K8s Certificate Manager with Let’s Encrypt
Daniel Nashed – 5 May 2022 08:38:40
Domino certificate manager works like a charm and is the best option for native Domino 12 certificate management.
But in a K8s environment you will usually want certificates deployed outside Domino, in front of your Domino K8s service.
In most cases that is a so-called Ingress controller, which terminates TLS on behalf of your pods, so the certificate has to live in Kubernetes rather than in Domino.
I took a look into https://cert-manager.io/docs/concepts/certificate last night.
It turned out the issues I ran into only occurred because of a messed-up k3s installation.
After I re-created my server, I was ready to go in minutes.
K3s uses Traefik instead of NGINX
All the examples in the cert-manager documentation use NGINX as the ingress controller.
K3s ships Traefik as its default Ingress controller. While troubleshooting my configuration I found plenty of extra settings admins had applied to get it working.
But it turned out to be pretty simple: you just have to name the right ingress class in the issuer's solver and add one annotation to the Ingress. See the example below.
I am also posting this to make it easier for others. You don't need all the fancy options admins used to get it working on K3s.
It is very straightforward today; it might have needed tweaks with earlier versions.
Installation of cert-manager is pretty straightforward and well documented --> https://cert-manager.io/docs/
I just installed it via Helm and ran the verification steps from the documentation.
Let's Encrypt configuration
Once it is installed you can create an issuer configuration.
In my case I am using Let's Encrypt staging for testing. The staging CA has generous rate limits but issues certificates that browsers do not trust, so once the flow works, switch the server URL to the production endpoint https://acme-v02.api.letsencrypt.org/directory, ideally as a second ClusterIssuer with its own account key secret:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: nsh@acme.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: le-staging-account-key
    solvers:
    - http01:
        ingress:
          class: traefik
Once the ClusterIssuer is in place, you only have to add a cert-manager.io/cluster-issuer annotation to your Ingress and list the host under spec.tls. cert-manager then solves the HTTP-01 challenge through Traefik, which means port 80 of k3s.acme.com must be reachable from the internet, and stores the issued certificate and key in the Secret named in secretName, from which Traefik serves it. On current Kubernetes versions spec.ingressClassName: traefik replaces the deprecated kubernetes.io/ingress.class annotation; Traefik on K3s accepts both.
That's really all you need to get a certificate from Let's Encrypt. If no certificate shows up, kubectl get certificate,certificaterequest,order,challenge -A shows at which step the issuance is stuck.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domino-http
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
  - secretName: domino-tls
    hosts:
    - k3s.acme.com
  rules:
  - host: k3s.acme.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: domino-http
            port:
              number: 80
TLS certificates and key stored in K8s secret
As you know me, I am always interested to understand how it works and how the certificate and key are stored.
You can get the secret in JSON format (k is an alias for kubectl):
k get secret/domino-tls -o json
Get certificate from secret
The certificate chain is stored base64 encoded in data.tls.crt. The following command extracts it; -A is required because the value is one long line, and openssl base64 without it only accepts 64-character lines:
k get secret/domino-tls -o json | jq -r ".data.\"tls.crt\"" | openssl base64 -A -d
Get key from secret
The private key is stored the same way in data.tls.key:
k get secret/domino-tls -o json | jq -r ".data.\"tls.key\"" | openssl base64 -A -d
The result of both commands is the decoded certificate chain and the private key in PEM format. Keep in mind that anyone allowed to read Secrets in this namespace can run the second command, so the private key is only as protected as your RBAC on Secrets, and dumping it to a terminal leaves it in your scrollback.
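The following script is an added example, not code from the original post, and it covers both directions: building a kubernetes.io/tls Secret manifest from your own PEM files (the import case) and decoding such a Secret back to PEM and verifying what came out (the export case above). It assumes openssl 1.1.1 or newer and POSIX sed on PATH; it needs no kubectl, jq or cluster, because the certificate is a throwaway self-signed one constructed in place of the Let's Encrypt chain, and the Secret JSON is constructed in the shape kubectl emits. The file names, the secret name domino-tls and the hosts k3s.acme.com and other.acme.com are assumptions for the example.

```bash
#!/bin/sh
# Added example, not code from the original post: round-trip a TLS cert/key pair
# through the kubernetes.io/tls Secret format, then verify the pair before
# reusing it. Assumes openssl (1.1.1+) and POSIX sed are on PATH; no kubectl,
# jq or cluster is needed, everything is built locally.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a throwaway self-signed cert for k3s.acme.com stands in
# for the Let's Encrypt chain. For a real import these are your own
# fullchain.pem / privkey.pem.
make_test_pair() {  # $1 = cert out, $2 = key out
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=k3s.acme.com" -addext "subjectAltName=DNS:k3s.acme.com" \
    -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Same shape as what "kubectl create secret tls domino-tls --cert=... --key=..."
# stores: the PEM files base64-encoded on one line under data.tls.crt/tls.key.
secret_manifest() {  # $1 = cert pem, $2 = key pem
  cat <<EOF
{
  "apiVersion": "v1",
  "kind": "Secret",
  "type": "kubernetes.io/tls",
  "metadata": { "name": "domino-tls", "namespace": "default" },
  "data": {
    "tls.crt": "$(openssl base64 -A -in "$1")",
    "tls.key": "$(openssl base64 -A -in "$2")"
  }
}
EOF
}

# Decode one data field back to PEM. The post does this with jq; sed is used
# here so the example has no jq dependency. -A matters: the value is one long
# line and openssl base64 without it only accepts 64-character lines.
secret_field() {  # $1 = secret json, $2 = field name (tls.crt or tls.key)
  sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1" | openssl base64 -A -d
}

# Number of certificates in a PEM chain (Let's Encrypt gives leaf + intermediate).
chain_length() {  # $1 = pem file
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# The checks worth running before importing or reusing a pair: the private key
# belongs to the leaf certificate, the leaf is not expired, and the host you
# serve is actually covered by it. Prints the reason and returns 1 on failure.
verify_pair() {  # $1 = cert pem, $2 = key pem, $3 = hostname
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match"; then
    echo "FAIL: $3 is not covered by the certificate"; return 1
  fi
  echo "OK: key matches certificate, not expired, covers $3"
}

# Import direction: PEM files -> Secret manifest (what you would kubectl apply).
make_test_pair "$WORK/fullchain.pem" "$WORK/privkey.pem"
secret_manifest "$WORK/fullchain.pem" "$WORK/privkey.pem" > "$WORK/domino-tls.json"

# Export direction, as in the post: Secret -> PEM, then verify what came out.
secret_field "$WORK/domino-tls.json" tls.crt > "$WORK/out.crt"
secret_field "$WORK/domino-tls.json" tls.key > "$WORK/out.key"
echo "chain has $(chain_length "$WORK/out.crt") certificate(s)"
verify_pair "$WORK/out.crt" "$WORK/out.key" k3s.acme.com
verify_pair "$WORK/out.crt" "$WORK/out.key" other.acme.com || true
```

Against a real cluster, replace the constructed manifest with the output of k get secret/domino-tls -o json and run secret_field and verify_pair on it; the SAN check is the one that catches a certificate issued for the wrong host before you import it into Domino or reuse it elsewhere.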
Conclusion
I think this is good to know and can help if you want to reuse certificates or import your own certificates.
cert-manager is quite powerful and supports many different issuer types, not just Let's Encrypt.
But Let's Encrypt is widely used, free and works like a charm.