Open willthewizard opened 5 years ago
Yes this would be very interesting. I'm currently trying out the versions that were current at the time that their talk came out (approx. November 2018).
Hi @willthewizard ! The configuration that worked for me was the following:

- Hyperledger Fabric 1.3.0
- Kubernetes 1.15
- Helm 2.11.0 and Helm 3.0.2
- Cert-manager 0.12

Cert-manager was by far the biggest obstacle. First, you need to add the jetstack repo (cert-manager is developed by jetstack):

```sh
helm repo add jetstack https://charts.jetstack.io
```

and update it:

```sh
helm repo update
```

and then apply the custom resources for your cert-manager version (we use 0.12) with:

```sh
kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
```

Then install cert-manager with:

```sh
helm install cert-manager --namespace cert-manager --version v0.12.0 jetstack/cert-manager
```

As the files `certManagerCI_staging.yaml` and `certManagerCI_production.yaml` in the `extra/` folder are outdated for this version of cert-manager and letsencrypt, you have to update them similar to this:
staging:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: happyledger@hotmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```
production:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: happyledger@hotmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```
Make sure to change the email to your own (or a different one, it matters only for certificate renewals in the future and rate limits of letsencrypt).
As described in the README, by `kubectl apply -f certManagerCI_staging.yaml` and `kubectl apply -f certManagerCI_production.yaml` you create 2 ClusterIssuer resources. Check if they are ready with `kubectl get clusterIssuer -A`.
What I didn't know at first was that you really need to have a domain name registered that points to the external IP of the LoadBalancer that was created by the nginx ingress controller. You can find this IP with `kubectl get service -A`; there should be an external IP listed. Point your domain to this IP, and don't proceed until the domain name actually resolves to your cluster (takes approx. 1 hour).
Then you have to update the ingress section in the `ca.yaml` in `helm_values/` like that:

```yaml
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
  path: /
  hosts:
    # TODO: Change this to your Domain Name
    - ca.yourdomain.com
  tls:
    - secretName: ca--tls
      hosts:
        # TODO: Change this to your Domain Name
        - ca.yourdomain.com
```
Note that the `cert-manager.io/cluster-issuer: letsencrypt-prod` line is different than in the tutorial; we use the current version of the cert-manager resource description. Change the domain to your domain that points to your cluster. Once you have installed it, https://ca.yourdomain.com/cainfo should give you back some nice json!
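As an added example that is not part of this thread or of the project, the following POSIX shell helper checks the three preconditions the comment above calls out before the CA chart is installed: both ClusterIssuers report `READY=True`, the nginx ingress LoadBalancer has an external IP, and the domain resolves to that IP (otherwise the HTTP-01 challenge cannot succeed and failed attempts count against the Let's Encrypt rate limits). The functions read captured `kubectl` output on stdin, so they run offline against the constructed sample output at the bottom; the column layout, the service name containing "ingress" and all IPs and names in the samples are assumptions, not values from a real cluster.

```sh
#!/bin/sh
# Added pre-flight helper (not from the repository). Every check works on
# captured kubectl output so it can be exercised without a cluster.

# issuers_ready: stdin is `kubectl get clusterissuer -A` output (NAME READY AGE).
# Succeeds only if at least one issuer is listed and every one reports READY=True.
issuers_ready() {
  awk 'NR == 1 { next }
       { total++; if ($2 != "True") notready++ }
       END { exit ((total == 0 || notready > 0) ? 1 : 0) }'
}

# lb_external_ip: stdin is `kubectl get service -A` output
# (NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE).
# Prints the EXTERNAL-IP of the first LoadBalancer whose name contains "ingress"
# and whose address is no longer <pending>; prints nothing otherwise.
lb_external_ip() {
  awk '$3 == "LoadBalancer" && $2 ~ /ingress/ && $5 != "<pending>" { print $5; exit }'
}

# domain_points_to RESOLVED_IP EXPECTED_IP: $1 is what `dig +short ca.yourdomain.com`
# returned (empty while DNS has not propagated), $2 is the LoadBalancer IP.
domain_points_to() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample output (assumed layout, not captured from a real cluster).
SAMPLE_ISSUERS='NAME                  READY   AGE
letsencrypt-prod      True    12m
letsencrypt-staging   True    12m'

SAMPLE_SERVICES='NAMESPACE       NAME                                     TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)                      AGE
default         kubernetes                               ClusterIP      10.0.0.1     <none>         443/TCP                      3d
ingress-nginx   nginx-ingress-ingress-nginx-controller   LoadBalancer   10.0.12.34   203.0.113.10   80:31234/TCP,443:31235/TCP   3d
cert-manager    cert-manager-webhook                     ClusterIP      10.0.45.67   <none>         443/TCP                      2d'

# preflight RESOLVED_IP: run all three checks against the samples. In real use,
# replace the samples with live kubectl output and pass "$(dig +short ca.yourdomain.com)".
# Exit status 0 means it is safe to install the CA chart.
preflight() {
  printf '%s\n' "$SAMPLE_ISSUERS" | issuers_ready || { echo "ClusterIssuers not ready"; return 1; }
  lb=$(printf '%s\n' "$SAMPLE_SERVICES" | lb_external_ip)
  [ -n "$lb" ] || { echo "no LoadBalancer external IP yet"; return 1; }
  domain_points_to "$1" "$lb" || { echo "domain does not resolve to $lb (got '$1')"; return 1; }
  echo "ok: issuers ready, domain -> $lb"
}

# Usage: preflight "$(dig +short ca.yourdomain.com | head -n 1)"
```

Running `preflight` with the IP your domain currently resolves to gives a single go/no-go answer; the two most common failures during setup (issuer still `False`, DNS not yet propagated) are reported by name instead of surfacing later as a stuck `Certificate` resource.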
Hi there, we keep running into different issues regarding TLS and CA https control; may I know which versions of nginx-ingress, helm, k8s, and cert-manager you had success with?