Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

K8s Certificate Manager with Let’s Encrypt

Daniel Nashed  5 May 2022 10:38:40

Domino certificate manager works like a charm and is the best option for native Domino 12 certificate management.
But in a K8s environment you might want to better have certificates deployed outside Domino in front of your Domino K8s service.
Mostly you will use a so called Ingress controller, which offloads your TLS traffic.

I took a look into https://cert-manager.io/docs/concepts/certificate last night.
It turned out the issues I ran into only occurred because of a messed up k3s installation.
After I re-created my server, I was ready to go in minutes.


K3s uses Traefik instead of NGINX

All the documentation on the Certificate Manager site, use NGINX as an ingress controller.

K3s uses Traefik as the default Ingress controller. When troubleshooting the configuration I read a lot of settings admins had to do to get it working.
But it turned out it is pretty simple and you just have to specify the right annotation. See the example below.

I am also posting this to make it easier for others. You don't need all the fancy options admins used to get it working on K3s.
It's very straightforward today - it might have needed tweaks earlier.

Installation of Certificate Manager is pretty straightforward and well documented --> https://cert-manager.io/docs/
I just installed it via HELM. And checked the verification steps.


Let's Encrypt configuration

Once it is installed you can just create a configuration.
In my case I am using Let's Encrypt staging for testing:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: nsh@acme.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: le-staging-account-key
    solvers:
    - http01:
        ingress:
          class: traefik


Once the configuration is in place, you can add a cert-manger.io annotation to your Ingress.
That's really all you need to get a certificate from Let's Encrypt.


apiVersion: networking.k8s.io/v1
kind: Ingress

metadata:
  name: domino-http
  namespace: default

  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-staging

spec:
  tls:
    - secretName: domino-tls
      hosts:
        - k3s.acme.com

  rules:
    - host: k3s.acme.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: domino-http
                port:
                  number: 80


TLS certificates and key stored in K8s secret

As you know me, I am always interested to understand how it works and how the certificate and key is stored.

You can get the secret in JSON format

k get secret/domino-tls -o json


Get certificate from secrect

The certificate is stored in base64. The following command extracts the certificate chain:

k get secret/domino-tls -o json | jq -r ".data.\"tls.crt\"" | openssl base64 -A -d


Get key from secret

The key is also stored base64 encoded

k get secret/domino-tls -o json | jq -r ".data.\"tls.key\"" | openssl base64 -A -d

The result for both commands is the decoded cert chain and key in PEM format.


Conclusion

I think this is good to know and can help if you want to reuse certificates or want to import own certificates.

K8s Certificate Manager is quite powerful and has many different options. Not just Let's Encrypt.
But Let's Encrypt is widely used, free and works like a charm.


Comments

1Thorsten Ebers  06.05.2022 15:28:16  K8s Certificate Manager with Let’s Encrypt

hello, thats nice to know. Now that ST12 is around and installs are now only via docker or kubernetes. Now I just need to get knowledge about Kubernetes on proxmox :-).

I was hoping that ST12 could be still used with a domino server install and we coudl use the certmgr.

br Thorsten

2Daniel Nashed  06.05.2022 21:48:30  K8s Certificate Manager with Let’s Encrypt

@Thorsten Ebers, I think the move from Domino to native ST in a container is a positive and logical next step.

On Docker the deployment is very simple from what I did hear.

On K8s it is a bit more complex, but the HCL Academy team is preparing a workshop for Engage, which will be also on DNUG conference.

Actually for K8s and ST 12 you will need NGINX which is not the default Ingress on K3s. But the lab instructions from HCL will show how to switch k3s to NGINX.

It would make sense in future that the HELM charts support other Ingress controllers. But for now it is NGINX. Or you need to modify it on your own.

For Proxmox I would just install a k3s environment. But for a small environment I would probably start with Docker.

And me looking into Certificate Manager on k3s was triggered by a friend on the HCL Academy team working on the ST 12 workshop in parallel.

So he installed it on k3s with NGINX and I used the native Ingress installed on k3 -- Traefik.

The Domino hands-on workshop for K8s at Engage and DNUG will use k3s as well -- but with the default Ingress controller.

So my write up makes sense and is relevant. If you are on K8s, the Domino side does not require TLS. But you could also use TLS on Domino depending on your needs.

But for Sametime on K8s the Certificate Manager makes sense.

-- Daniel

Links

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]