External PKI
This page covers deploying openDesk into an environment with a custom public key infrastructure (PKI), whose certificate authority is usually not part of the public CA chains, or into a local cluster where no ACME challenge can be completed.
Configuration
There are two options to address the use case.
Option 1: Bring Your Own Certificate
This option is useful when you have your own PKI in your environment that is trusted by all clients that should access openDesk.
1. Disable cert-manager.io certificate resource creation:
   certificates:
     enabled: false
2. Enable mounting of self-signed certificates:
   certificate:
     selfSigned: true
3. Create a Kubernetes secret named opendesk-certificates-tls of type kubernetes.io/tls containing either a valid wildcard certificate or a certificate with all required subdomains set as SANs (Subject Alternative Names).
4. Create a Kubernetes secret named opendesk-certificates-ca-tls of type kubernetes.io/tls containing the custom CA certificate as X.509 encoded (ca.crt) and as JKS trust store (truststore.jks).
5. Create a Kubernetes secret named opendesk-certificates-keystore-jks with the key password and the JKS trust store password as its value.
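Before creating opendesk-certificates-tls it is worth checking that the certificate really names every hostname openDesk will serve, because a wildcard covers only one DNS label. The Go program below is an added example and not part of openDesk: UncoveredHosts reports the hostnames a TLS client would reject for a given PEM certificate (the tls.crt value), and constructedCertPEM mints a throw-away self-signed fixture so the check runs offline; the hostnames used are constructed, not openDesk's real subdomain list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// UncoveredHosts parses the leaf certificate in certPEM (the tls.crt value of
// opendesk-certificates-tls) and returns each hostname in hosts that a TLS client
// would reject; wildcards cover one label, so *.example.org misses a.b.example.org.
func UncoveredHosts(certPEM []byte, hosts []string) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt contains no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, h := range hosts {
		if cert.VerifyHostname(h) != nil {
			missing = append(missing, h)
		}
	}
	return missing, nil
}

// constructedCertPEM mints a throw-away self-signed certificate with the given
// SANs so the check runs offline; a real deployment puts the PKI-issued
// certificate into tls.crt instead. Fixture only, so errors are ignored.
func constructedCertPEM(sans []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run UncoveredHosts against the PEM you are about to store and the full list of openDesk hostnames; an empty result means the certificate is usable for step 3.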
Option 2a: Use cert-manager.io with an auto-generated, namespace-based root certificate
This option is useful when you do not have a trusted certificate available and cannot fetch one from Let’s Encrypt. It results in a cert-manager managed root certificate in the namespace you deploy openDesk into.
1. Create a self-signed cert-manager.io ClusterIssuer:
   apiVersion: "cert-manager.io/v1"
   kind: "ClusterIssuer"
   metadata:
     name: "selfsigned-issuer"
   spec:
     selfSigned: {}
2. Enable mounting and creation of self-signed certificates:
   certificate:
     issuerRef:
       name: "selfsigned-issuer"
     selfSigned: true
Option 2b: Use cert-manager.io with a pre-defined/shared root certificate
Use this approach if you want to use a pre-created CA root certificate that can be "shared" (as a copy) between multiple namespaces in a cluster.
1. Create a self-signed cert-manager.io ClusterIssuer the same way as in Option 2a.
2. Create the root certificate, signed by the previously created ClusterIssuer; in the example it is placed into the namespace cert-manager.
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: opendesk-root
     namespace: cert-manager
   spec:
     isCA: true
     commonName: opendesk.eu
     secretName: opendesk-root-cert-secret
     subject:
       organizations: [ "openDesk cluster root certificate organization" ]
     privateKey:
       algorithm: ECDSA
       size: 256
     issuerRef:
       name: selfsigned-issuer
       kind: ClusterIssuer
       group: cert-manager.io
3. Copy this certificate's secret into the/each namespace in which you want to make use of the certificate.
4. Create an issuer in the/each namespace in which you want to make use of the certificate.
The latter two steps are part of the env-start: section within .gitlab-ci.yml.