I am trying to figure out how I best install SSL on my k8s cluster hosted on Jelastic. I found some nice hints here on how to get cert-manager working on a k8s cluster in general (irrespective of the host provider).

My concern is now that I am not 100% sure whether or not I need letsencrypt or if I could go with the default SSL installation. Looking at the bottom (last paragraph) of this README, I see that I must be able to install it on my cluster. From the Jelastic dashboard, it's not obvious at all that I can do so. The addons icon appears on the Workers and Storage nodes. And through that icon, in both cases, I see no letsencrypt addon.

What's the best practice here? How do I get that up and running? First, the nginx ingress controller installed by default does not meet our security requirements. Second, any subdomain we add to this Jelastic environment does not get provided with the necessary SSL certificates by default. How do I get around this?

Laurent Michel

1 Answer

Let me shed some light on SSLs. You are 100% right that there are at least two options of how SSLs can be handled in Jelastic's K8s.

Briefly:

1) Deploy SSLs to SLB (via API or via LE addon). The LE addon + SLB combination is now available to Private Cloud customers only (support for Public Cloud is coming soon). This way you can forward your requests to your K8s cluster from SLB using https2http termination (so your ingress controller will be listening on HTTP only).

2) Deploy SSL to K8s directly using certification manager. The latest version of K8s in Jelastic supports this. To be able to use this method, it is required to attach Public IPs to all worker nodes (as they have direct listeners of ingress controllers). In this case SSL certificate issuing will be triggered by an ingress rule where a dedicated annotation is used. This method is recommended and considered more secure. Your K8s cluster will accept direct connections on port 443, and every exposed service may have a dedicated ACME ingress for verification.

Ruslan
Ihor Kolodyuk
  • I will go for the second solution. In my k8s installation manifest, I'll install the jelastic kubernetes manifest, then attach ip to worker nodes, then install the cert-manager, in the very way it is explained in the link of my original post. Thanks for the advice! – Laurent Michel Mar 12 '20 at 11:24
  • It doesn't work. Unfortunately, when I try to install [this manifest](https://github.com/jelastic-jps/kubernetes/blob/v1.16.6/manifest.jps) from the Jelastic dashboard, I get an error: "The tag is not allowed for current template. Please try again later or contact support for the assistance. Contact Us" I see no special error or warning in the app console. What can I do then? – Laurent Michel Mar 16 '20 at 08:08
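
Option 2 in the answer (issuance triggered by an annotated ingress rule) could look like the following with cert-manager and Let's Encrypt. This is an added example, not part of the original thread or of Jelastic's manifests; the issuer name, host, e-mail, secret names, backend service and the `nginx` ingress class are assumptions.

```yaml
# Added example. All names, the host and the e-mail are placeholders (assumptions).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                 # hypothetical issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com             # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                 # assumed class of the ingress controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app                              # hypothetical application ingress
  namespace: default
  annotations:
    # The "dedicated annotation": cert-manager watches for it and
    # requests a certificate for every host listed under spec.tls.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com                # placeholder subdomain
      secretName: app-example-com-tls    # cert-manager stores key + cert here
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app                # hypothetical backend service
                port:
                  number: 80
```

The HTTP-01 challenge only succeeds if the host name resolves to the worker nodes' public IPs and port 80 is reachable from the internet, which is why the answer requires public IPs on all workers. While testing, pointing `server` at `https://acme-staging-v02.api.letsencrypt.org/directory` avoids the production rate limits.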