Configure TLS

To enable users to access the web applications required to manage Deeploy, you'll need a TLS certificate that covers the domains you've configured in the previous step. These domains are:

• deeploy.example.com
• api.deeploy.example.com

To obtain a TLS certificate, complete one of the following setups:

Obtain a TLS certificate from Let's Encrypt with Certbot

The easiest way to create your certificate is using Certbot with Docker:

1. Change your your-local-path in the code snippets below. Note: You don't have to create the Let's Encrypt folder in this path, this folder will be created automatically.
2. Run the snippets for both domains and follow the instructions in the terminal. Note: You'll need access to your DNS provider in order to add a TXT record that Let's Encrypt can validate.

deeploy.example.com snippet

docker run -it --rm --name letsencrypt \
-v /Your-local-path/letsencrypt1:/etc/letsencrypt \
-v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
certbot/certbot:latest certonly -d "deeploy.example.com" \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

api.deeploy.example.com snippet

docker run -it --rm --name letsencrypt \
-v /Your-local-path/letsencrypt1:/etc/letsencrypt \
-v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
certbot/certbot:latest certonly -d "api.deeploy.example.com" \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

After completing the certificate creation 3 files have been created in the /Your-local-path/letsencrypt1/live/deeploy.example.com/ folder. You need the fullchain.pem and privkey.pem files.

3. Create the deeploy-cert Kubernetes TLS Secret:

kubectl create secret tls deeploy-cert \
--cert /Your-local-path/letsencrypt1/live/deeploy.example.com/fullchain.pem \
--key /Your-local-path/letsencrypt1/live/deeploy.example.com/privkey.pem \
-n istio-system

4. Create the deeploy-api-cert Kubernetes TLS Secret :

kubectl create secret tls deeploy-api-cert \
--cert /Your-local-path/letsencrypt1/live/deeploy.example.com-0001/fullchain.pem \
--key /Your-local-path/letsencrypt1/live/deeploy.example.com-0001/privkey.pem \
-n istion-system

Automatic renewal of TLS certificates using Cert Manager

Since Cert Manager is already installed, the following steps are needed to configure auto renewal with DNS01 (see the official Cert Manager guide):

1. Prepare your DNS01 cluster issuer of choice, e.g. AWS Route 53. Follow the instructions by Cert Manager.
2. Create a ClusterIssuer resource that declares how requests for certificates will be fulfilled. To do so, first create a clusterissuer.yaml file with the following values (example for Route53):

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
    name: letsencrypt-prod
spec:
    acme:
        email: <your-email>
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
            name: cert-manager-issuer-secret-key
        solvers:
        - selector: {}
          dns01:
            route53:
              region: <your-aws-region>

3. Create the Cluster:

kubectl apply -f clusterissuer.yaml

4. Create a "Certificate" resource that declares the type of certificate you'll request from Let's Encrypt. To do so, first create a certificate.yaml file, replacing deeploy.example.com with yours:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-cert
  namespace: istio-system
spec:
  secretName: deeploy-cert
  dnsNames:
  - deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-api-cert
  namespace: istio-system
spec:
  secretName: deeploy-api-cert
  dnsNames:
  - api.deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

5. Create the Certificate:

kubectl apply -f certificate.yaml