External CA and Ingress Controller Example

This section describes how to configure an application to use Ingress Controller to both expose its TLS-based service and to use an External CA for signing CERTIFICATEs.

NOTE that alternatively an Internal CA could be used with an Ingress Controller -based solution as well.

Prerequisites

This example requires that:

  • The LetsEncrypt CA in the public internet can send an http01 challenge to the FQDN of the StarlingX’s floating OAM IP Address.

  • The StarlingX has access to the kuard demo application at gcr.io/kuar-demo/kuard-amd64:blue.

  • Ensure that your StarlingX administrator has shared the local registry’s public repository’s credentials/secret with the namespace where you will create certificates. This will allow you to leverage the registry.local:9001/public/cert-manager-acmesolver image. See Set up a Public Repository in Local Docker Registry.

  • Ensure that your StarlingX administrator has enabled use of the cert-manager apiGroups in your RBAC policies.

  • Ensure that your StarlingX administrator has opened port 80 and 443 in GlobalNetworkPolicy.

Procedure

  1. Create a LetsEncrypt ISSUER in the default namespace by applying the following manifest file.

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
      namespace: default
    spec:
      acme:
        # The ACME server URL
        server: https://acme-v02.api.letsencrypt.org/directory
        # Email address used for ACME registration
        email: dave.user@hotmail.com
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
          name: letsencrypt-prod
        # Enable the HTTP-01 challenge provider
        solvers:
        - http01:
            ingress:
              class: nginx
    
  2. Create a deployment of the kuard demo application (https://github.com/kubernetes-up-and-running/kuard) with an INGRESS using cert-manager by applying the following manifest file:

    Where both starlingx.mycompany.com and kuard.starlingx.mycompany.com are FQDNs that map to the OAM Floating IP of StarlingX.

    (You should substitute these for FQDNs for the StarlingX installation.)

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: kuard
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: kuard
      template:
        metadata:
          labels:
            app: kuard
        spec:
          containers:
          - name: kuard
            image: gcr.io/kuar-demo/kuard-amd64:blue
            imagePullPolicy: Always
            ports:
            - containerPort: 8080
              protocol: TCP
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: kuard
      labels:
        app: kuard
    spec:
      ports:
        - port: 80
          targetPort: 8080
          protocol: TCP
      selector:
        app: kuard
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        cert-manager.io/issuer: "letsencrypt-prod"
      name: kuard
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - kuard.starlingx.mycompany.com
        secretName: kuard-ingress-tls
      rules:
        - host: kuard.starlingx.mycompany.com
          http:
            paths:
            - backend:
                service:
                  name: kuard
                  port:
                    number: 80
              path: /
              pathType: Prefix
    
  3. Access the kuard demo from your browser to inspect and verify that the certificate is signed by LetsEncrypt CA. For this example, the URL would be https://kuard.starlingx.mycompany.com.