Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cert-management tutorials for Gardener. #30

Merged
merged 1 commit into from
Nov 21, 2018
+136 −0
Merged

Add cert-management tutorials for Gardener. #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Add cert-management tutorials for Gardener.
  • Loading branch information
@timuthy
timuthy committed Nov 21, 2018
commit 26591350dd11edfb0cb784f28356e58d2e1e13b6
41 changes: 41 additions & 0 deletions ...mentation/050-tutorials/content/howto/gardener_certificate_management/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
---
title: Gardener Certificate Management
description: "Configure Certificate Management For Shoot Clusters"
type: tutorial-page
level: intermediate
index: 10
category: certificates
scope: operator
---

# Gardener Certificate Management

## Introduction
Gardener allows Shoot clusters to request and receive verified X.509 certificates for Ingresses out of the box. Therefore, Gardener needs to be set up with certain configuration parameters.

## Gardener Helm Installation
If you choose to deploy Gardener via Helm, the following sections help you to set up certificate management for Shoot clusters.
### Configuration
The configuration for certificate management is passed as a value `.controller.certificateManagement` to the Gardener chart. An example of how the configuration looks like can be found in `example/10-secret-certificate-management-config.yaml`.

> Since the certificate request is forwarded to Let's Encrypt which asks Gardener to prove the ownership of the Shoot cluster's domain by **DNS01 challenges**, it is fundamental to add the respective cloud DNS provider account(s) to this configuration. Usually, these are the same accounts used for Gardener's **Default Domains**.

### Feature Gate
To enable the feature itself, the Feature Gate `CertificateManagement: true` must be passed as a value `.controller.featureGates` to the Gardener chart.

```yaml
featureGates:
CertificateManagement: true
```

## Local Development
If you want to enable certificate management for Shoot clusters in your Gardener development environment, please refer to the sections below.
### Configuration
The configuration for certificate management must be present as a **Secret** in the Garden cluster. An example of how the configuration looks like can be found in `example/10-secret-certificate-management-config.yaml`.
> Since the certificate request is forwarded to Let's Encrypt which asks Gardener to prove the ownership of the Shoot cluster's domain by **DNS01 challenges**, it is fundamental to add the respective cloud DNS provider account(s) to this configuration. Usually, these are the same accounts used for Gardener's **Default Domains**.
### Feature Gate
To enable the feature itself, the Feature Gate `CertificateManagement: true` must be enabled in `/dev/20-componentconfig-gardener-controller-manager.yaml`.
```yaml
featureGates:
CertificateManagement: true
```
95 changes: 95 additions & 0 deletions website/documentation/050-tutorials/content/howto/x509_certificates/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
---
title: Request X.509 Certificates
description: "X.509 Certificates For TLS Communication"
type: tutorial-page
level: beginner
index: 10
category: certificates
scope: app-developer
---

# Request X.509 Certificates

## Introduction
Dealing with applications on Kubernetes which offer service endpoints (e.g. HTTP) may also require you to enable a secured communication via SSL/TLS. Gardener let's you request a commonly trusted X.509 certificate for your application endpoint. Furthermore, Gardener takes care about the renewal process for your requested certificate.

## Restrictions

### Domains
Certificates can only be received for **Default Domains**. Custom domains for Shoot clusters are not covered by this service.

### Character Restrictions
Due to the ACME protocol specification, certificates for domains exceeding a limit of 64 characters cannot be issued.

## Process
### 1. Create Ingress Resource (optional)
In order to request a certificate for a domain managed by Gardener an **Ingress** is required. In case you don't already have one, take the following as an example:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: vuejs-ingress
spec:
tls:
# Gardener managed default domain.
# Must not exceed 64 characters.
- hosts:
- test.ingress.<GARDENER-CLUSTER>.<GARDENER-PROJECT>.shoot.example.com
# Certificate and private key reside in this secret.
secretName: testsecret-tls
rules:
- host: test.ingress.<GARDENER-CLUSTER>.<GARDENER-PROJECT>.shoot.example.com
http:
paths:
- backend:
serviceName: vuejs-svc
servicePort: 8080
```

Please note, Ingress resources aren't required to be properly functional in this context. They can also be used to solely request certificates, which in turn can be used for further scenarios.

### 2. Label Ingress Resource
The label `garden.sapcloud.io/purpose: managed-cert` instructs Gardener to handle certificate issuance for the domains found in labeled Ingress.
> Domains not managed by Gardener are ignored.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tls-example-ingress
labels:
# Let Gardener manage certificates for this Ingress.
garden.sapcloud.io/purpose: managed-cert
...
```

### 3. Request Status
> Processing a certificate request takes several minutes due to domain ownership verification and ACME communication.

Follow the **Events** of the **Ingress** resource to get latest updates about the request progress:

```
$ kubectl -n <Namespace> describe ingress <Ingress Name>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 11m nginx-ingress-controller Ingress default/vuejs-ingress
Normal Certificate 4m52s Cert-Broker-Ingress-Control Certificate request initiated
Normal CreateOrder 4m49s Cert-Broker-Ingress-Control Created new ACME order, attempting validation...
Normal DomainVerified 2m33s Cert-Broker-Ingress-Control Domain "test.ingress.<GARDENER-CLUSTER>.<GARDENER-PROJECT>.shoot.example.com" verified with "dns-01" validation
Normal IssueCert 20s Cert-Broker-Ingress-Control Issuing certificate...
...
```

The following events will appear as soon as the certificate has been issued to your cluster:

```
Events:
...
Normal CertObtained 14s Cert-Broker-Ingress-Control Obtained certificate from ACME server
Normal CertIssued 14s Cert-Broker-Ingress-Control Certificate issued successfully
```

## Ingress Changes
Changes to the `.spec.tls` section of your Ingress will subsequently affect certificate management. Thus, it is possible to request certificates for changed or extended domains any time. Changing the `secretName` in your Ingress is not encouraged, though.