Certificate Manager
```sh
helm repo add jetstack https://charts.jetstack.io
helm repo update
```
- Plane

```sh
plane up datalayer-cert-manager
plane ls
```

- Helm

```sh
cat << 'EOF' > /tmp/values.yaml
installCRDs: true
nodeSelector:
  role.datalayer.io/router: "true"
startupapicheck:
  nodeSelector:
    role.datalayer.io/router: "true"
cainjector:
  nodeSelector:
    role.datalayer.io/router: "true"
webhook:
  nodeSelector:
    role.datalayer.io/router: "true"
EOF
export RELEASE=datalayer-cert-manager
export NAMESPACE=datalayer-cert-manager
helm upgrade \
  --install $RELEASE \
  jetstack/cert-manager \
  --version v1.13.4 \
  --create-namespace \
  --namespace $NAMESPACE \
  --values /tmp/values.yaml \
  --timeout 5m
helm ls -A
```
Check that the Cert Manager Pods are running.

```sh
kubectl get pods -n datalayer-cert-manager
```
Create the Production Certificate Issuer.

```sh
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME Production server URL.
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration.
    email: info@datalayer.io
    # Name of a secret used to store the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider.
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
kubectl describe clusterissuer letsencrypt
```
Optionally, create the Staging Certificate Issuer.

Warning: Staging Certificates are not recognized by most browsers.

```sh
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME Staging server URL.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration.
    email: info@datalayer.io
    # Name of a secret used to store the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider.
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
kubectl describe clusterissuer letsencrypt-staging
```
The issued certificates have a validity period of 3 months. You should renew them manually with the following commands.

```sh
cmctl renew ${DATALAYER_RUN_HOST}-datalayer-api-cert-secret -n datalayer-api
cmctl status certificate ${DATALAYER_RUN_HOST}-datalayer-api-cert-secret -n datalayer-api
```
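Because renewal is manual here, it helps to know which certificates are actually close to expiry before running `cmctl renew`. The script below is an added example, not part of the Datalayer documentation or of cert-manager: it reads the JSON that `kubectl get certificate -A -o json` produces, flags certificates that are not Ready, already expired, past their `renewalTime`, or within a warning window, and prints the matching `cmctl renew` command for each. The input embedded in the block is constructed sample data, and the certificate names in it are hypothetical.

```python
"""Triage cert-manager Certificate objects for manual renewal.

Added example (not Datalayer's or cert-manager's own code). Feed it the
output of `kubectl get certificate -A -o json` on stdin, or run it as-is
to use the constructed sample below.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `kubectl get certificate -A -o json`.
# Names and dates are hypothetical.
SAMPLE_CERT_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # Ready, but renewalTime has passed: renew now.
            "metadata": {"name": "example-api-cert-secret", "namespace": "datalayer-api"},
            "status": {"conditions": [{"type": "Ready", "status": "True"}],
                       "notAfter": "2024-03-31T00:00:00Z",
                       "renewalTime": "2024-03-01T00:00:00Z"}},
        {   # Ready and far from expiry: nothing to do.
            "metadata": {"name": "example-web-cert-secret", "namespace": "datalayer-web"},
            "status": {"conditions": [{"type": "Ready", "status": "True"}],
                       "notAfter": "2024-06-30T00:00:00Z",
                       "renewalTime": "2024-05-31T00:00:00Z"}},
        {   # Never issued (e.g. ACME challenge failed): needs attention, not renewal.
            "metadata": {"name": "example-broken-cert-secret", "namespace": "datalayer-api"},
            "status": {"conditions": [{"type": "Ready", "status": "False",
                                       "reason": "Failed"}]}},
        {   # Ready condition still True but notAfter is in the past.
            "metadata": {"name": "example-old-cert-secret", "namespace": "datalayer-api"},
            "status": {"conditions": [{"type": "Ready", "status": "True"}],
                       "notAfter": "2024-03-01T00:00:00Z",
                       "renewalTime": "2024-02-01T00:00:00Z"}},
    ],
})


def parse_rfc3339(value):
    """Parse the UTC timestamps cert-manager writes into status fields."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(cert_list_json, now, warn_days=14):
    """Return [(namespace/name, state, days_left)] for every Certificate.

    state is one of NOT_READY, EXPIRED, RENEW_DUE, EXPIRING_SOON, OK;
    days_left is None when the object has no usable notAfter.
    """
    results = []
    for item in json.loads(cert_list_json)["items"]:
        meta = item["metadata"]
        status = item.get("status", {})
        name = f'{meta["namespace"]}/{meta["name"]}'
        ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                    for c in status.get("conditions", []))
        not_after = status.get("notAfter")
        if not ready or not not_after:
            results.append((name, "NOT_READY", None))
            continue
        days_left = (parse_rfc3339(not_after) - now) / timedelta(days=1)
        renewal_time = status.get("renewalTime")
        if days_left <= 0:
            state = "EXPIRED"
        elif renewal_time and now >= parse_rfc3339(renewal_time):
            state = "RENEW_DUE"
        elif days_left <= warn_days:
            state = "EXPIRING_SOON"
        else:
            state = "OK"
        results.append((name, state, int(days_left)))
    return results


def renew_commands(results):
    """Build the `cmctl renew <name> -n <namespace>` command for each cert needing renewal."""
    commands = []
    for full_name, state, _ in results:
        if state in ("EXPIRED", "RENEW_DUE", "EXPIRING_SOON"):
            namespace, name = full_name.split("/", 1)
            commands.append(f"cmctl renew {name} -n {namespace}")
    return commands


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERT_LIST
    # Fixed "now" so the constructed sample gives stable output; use
    # datetime.now(timezone.utc) against a real cluster.
    now = datetime(2024, 3, 10, tzinfo=timezone.utc) if data is SAMPLE_CERT_LIST \
        else datetime.now(timezone.utc)
    report = triage(data, now)
    for full_name, state, days in report:
        print(f"{state:<14} {full_name} ({'n/a' if days is None else days} days left)")
    for cmd in renew_commands(report):
        print(cmd)
```

Certificates reported as `NOT_READY` have no certificate to renew; `cmctl status certificate` (as above) and `kubectl describe` on the ClusterIssuer show why issuance failed.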
If needed, tear down.

- Plane

```sh
kubectl delete clusterissuer letsencrypt
plane down datalayer-cert-manager
```

- Helm

```sh
kubectl delete clusterissuer letsencrypt
export RELEASE=datalayer-cert-manager
export NAMESPACE=datalayer-cert-manager
helm delete $RELEASE --namespace $NAMESPACE
```