Configure TLS
To enable users to access the web applications required to manage Deeploy, you'll need a TLS certificate that covers the domains you've configured in the previous step. These domains are:
- `deeploy.example.com`
- `api.deeploy.example.com`
To obtain a TLS certificate, complete one of the following setups:
- Obtain a TLS certificate from Let's Encrypt with Certbot
- Automatic renewal of TLS certificates using Cert Manager
The easiest way to create your certificate is using Certbot with Docker:
- Change `your-local-path` in the code snippets below. Note: you don't have to create the Let's Encrypt folder in this path; it will be created automatically.
- Run the snippets for both domains and follow the instructions in the terminal. Note: you'll need access to your DNS provider in order to add a `TXT` record that Let's Encrypt can validate.
`deeploy.example.com` snippet:

```bash
docker run -it --rm --name letsencrypt \
  -v /Your-local-path/letsencrypt1:/etc/letsencrypt \
  -v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
  certbot/certbot:latest certonly -d "deeploy.example.com" \
  --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory
```

`api.deeploy.example.com` snippet:

```bash
docker run -it --rm --name letsencrypt \
  -v /Your-local-path/letsencrypt1:/etc/letsencrypt \
  -v /Your-local-path/letsencrypt2:/var/lib/letsencrypt \
  certbot/certbot:latest certonly -d "api.deeploy.example.com" \
  --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory
```
After completing the certificate creation, 3 files have been created in the `/Your-local-path/letsencrypt1/live/deeploy.example.com/` folder. You need the `fullchain.pem` and `privkey.pem` files.
- Create the `deeploy-cert` Kubernetes TLS Secret:

```bash
kubectl create secret tls deeploy-cert \
  --cert /Your-local-path/letsencrypt1/live/deeploy.example.com/fullchain.pem \
  --key /Your-local-path/letsencrypt1/live/deeploy.example.com/privkey.pem \
  -n istio-system
```
- Create the `deeploy-api-cert` Kubernetes TLS Secret (note that the namespace is `istio-system`, the same namespace the Istio gateway reads its TLS secrets from):

```bash
kubectl create secret tls deeploy-api-cert \
  --cert /Your-local-path/letsencrypt1/live/deeploy.example.com-0001/fullchain.pem \
  --key /Your-local-path/letsencrypt1/live/deeploy.example.com-0001/privkey.pem \
  -n istio-system
```
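Before handing the PEM files to `kubectl create secret tls`, it is worth checking that the private key actually belongs to the leaf certificate, that the leaf's SAN list covers the hostname the secret is for, and that the certificate is not already close to expiry (a `--manual` Certbot certificate is not renewed automatically, so the expiry is the thing that silently breaks the gateway later). The following Go program is an added example written for this page; it is not part of the Deeploy documentation or the Deeploy project, and it uses only the Go standard library. The `CheckTLSSecretInputs` and `SelfSignedPEM` names are this example's own; the self-signed certificate it generates is constructed sample input standing in for Let's Encrypt's `fullchain.pem` and `privkey.pem`. The same check applies to the `tls.crt`/`tls.key` pair that cert-manager later writes into the secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckTLSSecretInputs validates PEM material before it becomes a Kubernetes
// TLS secret: the private key must match the leaf certificate, the leaf must
// cover every hostname in hostnames, and it must remain valid for at least
// minValid from now. It returns nil when all checks pass.
func CheckTLSSecretInputs(fullchainPEM, keyPEM []byte, hostnames []string, minValid time.Duration) error {
	// tls.X509KeyPair parses the chain and rejects a key that does not match the leaf.
	pair, err := tls.X509KeyPair(fullchainPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("certificate/key mismatch or bad PEM: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("cannot parse leaf certificate: %w", err)
	}
	// VerifyHostname checks the SAN entries (not just the CN) against each name.
	for _, h := range hostnames {
		if err := leaf.VerifyHostname(h); err != nil {
			return fmt.Errorf("leaf does not cover %q: %w", h, err)
		}
	}
	now := time.Now()
	if now.Before(leaf.NotBefore) {
		return fmt.Errorf("certificate not yet valid (NotBefore %s)", leaf.NotBefore)
	}
	if remaining := leaf.NotAfter.Sub(now); remaining < minValid {
		return fmt.Errorf("certificate expires in %s (NotAfter %s), less than the required %s",
			remaining.Round(time.Hour), leaf.NotAfter.Format(time.RFC3339), minValid)
	}
	return nil
}

// SelfSignedPEM builds a constructed self-signed certificate and EC key for
// the given DNS names and lifetime, so the check can be exercised offline.
// Real deployments use the Let's Encrypt files instead of this helper.
func SelfSignedPEM(dnsNames []string, lifetime time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// Constructed sample input: one certificate covering both Deeploy hostnames.
	hosts := []string{"deeploy.example.com", "api.deeploy.example.com"}
	certPEM, keyPEM, err := SelfSignedPEM(hosts, 90*24*time.Hour)
	if err != nil {
		fmt.Println("sample generation failed:", err)
		return
	}
	// Require at least 30 days of remaining validity before creating the secret.
	if err := CheckTLSSecretInputs(certPEM, keyPEM, hosts, 30*24*time.Hour); err != nil {
		fmt.Println("NOT OK:", err)
		return
	}
	fmt.Println("OK: safe to create the Kubernetes TLS secret from this certificate and key")
}
```

To run it against real Certbot output, read `fullchain.pem` and `privkey.pem` with `os.ReadFile` and pass them to `CheckTLSSecretInputs` with the single hostname the secret is meant for (`deeploy.example.com` for `deeploy-cert`, `api.deeploy.example.com` for `deeploy-api-cert`). A non-nil error means the secret would either be rejected by the gateway or stop working soon, so fix the input before running `kubectl create secret tls`.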
Since Cert Manager is already installed, the following steps are needed to configure auto renewal with DNS01 (see the official Cert Manager guide):
- Prepare your DNS01 cluster issuer of choice, e.g. AzureDNS. Follow the instructions by Cert Manager.
- Create a `ClusterIssuer` resource that declares how requests for certificates will be fulfilled. To do so, first create a `clusterissuer.yaml` file with the following values (example for Route53):

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <your-email>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cert-manager-issuer-secret-key
    solvers:
    - selector: {}
      dns01:
        route53:
          region: <your-aws-region>
```
- Create the ClusterIssuer:

```bash
kubectl apply -f clusterissuer.yaml
```
- Create a `Certificate` resource that declares the type of certificate you'll request from Let's Encrypt. To do so, first create a `certificate.yaml` file, replacing `deeploy.example.com` with yours:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-cert
  namespace: istio-system
spec:
  secretName: deeploy-cert
  dnsNames:
  - deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: deeploy-api-cert
  namespace: istio-system
spec:
  secretName: deeploy-api-cert
  dnsNames:
  - api.deeploy.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```
- Create the Certificate resources:

```bash
kubectl apply -f certificate.yaml
```