Quick question: in Rancher, is it possible to use Let's Encrypt to sign the k8s TLS certs (etcd, kube-api, etc.)? I have a compliance requirement to sign my k8s environment with a valid trusted CA chain.
1 Answer
1
Yes, it is actually one of the recommended options for the source of the certificate used for TLS termination at the Rancher server:
Let’s Encrypt: The Let’s Encrypt option also uses cert-manager. However, in this case, cert-manager is combined with a special Issuer for Let’s Encrypt that performs all actions (including request and validation) necessary for getting a Let’s Encrypt issued cert.
In the links below you will find a walkthrough showing how to:
This option uses cert-manager to automatically request and renew Let’s Encrypt certificates. This is a free service that provides you with a valid certificate as Let’s Encrypt is a trusted CA.
Please let me know if that helped.

Wytrzymały Wiktor
- I have had trouble getting helm to install but that has been worked out. I plan to attempt the cert-install shortly and will let you know. – grimm-muncha Apr 09 '20 at 16:55
- Ok, looks like I was able to install and set up cert-manager, so your guide worked great. However, it looks like it set up a rancher pod in the env (not sure what benefit that gives us?). I was hoping this will allow LetsEncrypt to create and sign certs for the k8s services such as etcd api and controlplane ports. Is this currently possible? Thanks again – grimm-muncha Apr 15 '20 at 00:34
- If this helps, my implementation of Rancher server/k8s is running in docker containers. – grimm-muncha Apr 15 '20 at 00:56
- @grimm-muncha I think it would be better to provide more details and ask that in a separate question. – Wytrzymały Wiktor Apr 15 '20 at 09:06
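
The "special Issuer for Let's Encrypt" that the answer quotes, written out as cert-manager resources for the certificate used for TLS termination at the Rancher server. This is an added example, not part of the original answer or of the Rancher documentation. It assumes a cert-manager release that serves the `cert-manager.io/v1` API and an ingress controller with class `nginx`; every name, namespace, e-mail address and hostname in it is a placeholder.

```yaml
# Added example. All names, the namespace, the e-mail address and the hostname
# are placeholders (assumptions), not values taken from the page.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production ACME endpoint. The staging endpoint
    # (https://acme-staging-v02.api.letsencrypt.org/directory) is meant for
    # testing and issues certificates that clients do not trust, so it does
    # not satisfy a "valid trusted CA chain" requirement.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com            # expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, keep it secret
    solvers:
      # HTTP-01 validation: Let's Encrypt must be able to reach this hostname
      # from the public internet on port 80 through the ingress.
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: rancher-server-tls
  namespace: rancher-namespace          # placeholder: namespace of the Rancher ingress
spec:
  secretName: rancher-server-tls        # TLS secret the ingress references
  dnsNames:
    - rancher.example.com               # must be a public DNS name you control
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # cert-manager renews automatically; renewBefore sets how long before
  # expiry it starts trying (Let's Encrypt certificates last 90 days).
  renewBefore: 720h
```

After applying, `kubectl describe certificate rancher-server-tls -n rancher-namespace` shows whether the ACME order completed and the certificate is ready.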