rancher / rancher

Complete container management platform
http://rancher.com
Apache License 2.0
23.42k stars 2.97k forks

LetsEncrypt DNS-01 challenge type #26850

Open Just-Insane opened 4 years ago

Just-Insane commented 4 years ago

What kind of request is this (question/bug/enhancement/feature request): Feature Request

It would be nice to have support for DNS-01 challenge requests for LetsEncrypt during Rancher install.

Use Case:

1) Security - Would not have to expose Rancher to the internet directly in order to get a valid certificate, this increases overall security and limits the attack surface.

2) Security - Using wildcard certificates obscures the names of (potentially) internal services from showing up in certificate transparency logs, which is mostly security through obscurity, but could be useful in some cases.

3) Convenience - DNS-01 is more convenient to use since it doesn't require changing firewall rules, something which can be an issue for businesses.

Alternatively, provide documentation on changing cert-manager and rancher to use a certificate from DNS-01 issuer.

gz#13082

bashofmann commented 4 years ago

One way to do this right now:

```yaml
# cert-manager.io/v1alpha2 was the current API when this was posted; it was
# removed in cert-manager 1.6, so current releases need cert-manager.io/v1.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-rancher-ingress
  # The Rancher ingress reads its TLS secret from cattle-system.
  namespace: cattle-system
spec:
  # Must match the secret name the Rancher ingress references
  # (the chart's ingress.tls.source=secret mode).
  secretName: tls-rancher-ingress
  commonName: rancher.example.com
  dnsNames:
  - rancher.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: mail@example.com
    privateKeySecretRef:
      name: letsencrypt-prod   # ACME account key; cert-manager creates it if missing
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              key: access-token
              name: digitalocean-credentials-secret
---
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-credentials-secret
  # A ClusterIssuer resolves its secretRefs in cert-manager's own namespace
  # (the "cluster resource namespace"), not in cattle-system.
  namespace: cert-manager
type: Opaque
data:
  access-token: <base64 encoded token>
```

Just-Insane commented 4 years ago

Will this automatically renew the certificate using cert-manager?

bashofmann commented 4 years ago

Yes, cert-manager will handle the renewal.

amagura commented 2 years ago

So...is this supported now?

weeix commented 2 years ago

In the case that you already have cert-manager and a working DNS-01 ClusterIssuer, --set ingress.extraAnnotations.cert-manager\.io/cluster-issuer=yourClusterIssuerName works fine (at least for me):

```bash
helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=rancher.example.com \
  --set bootstrapPassword=admin \
  --set ingress.tls.source=secret \
  --set 'ingress.extraAnnotations.cert-manager\.io/cluster-issuer=yourClusterIssuerName'
```

Aaron-ML commented 2 years ago

> In the case that you already have cert-manager and a working DNS-01 ClusterIssuer, --set ingress.extraAnnotations.cert-manager\.io/cluster-issuer=yourClusterIssuerName works fine (at least for me):
>
> ```bash
> helm install rancher rancher-latest/rancher \
>   --namespace cattle-system \
>   --set hostname=rancher.example.com \
>   --set bootstrapPassword=admin \
>   --set ingress.tls.source=secret \
>   --set 'ingress.extraAnnotations.cert-manager\.io/cluster-issuer=yourClusterIssuerName'
> ```

This works, though maybe it should be documented or even better be flagged out from secret in the chart.

davidhrbac commented 2 years ago

Make sure to set the ingress parameter with quotation marks, like --set ingress.extraAnnotations.'cert-manager\.io/cluster-issuer'=issuer-name

See https://rancher.com/docs/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/#customizing-your-ingress
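The quoting point raised in the two comments above (weeix's helm invocation and davidhrbac's note about quotation marks), shown as an added example that is not from this thread, the Rancher chart, or helm itself. as_seen_by_helm and helm_key_path are hypothetical helper names; helm_key_path is a deliberately small model of how helm splits a --set key on unescaped dots (helm's list-index syntax is not modelled) and exists only to make visible where the value ends up.

```sh
# Added example, not code from the Rancher project or from anyone in the thread.
# Shows why the --set key for the cert-manager annotation must be quoted:
# the shell removes an unquoted backslash before helm ever sees the argument,
# and helm then splits the key on the now-unescaped dot.

# Echo an argument exactly as the invoked program (here: helm) would receive it.
as_seen_by_helm() {
  printf '%s' "$1"
}

# Simplified model of helm's --set key parsing: '\.' is a literal dot inside a
# component, any other '.' separates nested map keys. Components are printed
# joined with ' > '. (Helm's list-index syntax such as 'a[0]' is not modelled.)
helm_key_path() {
  key=${1%%=*}               # drop '=value'
  out=""
  comp=""
  rest=$key
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}    # first character of $rest
    rest=${rest#?}
    case $c in
      \\)
        # escaped character: keep the next character literally
        comp="$comp${rest%"${rest#?}"}"
        rest=${rest#?}
        ;;
      .)
        out="$out$comp > "
        comp=""
        ;;
      *)
        comp="$comp$c"
        ;;
    esac
  done
  printf '%s' "$out$comp"
}

# Unquoted: the shell turns '\.' into '.', so helm sees four path components
# and sets extraAnnotations["cert-manager"]["io/cluster-issuer"], a nested map
# that cannot render as the single annotation key cert-manager.io/cluster-issuer.
unquoted=$(as_seen_by_helm ingress.extraAnnotations.cert-manager\.io/cluster-issuer=my-issuer)
echo "shell passes : $unquoted"
echo "helm path    : $(helm_key_path "$unquoted")"

# Quoted: the backslash survives, so helm keeps 'cert-manager.io/cluster-issuer'
# as one key under extraAnnotations.
quoted=$(as_seen_by_helm 'ingress.extraAnnotations.cert-manager\.io/cluster-issuer=my-issuer')
echo "shell passes : $quoted"
echo "helm path    : $(helm_key_path "$quoted")"
```

Quoting only the key segment, as in davidhrbac's form ingress.extraAnnotations.'cert-manager\.io/cluster-issuer'=issuer-name, works for the same reason: the single quotes protect the backslash from the shell, and helm receives the escaped dot intact.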