
I would be using different subdomains for different services, but those services would reside in different K8S clusters. I would like to know if I can just copy the wildcard certificate across the clusters. Also, if there is a similar example somewhere please link me to it. Any help would be appreciated.

Shibu

2 Answers


So there is no native handling of multiple clusters in cert-manager.

That said, there is nothing to stop you copying across the resulting 'Secret' resource between clusters, either manually or automatically.

The 'kubed' project (by appscode) has support for syncing Secrets between clusters: https://github.com/appscode/kubed. Full information can be found on their website: https://appscode.com/products/kubed/0.8.0/guides/config-syncer/inter-cluster/

I hope this helps!

  • Thanks, James, for pointing out the `kubed` project. Will give it a look and see if it satisfies our use case. – Shibu Jul 19 '18 at 17:29
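The answer above says the issued Secret can simply be copied between clusters. As an added example (not code from the answer, from cert-manager or from kubed), here is a small Python filter that prepares a cert-manager-issued TLS Secret for `kubectl apply` on a second cluster: it drops the metadata the source API server assigned and the `cert-manager.io/*` annotations, so a cert-manager instance on the target does not mistake the copy for one of its own, and it refuses anything that is not a `kubernetes.io/tls` Secret with PEM data. It also includes a wildcard matcher, because the question plans several services under one wildcard and `*.devops.in` covers exactly one label (`api.devops.in`, not `devops.in` and not `a.b.devops.in`). The sample Secret, its placeholder PEM bodies and the `example.com/owner` annotation are constructed for the example.

```python
"""Prepare a cert-manager-issued TLS Secret for copying into another cluster.

Added example; not from the original answer, cert-manager or kubed.
Input is the JSON printed by `kubectl get secret <name> -o json`.
"""
import base64
import copy
import json
import sys

# Metadata the source API server assigned; the target cluster assigns its own.
CLUSTER_LOCAL_METADATA = (
    "uid", "resourceVersion", "creationTimestamp", "generation",
    "managedFields", "ownerReferences", "selfLink",
)
# cert-manager stamps the Secrets it issues with these annotations. Left in
# place, a cert-manager running in the target cluster would treat the copy as
# one of its own and could rewrite it.
CERT_MANAGER_ANNOTATION_PREFIX = "cert-manager.io/"


def _pem_block(data_b64: str, expected_suffix: bytes) -> bool:
    """True if the base64 value decodes to PEM whose first line ends in expected_suffix."""
    try:
        first_line = base64.b64decode(data_b64, validate=True).split(b"\n", 1)[0].strip()
    except (ValueError, TypeError):
        return False
    return first_line.startswith(b"-----BEGIN ") and first_line.endswith(expected_suffix)


def sanitize_tls_secret(secret: dict) -> dict:
    """Return a copy of `secret` that is safe to apply in another cluster.

    Raises ValueError unless the object is a kubernetes.io/tls Secret whose
    tls.crt and tls.key decode to PEM. The input is not modified.
    """
    if secret.get("kind") != "Secret" or secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    data = secret.get("data") or {}
    if not _pem_block(data.get("tls.crt", ""), b"CERTIFICATE-----"):
        raise ValueError("data['tls.crt'] is missing or not a PEM certificate")
    if not _pem_block(data.get("tls.key", ""), b"PRIVATE KEY-----"):
        raise ValueError("data['tls.key'] is missing or not a PEM private key")

    out = copy.deepcopy(secret)
    meta = out.setdefault("metadata", {})
    for field in CLUSTER_LOCAL_METADATA:
        meta.pop(field, None)
    kept = {k: v for k, v in (meta.get("annotations") or {}).items()
            if not k.startswith(CERT_MANAGER_ANNOTATION_PREFIX)}
    if kept:
        meta["annotations"] = kept
    else:
        meta.pop("annotations", None)
    return out


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style match: '*.devops.in' covers 'api.devops.in' only.

    It covers neither the bare 'devops.in' nor the deeper 'a.b.devops.in'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                    # ".devops.in"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]            # whatever precedes the suffix
    return bool(left) and "." not in left     # exactly one label


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed sample in the shape of `kubectl get secret tls-secret -o json`.
# The PEM bodies are placeholders, not a real certificate or key.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {
        "name": "tls-secret",
        "namespace": "default",
        "uid": "2f1d1c4e-0000-4000-8000-000000000000",
        "resourceVersion": "123456",
        "creationTimestamp": "2021-01-01T00:00:00Z",
        "managedFields": [{"manager": "cert-manager", "operation": "Update"}],
        "annotations": {
            "cert-manager.io/certificate-name": "le-crt",
            "cert-manager.io/issuer-name": "letsencrypt-prod",
            "cert-manager.io/issuer-kind": "Issuer",
            "example.com/owner": "platform-team",        # constructed, non-cert-manager
        },
    },
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"),
    },
}

if __name__ == "__main__":
    # kubectl --context src get secret tls-secret -o json | python copy_secret.py \
    #   | kubectl --context dst apply -f -
    json.dump(sanitize_tls_secret(json.load(sys.stdin)), sys.stdout, indent=2)
```

The target namespace must already exist, and the copy is a snapshot: when cert-manager renews the certificate on the source cluster the copy goes stale, which is the gap a syncer such as kubed is meant to close.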

I know I am a bit late to the party, but writing an answer might be helpful to someone.

For a wildcard cert the DNS-01 method is required, and it needs auth. You can use any DNS provider as per your use case, or whichever you are already using.

Note: You might need to first add a CAA record in your DNS.

A CAA record can be added to the DNS zone, for example:

```
Name        Type   Value
devops.in   CAA    0 issuewild "letsencrypt.org"
```

Get your record details from: https://sslmate.com/caa/

First we have to create the Secret for storing the access key, using the command:

```shell
# The value is a sample key; note that --from-literal leaves it in your shell
# history, which --from-file or reading the value from stdin avoids.
kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"
```

Here is the example issuer.yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod        # ACME account key, created by cert-manager
    solvers:
    - selector:
        dnsZones:
          - "devops.in"             # this solver handles names under devops.in only
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-secret    # the Secret created above, same namespace as the Issuer
            key: secret-access-key
---
# Use the same API version as the Issuer; cert-manager.io/v1alpha2 is no longer
# served by current cert-manager releases.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret            # cert-manager writes tls.crt and tls.key here
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
    - "*.devops.in"
```

Also make sure your user has the necessary permissions to manage Route53:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```
Harsh Manvar
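The answer above adds a CAA record with the `issuewild` tag before requesting the wildcard. The part worth understanding is which CAA property a CA consults for which name: under RFC 8659 the CA climbs from the requested name towards the root and uses the first CAA RRset it finds; for a wildcard name it honours `issuewild` if present and otherwise falls back to `issue`; for a non-wildcard name it ignores `issuewild` entirely, so the record from the answer does not restrict who may issue a certificate for `api.devops.in`. As an added example (not from the answer, Let's Encrypt or any DNS provider), here is that evaluation in Python over constructed zone data that stands in for `dig CAA` answers; the `issue digicert.com` record, the `legacy.devops.in` sub-zone and the critical-flag record are constructed, and stripping the `*.` label before the lookup is how Let's Encrypt handles wildcard names.

```python
"""Evaluate CAA records for a (possibly wildcard) name under RFC 8659 rules.

Added example; not from the original answer or any CA's code.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]       # (flags, tag, value) as printed by `dig CAA <name>`
CaaZone = Dict[str, List[CaaRecord]]   # owner name -> its CAA RRset

CRITICAL = 128                          # issuer-critical flag bit
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(zone: CaaZone, name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from `name` towards the root; the first owner with a CAA RRset is relevant."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []


def caa_permits(zone: CaaZone, name: str, ca: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for issuer `ca` and `name`, e.g. '*.devops.in'."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name          # CAA is looked up at the base name
    owner, rrset = relevant_caa_set(zone, lookup)
    if not rrset:
        return True, f"no CAA records from {lookup} up to the root"

    # A critical record with a property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}' at {owner}"

    tags = {tag.lower() for _, tag, _ in rrset}
    # issuewild wins for wildcard names when present; issue applies otherwise.
    # issuewild is ignored for non-wildcard names.
    prop = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    values = [value for _, tag, value in rrset if tag.lower() == prop]
    if not values:
        return True, f"no {prop} property at {owner}, so any CA may issue"

    # The issuer domain precedes any ';'-separated parameters; ';' alone means no CA.
    allowed = {value.split(";", 1)[0].strip().lower() for value in values}
    if ca.lower() in allowed:
        return True, f"{prop} at {owner} names {ca}"
    named = sorted(a for a in allowed if a)
    if not named:
        return False, f"{prop} at {owner} is ';', which forbids every CA"
    return False, f"{prop} at {owner} only names {named}"


# Constructed zone data standing in for `dig CAA` answers.
ZONE: CaaZone = {
    "devops.in": [
        (0, "issuewild", "letsencrypt.org"),   # the record from the answer above
        (0, "issue", "digicert.com"),          # constructed: restricts non-wildcard issuance
    ],
    "legacy.devops.in": [(0, "issue", ";")],   # constructed: nobody may issue under here
}

if __name__ == "__main__":
    for name in ("*.devops.in", "api.devops.in", "*.legacy.devops.in", "host.nocaa.example"):
        print(name, caa_permits(ZONE, name, "letsencrypt.org"))
```

Run against the zone from the answer alone (just the `issuewild` record), `caa_permits` allows any CA to issue for `api.devops.in`; if you want non-wildcard names locked down as well, add an `issue` record beside the `issuewild` one.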