This page describes how to enable TLS using Cert-manager and Let's Encrypt tools.
TLS is a protocol for the secure transmission of data based on SSLv3. It offers confidentiality, integrity, and authentication (explanation).
Here we will explain how to enable TLS on FADI services.
Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge (ref).
We will use it to get certificates from a known certificate authority.
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
It will be used to provide certificates to FADI services.
The first step is to enable cert-manager in the values.yaml
file:
cert-manager:
enabled: true
installCRDs: true
If FADI is already deployed (refer here for the installation), type:
helm upgrade fadi <fadi_folder>
else:
helm install fadi <fadi_folder>
It is important to deploy Cert-Manager at this step, the next step will not work otherwise.
This step will create a ClusterIssuer
object wich will get certificates from Let's Encrypt service.
In the values.yaml file, set these values:
clusterIssuer:
enabled: true
prod: false
email: <your e-mail address>
Before upgrading your FADI deployment, you must choose the services on which you want to enable TLS. To do this, under each application section of the values.yaml
file, navigate to the ingressTraefik
part and enable TLS. For the Grafana example:
traefikIngress:
enabled: true
tls: true
host: grafana.test.local
Then, type the following command to upgrade FADI:
helm upgrade fadi <fadi_folder>
Let's suppose that you have created TLS for Grafana, if you type in your browser http://grafana.example.cetic.be, your will get an error. You have to type https://grafana.example.cetic.be to access Grafana in the secure mode.
Now, if you check carefully, you will see that it looks like your connection is not secure. You may even receive a warning message before accessing your app's UI.
That is because the default enabled Let' Encrypt service is a staging service. Staging certificates are valid but not trusted by browsers. It is a good practice to use the staging environment while you are setting up your integration to avoid hitting Let’s Encrypt’s stringent production rate limits.
Once you have successfully acquired a staging certificate, you can migrate to the Let’s Encrypt production servers. (All this third part of documentation has been copied from this site).
First, you have to delete the old ClusterIssuer, Certificates and Secrets. To get them, type:
$ kubectl get clusterissuer
NAME READY AGE
fadi-letsencrypt True 83m
$ kubectl get certificate
NAME READY SECRET AGE
grafana.example.cetic.be True grafana.example.cetic.be 83m
$ kubectl get secret
NAME TYPE DATA AGE
grafana.example.cetic.be kubernetes.io/tls 2 83m
To delete them, type
kubectl delete <resource type> <resource name>
Then, enable the production service of Let's Encrypt. To do that, go to the values.yaml
file under clusterIssuer
section and set prod
to true
:
clusterIssuer:
enabled: true
prod: true
Finaly, upgrade your FADI deployment :
helm upgrade fadi <fadi_folder>