From 3c6cfeed030ab5eb75a1f6b0aa988458b34ec89f Mon Sep 17 00:00:00 2001
From: Dominik Chilla
Date: Thu, 24 Sep 2020 15:54:41 +0200
Subject: [PATCH] cert manager take 2

---
 README.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 86 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index a3c7056..1ff32bc 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,10 @@
 * [Deploy my-nginx-service](#deploy-my-nginx-service)
 * [Stick the nginx-ingress controler and my-nginx app together](#stick-nginx-ingress-and-tcp-service)
 * [Test exposed app on TCP-port 9000](#test-nginx-ingress-and-tcp-service)
+* [Cert-Manager (references ingress controller)](#cert-manager)
+ * [Installation](#cert-manager-install)
+ * [Let´s Encrypt issuer](#cert-manager-le-issuer)
+ * [Troubleshooting](#cert-manager-troubleshooting)
 * [Running DaemonSets on `hostPort`](#running-daemonsets)
 * [HELM charts](#helm)
 * [Create a chart](#helm-create)
@@ -61,7 +65,6 @@ metadata:
 name: devel
 labels:
 name: devel
-
 ---
 apiVersion: v1
 kind: LimitRange
@@ -142,7 +145,7 @@ spec:
 cpu: 50m
 memory: 4Mi
 min:
- cpu: 50m
+ cpu: 10m
 memory: 4Mi
 type: Container
 ```
@@ -391,6 +394,87 @@ kubectl logs my-nginx-65c68bbcdf-xkhqj -f
 [...]
 ```
+# Cert-Manager (references ingress controller)
+## Installation
+Docs: https://hub.helm.sh/charts/jetstack/cert-manager
+```
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.2/cert-manager.crds.yaml
+kubectl create namespace cert-manager
+helm install cert-manager --namespace cert-manager jetstack/cert-manager
+kubectl -n cert-manager get all
+```
+## Let´s Encrypt issuer
+Docs: https://cert-manager.io/docs/tutorials/acme/ingress/#step-6-configure-let-s-encrypt-issuer
+```
+ClusterIssuers are a resource type similar to Issuers. They are specified in exactly the same way,
+but they do not belong to a single namespace and can be referenced by Certificate resources from
+multiple different namespaces.
+```
+
+lets-encrypt-cluster-issuers.yaml
+```
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging-issuer
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: user@example.com
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-staging-account-key
+ # Add a single challenge solver, HTTP01 using nginx
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod-issuer
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: user@example.com
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-prod-account-key
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+```
+
+## Troubleshooting
+ClusterIssuer runs in default namespace:
+```
+kubectl get clusterissuer
+kubectl describe clusterissuer
+```
+All other ingres-specific cert-manager resources are running specific namespaces:
+```
+kubectl -n get certificaterequest
+kubectl -n describe certificaterequest
+kubectl -n get certificate
+kubectl -n describe certificate
+kubectl -n get secret
+kubectl -n describe secret
+kubectl -n get challenge
+kubectl -n describe challenge
+```
+
+After successfull setup perform a TLS-test: `https://www.ssllabs.com/ssltest/index.html`
+
 # Running DaemonSets on `hostPort`
 * Docs: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
 * Good article: https://medium.com/stakater/k8s-deployments-vs-statefulsets-vs-daemonsets-60582f0c62d4