Maximo

  • 1.  Certbot Certificates in MAS 9

    Posted Thu September 26, 2024 03:26 PM

    Hi all,

    I have downloaded and installed a certificate onto my cluster and have my console now being routed through https.

    Steps:

    1. Created a configmap based on issued certificate
    2. Patched the openshift proxy to use the certificate
    3. Created a secret based on the certificate
    4. Patched the ingress controller to use the certificate

    All that worked fine and well. My question is, once I deploy core and manage, will cert-manager automatically detect my certificate? Or are there additional steps that need to be done in order to make sure that the ingress injects all of my application's routes over https? I'm using Let's Encrypt and I know their certs expire after 90 days. I also know that cert-manager can be configured so that they auto-renew.

    The documentation is a little hazy since network config is not really my strong suit. Any guidance to keep me from reinventing the wheel would be greatly appreciated!

    Thanks,

    P.S. I downloaded certbot to my local machine to create the certs. Would it be best practice to ssh into the VM (We're using VMWare) and install certbot there instead?



    ------------------------------
    Brett Coleman
    ------------------------------


  • 2.  RE: Certbot Certificates in MAS 9

    Posted Thu September 26, 2024 03:56 PM

    Hi Brett,

    I am going to assume that you have your cert-manager cluster issuer set up something like below. In this example our instance is hosted on Azure and we have our DNS also managed by Azure. This allows the Let's Encrypt solver to use our DNS to automatically validate our domain to issue certs.

    Full documentation, including other solver strategies, for this is available here: https://cert-manager.io/docs/configuration/acme/

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt
    spec:
      acme:
        email: email@sharptree.io
        privateKeySecretRef:
          name: letsencrypt
        server: 'https://acme-v02.api.letsencrypt.org/directory'
        solvers:
          - dns01:
              azureDNS:
                clientID: [YOUR_CLIENT_ID_HERE]
                clientSecretSecretRef:
                  key: client-secret
                  name: azuredns-config  # [THIS_IS_THE_SECRET_NAME_WITH_YOUR_AZURE_SECRET]
                environment: AzurePublicCloud
                hostedZoneName: [PUBLIC_DOMAIN]
                resourceGroupName: [RESOURCE_GROUP_WHERE_DNS_IS_HOSTED]
                subscriptionID: [AZURE_SUBSCRIPTION_ID]
                tenantID: [AZURE_TENANT_ID]
    
    

    Once you have your cluster issuer set up you just need to reference it in your Suite configuration with something like this below:

    spec:
      certManagerNamespace: cert-manager  # This matches the namespace of my cluster issuer
      certificateIssuer:
        duration: 8760h0m0s
        name: letsencrypt  # This matches the name of my cluster issuer
        renewBefore: 720h0m0s
      domain: [MY_BASE_DOMAIN]  # This needs to fall under the domain that you specified in your cluster issuer configuration.

    That will then automatically request certificates using that cluster issuer, and that is all you need to do. If you have an existing install you can also update the configuration after the fact and it will reissue with the correct certs.

    If you have any specific questions feel free to reach out.

    Jason



    ------------------------------
    Jason VenHuizen
    Sharptree
    https://sharptree.io
    https://opqo.io
    ------------------------------
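
The renewal arithmetic behind the Suite fields in the post above, as an added example that is not part of the post, of MAS or of cert-manager's own code: it parses the Go-style duration strings, caps the requested duration at what the issuer will really sign (Let's Encrypt's 90-day lifetime, as noted in the question), checks that domain falls under the issuer's hosted zone so the DNS01 solver can validate it, and reports when cert-manager will request a renewal. The issuer cap table, the sample spec with example names in place of the placeholders, the sample date, and the "two thirds into the lifetime" fallback used when renewBefore is unusable are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Go-style durations as used by cert-manager fields: "8760h0m0s", "720h", "5m".
_DURATION_SHAPE = re.compile(r"(?:\d+(?:\.\d+)?[hms])+")
_DURATION_PARTS = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_UNIT_TO_KWARG = {"h": "hours", "m": "minutes", "s": "seconds"}

# Constructed table (assumption for this example): the longest certificate each
# ClusterIssuer will actually sign, regardless of the duration requested. The
# 90-day Let's Encrypt lifetime is the one stated in the thread.
ISSUER_MAX_LIFETIME = {
    "letsencrypt": timedelta(days=90),
}

MIN_RENEW_BEFORE = timedelta(minutes=5)  # cert-manager rejects shorter renewBefore values


def parse_go_duration(text: str) -> timedelta:
    """Convert '8760h0m0s'-style strings into a timedelta; reject anything else."""
    if not isinstance(text, str) or not _DURATION_SHAPE.fullmatch(text):
        raise ValueError(f"not a Go-style duration: {text!r}")
    total = timedelta()
    for value, unit in _DURATION_PARTS.findall(text):
        total += timedelta(**{_UNIT_TO_KWARG[unit]: float(value)})
    return total


def domain_under_zone(domain: str, zone: str) -> bool:
    """True when `domain` is the hosted zone itself or a subdomain of it."""
    domain, zone = domain.lower().rstrip("."), zone.lower().rstrip(".")
    return domain == zone or domain.endswith("." + zone)


def plan_renewal(suite_spec: dict, hosted_zone: str, not_before: datetime) -> dict:
    """Work out the lifetime and renewal point the Suite certificate will get."""
    issuer = suite_spec["certificateIssuer"]
    requested = parse_go_duration(issuer["duration"])
    renew_before = parse_go_duration(issuer["renewBefore"])
    cap = ISSUER_MAX_LIFETIME.get(issuer["name"], requested)
    issued = min(requested, cap)
    not_after = not_before + issued
    warnings = []

    if requested > cap:
        warnings.append(f"requested duration {requested} exceeds {issuer['name']} maximum "
                        f"{cap}; issued lifetime will be {issued}")
    if renew_before < MIN_RENEW_BEFORE:
        warnings.append("renewBefore is below cert-manager's 5 minute minimum")
    if renew_before >= issued:
        # Assumed fallback for this example: renew two thirds into the lifetime
        # when renewBefore is not shorter than the certificate actually issued.
        warnings.append("renewBefore is not shorter than the issued lifetime; "
                        "using the 2/3-of-lifetime fallback")
        renewal_at = not_before + issued * 2 / 3
    else:
        renewal_at = not_after - renew_before
    if not domain_under_zone(suite_spec["domain"], hosted_zone):
        warnings.append(f"domain {suite_spec['domain']} is not under hosted zone "
                        f"{hosted_zone}; DNS01 validation will fail")

    return {
        "issued_lifetime": issued,
        "not_after": not_after,
        "renewal_at": renewal_at,
        "warnings": warnings,
    }


# Constructed sample: the values from the post, with example names for the placeholders.
SAMPLE_SUITE_SPEC = {
    "certManagerNamespace": "cert-manager",
    "certificateIssuer": {"duration": "8760h0m0s", "name": "letsencrypt", "renewBefore": "720h0m0s"},
    "domain": "mas.example.com",
}
SAMPLE_HOSTED_ZONE = "example.com"  # the hostedZoneName from the ClusterIssuer


def sample_plan() -> dict:
    """Evaluate the constructed sample as if the certificate were issued on 2024-09-26."""
    return plan_renewal(SAMPLE_SUITE_SPEC, SAMPLE_HOSTED_ZONE,
                        datetime(2024, 9, 26, tzinfo=timezone.utc))


if __name__ == "__main__":
    plan = sample_plan()
    print(f"issued for {plan['issued_lifetime'].days} days, "
          f"renewal requested on {plan['renewal_at']:%Y-%m-%d}")
    for warning in plan["warnings"]:
        print("WARN:", warning)
```

Run against the sample, the script shows the point worth knowing before relying on the one-year duration in the Suite spec: the issuer still hands out a 90-day certificate, so with renewBefore of 720h the renewal request goes out 60 days after issuance, and the duration field only matters up to the issuer's cap.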



  • 3.  RE: Certbot Certificates in MAS 9

    Posted Sat September 28, 2024 12:07 PM

    I have used Acme.sh with ZeroSSL for the same. Certbot should work if it does ACME DNS01 via cert-manager. Otherwise, use it the old-fashioned way to manually get the certs and apply them to MAS using the manual method (there's Ansible automation available for manual cert management). From the perspective of automating the whole thing, so you don't have to intervene every time the cert expires in three months, as Jason indicated below for Azure, there's also Cloudflare's automation available for Let's Encrypt certs via cert-manager.



    ------------------------------
    Arif Ali
    ------------------------------



  • 4.  RE: Certbot Certificates in MAS 9

    Posted Mon October 14, 2024 04:37 PM

    All,

    In addition to the methods explained above, there are plenty of ways to integrate a Cert Manager Cluster Issuer (recommended) as long as it is supported with ACME DNS01. 

    We have even used a company AD Certification Authority to issue these certs, and they are all automatically issued by Cert Manager as long as we create a Cluster Issuer and reference it on the MAS Core Suite CRD as per the above comment from Jason.

    See my blog posts:

    https://www.interlocsolutions.com/blog/mas-deployment-series-configuring-mas-certificates-using-a-local-ca-issuer

    https://www.interlocsolutions.com/blog/mas-deployment-series-configuring-mas-certificates-using-lets-encrypt

    We have also used a CloudFlare Origin Cluster Issuer (whose CRD "OriginClusterIssuer" is normally compatible but doesn't work with the MAS Core) for when we want CloudFlare to manage the actual Certificates the client sees, so we can use CloudFlare for their rather strong protections for things like DDoS attacks and such (vs. using CloudFlare in "DNS only" mode).

    However, CloudFlare Origin certificates are rather an advanced topic and require workarounds, at least until IBM supports their OriginClusterIssuer natively. We have been able to work around it with a non-CloudFlare-native implementation but will request IBM to consider the CloudFlare implementation in their Suite as an AHA Idea.

    Thanks

    Julio.



    ------------------------------
    Julio Perera
    Senior Maximo Technical Consultant
    Interloc Solutions Inc., US.
    ------------------------------