AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
Voyager
github-icon twitterx-icon
TRY NOW FREE
  • Welcome
  • Concepts
  • Setup
  • Ingress
    Cert Manager
  • Voyager Operator
    Voyager CLI

New to Voyager? Please start here.

Issue Let’s Encrypt certificate using HTTP-01 challenge with cert-manager

1. Setup Issuer/ClusterIssuer

Setup a ClusterIssuer (Or Issuer) for your Ingress by applying this clusterissuer.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            name: test-ingress

Here test-ingress is the name of ingress you’re going to create.

IngressClass or IngressName?

If the ingressClass field is specified, cert-manager will create new Ingress resources in order to route traffic to the ‘acmesolver’ pods, which are responsible for responding to ACME challenge validation requests. If the ingress.name field is specified, cert-manager will edit the named ingress resource in order to solve HTTP01 challenges. Since Voyager allocates a separate external IP for each Ingress resource, use ingress.name mechanism for Voyager.

2. Create Ingress

We are going to use a nginx server as the backend. To deploy nginx server, run the following commands:

kubectl run nginx --image=nginx
kubectl expose deployment nginx --name=web --port=80 --target-port=80

Now create your ingress by applying ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: voyager
    certmanager.k8s.io/cluster-issuer: "letsencrypt-staging"
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
    - hosts:
        - kiteci.appscode.ninja
      secretName: quickstart-kiteci-tls
  rules:
    - http:
        paths:
          - backend:
              service:
                name: web
                port:
                  number: 80
            path: /
            pathType: Prefix

Then you’ll see that a Certificate crd is created automatically for this ingress

kubectl get certificates.certmanager.k8s.io --all-namespaces

But the certificate is still invalid.

Now take the EXTERNAL-IP from the corresponding service:

kubectl get svc

NAMESPACE       NAME                                          TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
default         voyager-test-ingress                        LoadBalancer   10.7.249.7     35.239.22.162     80:31919/TCP,443:32751/TCP   44s

Create an A-record for kiteci-dns.appscode.ninja mapped to 35.239.22.162.

Wait till this is resolved:

dig +short kiteci-dns.appscode.ninja

Describe that certificate and wait until you see Certificate issued successfully when you describe the certificate.

kubectl describe certificates.certmanager.k8s.io quickstart-kiteci-tls

Let’s Encrypt does not support issuing wildcard certificates with HTTP-01 challenges. To issue wildcard certificates, you must use the DNS-01 challenge.

The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate. If the commonName field is omitted, the first element in the list will be the common name.

What's on this Page

Search
Improve This Page