Cert-manager

The source code and default configuration of the Building Block is available in our GitLab.

Adding the Building Block

Add the directory syseleven-cert-manager to your control repository. Add a .gitlab-ci.yml to the directory with the following content:

include:
  - project: syseleven/building-blocks/helmfiles/cert-manager
    file: JobDevelopment.yaml
    ref: 4.0.0
  - project: syseleven/building-blocks/helmfiles/cert-manager
    file: JobStaging.yaml
    ref: 4.0.0
  - project: syseleven/building-blocks/helmfiles/cert-manager
    file: JobProduction.yaml
    ref: 4.0.0

Remove environments you are not using by removing their include.

Required configuration

Strictly speaking, no configuration is required to deploy this building block. But we strongly recommend configuring an ACME account email address. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails.

values-cert-manager-extension.yaml or values-cert-manager-extension-$ENVIRONMENT.yaml:

email: letsencrypt@example.org

Provision a TLS certificate for an ingress automatically

You need to add one of two annotations to your ingress and configure the TLS section:

Annotations

  • Add the annotation cert-manager.io/cluster-issuer: "letsencrypt-production" to get a valid certificate from Let's Encrypt.
  • Add the annotation cert-manager.io/cluster-issuer: "letsencrypt-staging" to get a certificate from Let's Encrypt's staging CA. This certificate will not be trusted by tooling and browsers, but the staging CA has much more generous rate limits. Use it only for testing purposes.

TLS section

Your ingress needs a spec.tls section. An example:

  tls:
  - hosts:
    - subdomain.example.com
    secretName: subdomain.example.com-tls

Notes:

  • You need to specify the secretName so that cert-manager knows where to save the certificate and the ingress-controller knows which certificate to use. The hosts listed under spec.tls must also appear as hosts in spec.rules; otherwise the HTTP challenge cannot be served for them.
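The two pieces above put together into one complete Ingress manifest. This is an added example, not part of the building block's own configuration; the Ingress name, namespace, the backend service my-app and the ingressClassName nginx are assumptions and must be adapted to your cluster:

```yaml
# Added example: a complete Ingress that cert-manager turns into a
# Certificate via its ingress annotation. Names and class are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: subdomain
  namespace: default
  annotations:
    # Use "letsencrypt-staging" while testing; swap to production only once
    # the staging certificate was issued successfully, to avoid hitting the
    # production rate limits with a misconfigured ingress.
    cert-manager.io/cluster-issuer: "letsencrypt-production"
spec:
  ingressClassName: nginx            # assumption: the ingress class of your cluster
  tls:
  - hosts:
    - subdomain.example.com          # must match the host in the rules below
    secretName: subdomain.example.com-tls
  rules:
  - host: subdomain.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app             # assumption: your application's Service
            port:
              number: 80
```

After applying the manifest, kubectl get certificate -n default shows the Certificate that cert-manager created for the secretName; its READY column turns to True once the challenge succeeded and the Secret contains the issued certificate. Do not reuse the same secretName across several Ingress objects, as they would compete for the same Certificate.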

DNS challenge

If you use our SysEleven Stack DNSaaS, the relevant configuration for DNS challenges is already included by default.

To use the DNS challenge, add the following label to your Ingress/Certificate:

  • cert-manager.io/solver: dns01
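A DNS challenge is the only way to obtain a wildcard certificate, so the following added example requests one directly via a Certificate resource instead of an Ingress annotation. It is not part of the building block itself; it assumes that the ClusterIssuer shipped with the building block selects its DNS-01 solver by the label shown above, that example.com is a zone hosted in SysEleven Stack DNSaaS, and that the names and namespace are placeholders for your own:

```yaml
# Added example: a wildcard certificate solved via DNS-01.
# Zone, names and namespace are assumptions.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default
  labels:
    # Selects the DNS-01 solver of the ClusterIssuer instead of the
    # HTTP-01 default. Wildcard names cannot be validated with HTTP-01.
    cert-manager.io/solver: dns01
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-production     # or letsencrypt-staging for testing
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"
  - example.com                      # the apex is not covered by the wildcard
```

An Ingress that should use this certificate references wildcard-example-com-tls as its secretName and carries no cert-manager.io/cluster-issuer annotation; otherwise cert-manager would create a second, HTTP-01 based Certificate for the same Secret.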

Monitoring

Additional alertrules

  • None

Additional Grafana dashboards

  • None

Scale Setup

This building block consists of multiple components. Each of the components is scaled individually.

  • Usually it is not needed to scale replicas unless you have an excessive amount of certificate requests
  • Requests/limits for CPU/memory can be adjusted