Closed enrichman closed 1 year ago
Environment: RKE2 on EC2 with the aws cloud provider installed, local-path storage provisioner, nginx-ingress-controller and a wildcard-enabled public FQDN domain from a zone managed by aws route53.
We always installed Epinio from this branch and then deployed a sample app - then verified whether all the endpoints (epinio, auth, app) are signed by the corresponding TLS cert.
`ClusterIssuer`s: `--set global.tlsIssuer=letsencrypt-staging --set global.tlsIssuerEmail=email@suse.com`
`--set global.tlsIssuer=letsencrypt-production --set global.tlsIssuerEmail=email@suse.com`
Verified that either `production` or `staging` `clusterIssuers` are created only when requested by the helm flags above.
`ClusterIssuer`: `--set global.customTlsIssuer=letsencrypt-production` - we checked the custom issuer is not overwritten by the one from epinio and it works fine for `epinio` and `auth` endpoints but doesn't work for the deployed application, which always uses the `epinio-ca` issuer instead.
-> OK This issue has been verified/fixed via https://github.com/epinio/helm-charts/pull/496
`ClusterIssuer` support in questions.yaml in rancher verified and fixed (add upstream epinio/helm-charts git repo, main branch into rancher. Enable `Include Prerelease versions` in Rancher and proceed with E installation)
`clusterIssuer` name. The installed Epinio UI and DEX are signed by proper certificates, as well as the deployed application.
Note1: the used issuers can be verified in the browser or by the `k get certificaterequests.cert-manager.io -A` command
Note2: a custom `ClusterIssuer` can be defined by something like:

```bash
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuer is cluster-scoped, so no metadata.namespace is set
  name: letsencrypt-production
  annotations:
    customfield: my-custom-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@suse.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
```
Note for the release notes:
- Installation change: "Does not install the letsencrypt issuers by default any more".
Should also explain the various configurations (no issuer, issuer, custom issuer, special values) in the docs.
Added some more comments here: https://github.com/epinio/docs/pull/312
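A check for the Note1 verification above, as an added example that is not from this PR or the Epinio project: it reads cert-manager `Certificate` objects (which carry `spec.issuerRef`) from `kubectl get certificates -A -o json` and reports every certificate not issued by the requested `ClusterIssuer`, which surfaces the case described above where the deployed app fell back to `epinio-ca`. The namespaces, names and DNS names in the embedded sample are assumptions.

```python
import json
import sys

# Constructed sample of `kubectl get certificates -A -o json`, reduced to the fields this
# check needs. Namespaces, names and DNS names are assumptions, not data from a real cluster.
SAMPLE_CERTIFICATES_JSON = """
{"items": [
  {"metadata": {"namespace": "epinio", "name": "epinio"},
   "spec": {"dnsNames": ["epinio.example.com"],
            "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-production"}}},
  {"metadata": {"namespace": "epinio", "name": "dex"},
   "spec": {"dnsNames": ["auth.example.com"],
            "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-production"}}},
  {"metadata": {"namespace": "workspace", "name": "sample-app"},
   "spec": {"dnsNames": ["sample-app.example.com"],
            "issuerRef": {"kind": "ClusterIssuer", "name": "epinio-ca"}}}
]}
"""


def find_issuer_mismatches(certificates_json, expected_issuer):
    """Return (namespace/name, dnsNames, actual issuerRef) for every Certificate
    whose issuerRef is not the ClusterIssuer named expected_issuer."""
    doc = json.loads(certificates_json)
    mismatches = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        spec = item.get("spec", {})
        ref = spec.get("issuerRef", {})
        # issuerRef.kind defaults to the namespaced Issuer kind when omitted
        actual = f"{ref.get('kind', 'Issuer')}/{ref.get('name', '')}"
        if ref.get("kind") != "ClusterIssuer" or ref.get("name") != expected_issuer:
            mismatches.append((f"{meta['namespace']}/{meta['name']}",
                               spec.get("dnsNames", []), actual))
    return mismatches


if __name__ == "__main__":
    # Usage: kubectl get certificates -A -o json | python check_issuers.py letsencrypt-production
    # With no piped input, the constructed sample above is checked instead.
    expected = sys.argv[1] if len(sys.argv) > 1 else "letsencrypt-production"
    data = SAMPLE_CERTIFICATES_JSON if sys.stdin.isatty() else sys.stdin.read()
    for name, dns, actual in find_issuer_mismatches(data, expected):
        print(f"{name} ({', '.join(dns)}) uses {actual}, expected ClusterIssuer/{expected}")
```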
@thehejik awesome! Thanks for the further check on Rancher. :cow2:
Fix #479
This PR avoids the installation of `letsencrypt-production` when not needed. It will be created only when the tlsIssuer value is set. It also adds the staging issuer, and fixes a couple of wrong questions values during the Rancher installation.