
TLS

It is recommended to install Usage Engine Private Edition with TLS enabled, and there are two different ways of providing the required certificate:

  • cert-manager

  • Secret

Here follows an explanation of the preparations required for each of the two.

Please ensure that the cert-manager CRD resources are installed prior to the cert-manager installation.

The Helm install command below assumes that the service account for cert-manager already exists.


cert-manager

The most automated and secure way to provide the certificate is to use cert-manager (https://cert-manager.io/).

If it is not already installed in your Kubernetes cluster, follow the instructions at https://cert-manager.io/docs/installation/helm/ on how to install the cert-manager Helm chart. Make sure to install a version that is listed in the Compatibility Matrix.

    helm install \
      cert-manager jetstack/cert-manager \
      --namespace cert-manager \
      --create-namespace \
      --version v1.14.4 \
      --set serviceAccount.create=false \
      --set serviceAccount.name=cert-manager

The service account name (serviceAccount.name) is the value of metadata.name under the iam.serviceAccounts section of the uepe-eks.yaml file, see the Set Up Kubernetes Cluster - AWS section.

The namespace is the value of metadata.namespace under the iam.serviceAccounts section of the uepe-eks.yaml file, see the Set Up Kubernetes Cluster - AWS section.


Cert-manager must be backed by a certificate authority (CA) to sign the certificates. Once configured with a CA, cert-manager will automatically sign and renew certificates for the system as needed. Configuring cert-manager with a CA is done by creating an Issuer or ClusterIssuer resource (this resource will be referenced later when installing Usage Engine Private Edition).

Refer to https://cert-manager.io/docs/configuration/ for all the details.

It’s also possible to use an issuer specification that issues self-signed certificates:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: example-issuer
    spec:
      selfSigned: {}

Note that this is only recommended for testing purposes and not in production.

Regardless of the chosen issuer specification, to create the issuer, simply put the specification in a YAML file (here we call it example-issuer.yaml) and then execute a command like this:

    kubectl apply -f example-issuer.yaml

Based on the example above the created ClusterIssuer can be inspected like this:

    kubectl get clusterissuers example-issuer -o yaml
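As an added example (not part of this page, of cert-manager, or of Usage Engine Private Edition), a small Python preflight that classifies an Issuer/ClusterIssuer manifest, flags the self-signed issuer when it is targeted at production, and builds the Certificate resource that references the issuer via issuerRef. The helper names, the environment labels and the sample manifest are assumptions; the Certificate field names are the cert-manager.io/v1 ones.

```python
from typing import Any, Dict, List

# Issuer types cert-manager supports in spec (hypothetical helper, not cert-manager code).
KNOWN_ISSUER_TYPES = ("selfSigned", "ca", "acme", "vault", "venafi")

def classify_issuer(manifest: Dict[str, Any]) -> str:
    """Return which issuer type the Issuer/ClusterIssuer manifest configures."""
    if manifest.get("kind") not in ("Issuer", "ClusterIssuer"):
        raise ValueError("not an Issuer or ClusterIssuer: %r" % manifest.get("kind"))
    if not str(manifest.get("apiVersion", "")).startswith("cert-manager.io/"):
        raise ValueError("apiVersion must be cert-manager.io/<version>")
    spec = manifest.get("spec") or {}
    configured = [t for t in KNOWN_ISSUER_TYPES if t in spec]
    if len(configured) != 1:
        raise ValueError("expected exactly one issuer type, found %r" % configured)
    return configured[0]

def check_issuer(manifest: Dict[str, Any], environment: str) -> List[str]:
    """Preflight findings for the issuer; an empty list means it is acceptable."""
    findings = []
    issuer_type = classify_issuer(manifest)
    if issuer_type == "selfSigned" and environment == "production":
        findings.append("selfSigned issuer is only recommended for testing")
    if issuer_type == "ca" and not (manifest["spec"]["ca"] or {}).get("secretName"):
        findings.append("ca issuer needs spec.ca.secretName holding the CA key pair")
    return findings

def certificate_for(issuer: Dict[str, Any], name: str, namespace: str,
                    dns_names: List[str]) -> Dict[str, Any]:
    """Build the Certificate that cert-manager will sign with the given issuer."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "secretName": name + "-tls",  # Secret that receives tls.crt/tls.key
            "dnsNames": list(dns_names),
            "issuerRef": {"name": issuer["metadata"]["name"],
                          "kind": issuer["kind"], "group": "cert-manager.io"},
        },
    }

# Constructed sample: the self-signed ClusterIssuer shown on this page.
EXAMPLE_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "example-issuer"},
    "spec": {"selfSigned": {}},
}
```

Running check_issuer against the manifest before kubectl apply gives a CI-friendly guard that the self-signed issuer never reaches a production cluster.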
