Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

K8s Certificate Manager with Let’s Encrypt

Daniel Nashed – 5 May 2022 08:38:40

Domino certificate manager works like a charm and is the best option for native Domino 12 certificate management.
But in a K8s environment you might prefer to have certificates deployed outside Domino, in front of your Domino K8s service.
Usually you will use a so-called Ingress controller, which terminates your TLS traffic.

I took a look at https://cert-manager.io/docs/concepts/certificate last night.
It turned out the issues I ran into only occurred because of a messed up k3s installation.
After I re-created my server, I was ready to go in minutes.


K3s uses Traefik instead of NGINX

All the documentation on the Certificate Manager site uses NGINX as the ingress controller.

K3s uses Traefik as the default Ingress controller. When troubleshooting the configuration I read about a lot of settings admins had to change to get it working.
But it turned out it is pretty simple and you just have to specify the right annotation. See the example below.

I am also posting this to make it easier for others. You don't need all the fancy options admins used to get it working on K3s.
It's very straightforward today - it might have needed tweaks earlier.

Installation of Certificate Manager is pretty straightforward and well documented --> https://cert-manager.io/docs/
I just installed it via Helm and checked the verification steps.


Let's Encrypt configuration

Once it is installed you can just create a configuration.
In my case I am using Let's Encrypt staging for testing:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: nsh@acme.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: le-staging-account-key
    solvers:
    - http01:
        ingress:
          class: traefik


Once the configuration is in place, you can add a cert-manager.io annotation to your Ingress.
That's really all you need to get a certificate from Let's Encrypt.


apiVersion: networking.k8s.io/v1
kind: Ingress

metadata:
  name: domino-http
  namespace: default

  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-staging

spec:
  tls:
    - secretName: domino-tls
      hosts:
        - k3s.acme.com

  rules:
    - host: k3s.acme.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: domino-http
                port:
                  number: 80


TLS certificates and key stored in K8s secret

As you know, I am always interested in understanding how it works and how the certificate and key are stored.

You can get the secret in JSON format:

k get secret/domino-tls -o json


Get certificate from secret

The certificate is stored base64 encoded. The following command extracts the certificate chain:

k get secret/domino-tls -o json | jq -r ".data.\"tls.crt\"" | openssl base64 -A -d


Get key from secret

The key is also stored base64 encoded:

k get secret/domino-tls -o json | jq -r ".data.\"tls.key\"" | openssl base64 -A -d

The result for both commands is the decoded cert chain and key in PEM format.
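Before reusing or importing such a pair it is worth checking that the decoded key really belongs to the leaf certificate, that the certificate is not about to expire and that it covers the Ingress host. The script below is an added example, not part of this post; it takes the tls.crt and tls.key files the two commands above produce (a constructed self-signed certificate for k3s.acme.com stands in for the Let's Encrypt output so it runs offline) and assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: sanity checks for a cert chain and key decoded from a K8s TLS secret.
# Inputs are the PEM files produced by "k get secret ... | openssl base64 -A -d":
# tls.crt = certificate chain, tls.key = private key. For an offline run, a constructed
# self-signed certificate for k3s.acme.com stands in for the real Let's Encrypt output.
# Requires OpenSSL 1.1.1 or newer (for -addext / -ext).
set -e
WORK="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=k3s.acme.com" \
  -addext "subjectAltName=DNS:k3s.acme.com" \
  -keyout "$WORK/tls.key" -out "$WORK/tls.crt" >/dev/null 2>&1

# Prints the number of PEM certificates in the chain file (1 = leaf only, no intermediates).
chain_length() {
  grep -c "BEGIN CERTIFICATE" "$1"
}

# Returns 0 if the private key's public half equals the leaf certificate's public key.
# openssl x509 reads only the first (leaf) certificate of a chain file.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Returns 0 if the leaf certificate stays valid for at least $2 seconds (default: 7 days).
# Let's Encrypt certificates are short-lived, so this is the check to alert on.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null
}

# Returns 0 if hostname $2 is listed in the leaf certificate's subjectAltName extension.
cert_covers_host() {
  pattern=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qE "DNS:${pattern}(,|\$)"
}

# Runs every check for one chain/key pair and host; prints the leaf's identity and expiry.
check_tls_secret_files() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
  echo "chain length: $(chain_length "$1")"
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  cert_not_expiring "$1"     || { echo "certificate expires within 7 days"; return 1; }
  cert_covers_host "$1" "$3" || { echo "certificate does not cover $3"; return 1; }
  echo "OK: $3"
}

check_tls_secret_files "$WORK/tls.crt" "$WORK/tls.key" k3s.acme.com
```

Point the script at the real files decoded from secret/domino-tls and the Ingress host to run the same checks against the Let's Encrypt issued pair.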


Conclusion

I think this is good to know and can help if you want to reuse certificates or import your own certificates.

K8s Certificate Manager is quite powerful and has many different options. Not just Let's Encrypt.
But Let's Encrypt is widely used, free and works like a charm.

