server: https://acme-staging-v02…'
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+#   name: letsencrypt-staging
+#   namespace: ocelot-social
+# spec:
+#   acme:
+#     # The ACME server URL
+#     server: https://acme-staging-v02.api.letsencrypt.org/directory
+#     # Email address used for ACME registration
+#     email: user@example.com
+#     # Name of a secret used to store the ACME account private key
+#     privateKeySecretRef:
+#       name: letsencrypt-staging
+#     # Enable the HTTP-01 challenge provider
+#     http01: {}
 ---
-  # used while installation as first setup for testing purposes, recognize 'server: https://acme-staging-v02…'
-  apiVersion: certmanager.k8s.io/v1
-  kind: Issuer
-  metadata:
-    name: letsencrypt-staging
-    namespace: ocelot-social
-  spec:
-    acme:
-      # The ACME server URL
-      server: https://acme-staging-v02.api.letsencrypt.org/directory
-      # Email address used for ACME registration
-      email: user@example.com
-      # Name of a secret used to store the ACME account private key
-      privateKeySecretRef:
-        name: letsencrypt-staging
-      # Enable the HTTP-01 challenge provider
-      http01: {}
+# used while installation as first setup for testing purposes, recognize 'server: https://acme-staging-v02…'
+# !!! replace the e-mail for expiring certificates, see below !!!
+# !!! create the used secret, see below !!!
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: ocelot-social
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: user@example.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-staging-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+# ---
+# # used after installation for production, recognize 'server: https://acme-v02…'
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+#   name: letsencrypt-prod
+#   namespace: ocelot-social
+# spec:
+#   acme:
+#     # The ACME server URL
+#     server: https://acme-v02.api.letsencrypt.org/directory
+#     # Email address used for ACME registration
+#     email: user@example.com
+#     # Name of a secret used to store the ACME account private key
+#     privateKeySecretRef:
+#       name: letsencrypt-prod
+#     # Enable the HTTP-01 challenge provider
+#     http01: {}
 ---
-  # used after installation for production, recognize 'server: https://acme-v02…'
-  apiVersion: certmanager.k8s.io/v1
-  kind: Issuer
-  metadata:
-    name: letsencrypt-prod
-    namespace: ocelot-social
-  spec:
-    acme:
-      # The ACME server URL
-      server: https://acme-v02.api.letsencrypt.org/directory
-      # Email address used for ACME registration
-      email: user@example.com
-      # Name of a secret used to store the ACME account private key
-      privateKeySecretRef:
-        name: letsencrypt-prod
-      # Enable the HTTP-01 challenge provider
-      http01: {}
+# used after installation for production, recognize 'server: https://acme-v02…'
+# !!! replace the e-mail for expiring certificates, see below !!!
+# !!! create the used secret, see below !!!
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: ocelot-social
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: user@example.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-prod-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+# fill in your letsencrypt-staging-issuer-account-key
+# generate base 64: $ echo -n '<your data>' | base64
+apiVersion: v1
+data:
+  tls.key: <your base 64 data>
+kind: Secret
+metadata:
+  name: letsencrypt-staging-issuer-account-key
+  namespace: ocelot-social
+type: Opaque
+---
+# fill in your letsencrypt-prod-issuer-account-key
+# generate base 64: $ echo -n '<your data>' | base64
+apiVersion: v1
+data:
+  tls.key: <your base 64 data>
+kind: Secret
+metadata:
+  name: letsencrypt-prod-issuer-account-key
+  namespace: ocelot-social
+type: Opaque