If your cluster is not publicly accessible, you can still obtain Let's Encrypt certificates by using DNS validation (the ACME DNS-01 challenge) instead of HTTP validation.
This guide is based on the cert-manager documentation at https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/
To start this guide, you'll need:
- A deployed Hydrolix cluster using Cloudflare to manage DNS zones for the Hydrolix cluster hostname.
Create token to alter zone
To use Cloudflare, you may use one of two types of tokens. API Tokens allow application-scoped keys bound to specific zones and permissions, while API Keys are globally-scoped keys that carry the same permissions as your account.
API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.
Tokens can be created at User Profile > API Tokens > API Tokens. The following settings are recommended:
- Zone - DNS - Edit
- Zone - Zone - Read
- Zone Resources:
  - Include - All Zones
Once the token is created, store it in a Kubernetes Secret in your cluster:
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
type: Opaque
stringData:
  api-token: $API_TOKEN # TO BE REPLACED
Save this Secret configuration in the YAML file cloudflare-secret.yaml and deploy it to your cluster:
kubectl apply -f cloudflare-secret.yaml
Create a Certificate Issuer
In this step, we'll create an Issuer that uses the Let's Encrypt production certificate authority. The Issuer contains the following information:
- name - name of the issuer, referenced by certificate requests
- ACME server - server used to generate the ACME challenge
- email - contact email registered with the ACME account
- solvers - method used to validate ownership of the domain
The following example generates a certificate using Let's Encrypt. It validates domain ownership using DNS and creates the proof-of-ownership record via Cloudflare:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-cloudflare
  namespace: $YOURNAMESPACE # TO BE REPLACED
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $YOUREMAILMANAGINGCERTIFICATE # TO BE REPLACED
    privateKeySecretRef:
      name: letsencrypt-production-cloudflare
    solvers:
      - dns01:
          cloudflare:
            email: $YOUR_EMAIL_ON_CLOUDFLARE_USED_TO_CREATE_THE_TOKEN # TO BE REPLACED
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
Store the configuration in the file issuer-prod-lets-enc-cloudflare.yaml. Use the following command to deploy it to your cluster:
kubectl apply -f issuer-prod-lets-enc-cloudflare.yaml
Create a Certificate Request Configuration
After deploying your certificate Issuer, you can create a new certificate request for your domain. Since an Issuer is namespace-scoped, the Certificate must be created in the same namespace as the Issuer.
An important requirement for Hydrolix is to store the certificate into the
That's the default location used by Hydrolix to load the certificate.
Here's a configuration example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $YOURNAMESPACE # TO BE REPLACED
  namespace: $YOURNAMESPACE # TO BE REPLACED
spec:
  secretName: traefik-tls
  issuerRef:
    name: letsencrypt-production-cloudflare
  commonName: $YOURDOMAIN # TO BE REPLACED
  dnsNames:
    - $YOURDOMAIN # TO BE REPLACED
Save this certificate request in the YAML file cert-req.yaml and deploy it to your cluster:
kubectl apply -f cert-req.yaml
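As an added check that is not part of the original guide, the following Python script (hypothetical file name check_cert.py) inspects the JSON output of `kubectl get issuer,certificate -n $YOURNAMESPACE -o json` and reports whether the Issuer and Certificate created above are Ready, whether the Certificate targets the traefik-tls secret and the letsencrypt-production-cloudflare Issuer, and whether any $... placeholders were left unreplaced. The embedded sample is constructed and only stands in for real kubectl output.

```python
import json
import sys

EXPECTED_ISSUER = "letsencrypt-production-cloudflare"
EXPECTED_SECRET = "traefik-tls"  # the Secret Hydrolix loads the certificate from


def ready_condition(obj):
    """Return the cert-manager 'Ready' status condition of an object, or None if absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def check_objects(items):
    """Return a list of problems found in Issuer/Certificate objects (empty list = all good)."""
    problems = []
    for obj in items:
        kind, name, spec = obj["kind"], obj["metadata"]["name"], obj.get("spec", {})
        cond = ready_condition(obj)
        if cond is None or cond.get("status") != "True":
            detail = f"{cond['reason']}: {cond['message']}" if cond else "no Ready condition reported yet"
            problems.append(f"{kind}/{name}: not Ready ({detail})")
        if kind == "Issuer":
            solvers = spec.get("acme", {}).get("solvers", [])
            if not any("cloudflare" in (s.get("dns01") or {}) for s in solvers):
                problems.append(f"Issuer/{name}: no dns01 cloudflare solver configured")
        elif kind == "Certificate":
            if spec.get("secretName") != EXPECTED_SECRET:
                problems.append(f"Certificate/{name}: secretName is {spec.get('secretName')!r}, Hydrolix expects {EXPECTED_SECRET!r}")
            if spec.get("issuerRef", {}).get("name") != EXPECTED_ISSUER:
                problems.append(f"Certificate/{name}: issuerRef does not point at {EXPECTED_ISSUER}")
            names = [spec.get("commonName", "")] + list(spec.get("dnsNames", []))
            if any(n.startswith("$") for n in names):
                problems.append(f"Certificate/{name}: placeholder left in commonName/dnsNames: {names}")
    return problems


# Constructed sample standing in for `kubectl get issuer,certificate -o json`: the Issuer has registered
# its ACME account, the Certificate still carries the $YOURDOMAIN placeholder and has not been issued.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Issuer", "metadata": {"name": EXPECTED_ISSUER},
     "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {"apiTokenSecretRef": {"name": "cloudflare-api-token-secret", "key": "api-token"}}}}]}},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "ACMEAccountRegistered", "message": "constructed sample"}]}},
    {"kind": "Certificate", "metadata": {"name": "hydrolix-cert"},
     "spec": {"secretName": "traefik-tls", "issuerRef": {"name": EXPECTED_ISSUER}, "commonName": "$YOURDOMAIN", "dnsNames": ["$YOURDOMAIN"]},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist", "message": "Issuing certificate as Secret does not exist"}]}},
]}

if __name__ == "__main__":  # pipe kubectl's JSON in; with no pipe, the constructed sample is checked
    problems = check_objects((SAMPLE if sys.stdin.isatty() else json.load(sys.stdin))["items"])
    sys.exit("\n".join("PROBLEM: " + p for p in problems) or None)
```

The script exits non-zero and prints each problem when something is off, so it can be used as a post-deploy gate before returning to the custom certificate guide.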
Return to the Add a Custom Certificate guide to validate your results.