Commit 28c6dc6

committed
Added letsencrypt for default ingress
1 parent 34056e0 commit 28c6dc6

1 file changed

Lines changed: 99 additions & 0 deletions

File tree

  • content/cluster-installation/stackit

content/cluster-installation/stackit/index.md

@@ -366,3 +366,102 @@ Re-run until nothing pending; `machine-approver` normally takes over post-bootst
366366
```
367367

368368
Console URL and `kubeadmin` password are printed on success.
369+
370+
## Day-2: default Ingress TLS
371+
372+
### Let’s Encrypt via cert-manager (DNS-01 / STACKIT)
373+
374+
Install **cert-manager Operator for Red Hat OpenShift** from OperatorHub (align minor with cluster; ships CRDs + controller).
375+
376+
**Webhook identity** — the [STACKIT cert-manager webhook](https://github.com/stackitcloud/stackit-cert-manager-webhook) needs API credentials for DNS in the project that **owns** the public zone for `*.apps` (typically the same project as the cluster).
377+
378+
```shell
379+
stackit service-account create --name cert-manager
380+
# Export the service-account key JSON from the portal; keep it off shell history and out of docs.
381+
```
382+
383+
Grant that principal **DNS admin** (or equivalent) on the zone:
384+
385+
![](sa-webui.png)
386+
387+
Secret name below should match Helm `values` / webhook config for the STACKIT SA file:
388+
389+
```shell
390+
oc create secret generic stackit-sa-authentication \
391+
-n cert-manager \
392+
--from-file=sa.json=./stackit-cert-manager-sa.json
393+
```
394+
395+
**Webhook** (Helm):
396+
397+
```shell
398+
helm repo add stackit-cert-manager-webhook https://stackitcloud.github.io/stackit-cert-manager-webhook
399+
helm repo update
400+
helm install stackit-cert-manager-webhook stackit-cert-manager-webhook/stackit-cert-manager-webhook \
401+
--namespace cert-manager \
402+
--create-namespace
403+
404+
oc -n cert-manager adm policy add-scc-to-user nonroot-v2 -z stackit-cert-manager-webhook
405+
```
406+
407+
If the chart exposes secret name / key path values, point them at `stackit-sa-authentication` / `sa.json`.
408+
409+
**ClusterIssuer** (production ACME; use Let’s Encrypt **staging** while debugging):
410+
411+
```yaml
412+
apiVersion: cert-manager.io/v1
413+
kind: ClusterIssuer
414+
metadata:
415+
name: letsencrypt-prod
416+
spec:
417+
acme:
418+
server: https://acme-v02.api.letsencrypt.org/directory
419+
email: Repalce # Replace this with your email address
420+
privateKeySecretRef:
421+
name: letsencrypt-prod
422+
solvers:
423+
- dns01:
424+
webhook:
425+
solverName: stackit
426+
groupName: acme.stackit.de
427+
config:
428+
projectId: "<STACKIT_PROJECT_ID>"
429+
```
430+
431+
**Wildcard `Certificate`** in `openshift-ingress` for the default router:
432+
433+
```yaml
434+
apiVersion: cert-manager.io/v1
435+
kind: Certificate
436+
metadata:
437+
name: letsencrypt-wildcard
438+
namespace: openshift-ingress
439+
spec:
440+
secretName: letsencrypt-wildcard
441+
issuerRef:
442+
group: cert-manager.io
443+
name: letsencrypt-prod
444+
kind: ClusterIssuer
445+
commonName: '*.apps.cluster-a.openshift.runs.onstackit.cloud' # project must be the owner of this zone
446+
duration: 8760h0m0s
447+
dnsNames:
448+
- '*.apps.cluster-a.openshift.runs.onstackit.cloud'
449+
```
450+
451+
Match `dnsNames` / `commonName` to your apps subdomain. The `projectId` in the issuer must be allowed to publish `_acme-challenge` for that zone.
452+
453+
**Observe issuance** (DNS-01 can take several minutes):
454+
455+
```shell
456+
oc -n openshift-ingress get certificate,order,challenge
457+
oc -n openshift-ingress describe certificate letsencrypt-wildcard
458+
```
459+
460+
**Default `IngressController`** → issued secret:
461+
462+
```shell
463+
oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge \
464+
--patch '{"spec":{"defaultCertificate":{"name":"letsencrypt-wildcard"}}}'
465+
```
466+
467+
Until the secret is populated, the router keeps serving the installer default; after issuance, HAProxy reload picks up the Let’s Encrypt chain.
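Review bot: `email: Repalce # Replace this with your email address` in the ClusterIssuer (the `419+` line) is a typo rather than a placeholder, and it is not harmless: cert-manager sends the contact to the ACME server as `mailto:Repalce`, which Let's Encrypt rejects as an invalid contact, so account registration fails before any order is created. Use a placeholder that reads as one, e.g. `email: you@example.com`, and keep the comment. Two smaller points in the same hunk: `duration: 8760h0m0s` on the wildcard `Certificate` suggests a one-year lifetime, but Let's Encrypt ignores the requested duration and issues 90-day certificates, and cert-manager schedules renewal from the issued certificate's real `notAfter`; either drop the field or comment that the issuer decides the lifetime, otherwise readers will expect yearly renewals. Finally, "If the chart exposes secret name / key path values, point them at `stackit-sa-authentication` / `sa.json`" hedges on the one detail the webhook actually needs to find the credentials; state the chart's real values keys (or the `--set` invocation used for this cluster) so the secret name above is a known-good value rather than a guess, and add an `oc -n cert-manager logs deploy/stackit-cert-manager-webhook` check after the Helm install so a mismatched secret name surfaces before the first `Challenge` hangs.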
