Alternative letsencrypt challenges and custom provided tls certificates

deployment-configuration/helm/templates/certs/letsencrypt.yaml

@@ -1,16 +1,32 @@
-{{- if and (not .Values.local) (not (not .Values.tls)) }}
+{{- $le := .Values.ingress.letsencrypt }}
+{{- if and (not .Values.local) (not (not .Values.tls)) (ne $le.enabled false) }}
+{{- range $name, $data := $le.secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $name }}
+  namespace: {{ $.Values.namespace }}
+type: Opaque
+stringData:
+{{ toYaml $data | indent 2 }}
+---
+{{- end }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ printf "%s-%s" "letsencrypt" .Values.namespace }}
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
-    email:  {{ .Values.ingress.letsencrypt.email }}
+    email:  {{ $le.email }}
     privateKeySecretRef:
-      name: tls-secret-issuer
+      name: {{ $le.privateKeySecretName | default "tls-secret-issuer" }}
     solvers:
+{{- if $le.solvers }}
+{{ toYaml $le.solvers | indent 4 }}
+{{- else }}
     - http01:
         ingress:
           class: {{ .Values.ingress.ingressClass }}
+{{- end }}
 {{ end }}

deployment-configuration/helm/templates/httproute.yaml

@@ -88,7 +88,7 @@ apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
   name: {{ .Values.ingress.name | quote }}
-  {{- if and (not .Values.local) $tls }}
+  {{- if and (not .Values.local) $tls (ne .Values.ingress.letsencrypt.enabled false) }}
   annotations:
     cert-manager.io/issuer: {{ printf "%s-%s" "letsencrypt" .Values.namespace }}
   {{- end }}

deployment-configuration/helm/templates/ingress.yaml

@@ -70,7 +70,7 @@ metadata:
   name: {{ $appIngressName | quote }}
   annotations:
     kubernetes.io/ingress.class: {{ $.Values.ingress.ingressClass }} # Deprecated by Kubernetes, however still required for GKE
-    {{- if and (not $.Values.local) $tls }}
+    {{- if and (not $.Values.local) $tls (ne $.Values.ingress.letsencrypt.enabled false) }}
     kubernetes.io/tls-acme: 'true'
     cert-manager.io/issuer: {{ printf "%s-%s" "letsencrypt" $.Values.namespace }}
     {{- end }}
@@ -152,7 +152,7 @@ metadata:
   name: {{ printf "%s-proxy" $appIngressName | quote }}
   annotations:
     kubernetes.io/ingress.class: {{ $.Values.ingress.ingressClass }} # Deprecated by Kubernetes, however still required for GKE
-    {{- if and (not $.Values.local) $tls }}
+    {{- if and (not $.Values.local) $tls (ne $.Values.ingress.letsencrypt.enabled false) }}
     kubernetes.io/tls-acme: 'true'
     cert-manager.io/issuer: {{ printf "%s-%s" "letsencrypt" $.Values.namespace }}
     {{- end }}

deployment-configuration/helm/templates/tls-secret.yaml

@@ -1,17 +1,25 @@
-{{- if and .Values.local .Values.tls }}
+{{- $byoMode := or .Values.local (eq .Values.ingress.letsencrypt.enabled false) }}
+{{- if and .Values.tls $byoMode }}
+{{- $certs := default (dict) .Values.ingress.tls.certs }}
+{{- $sharedCrt := $.Files.Get "resources/certs/tls.crt" }}
+{{- $sharedKey := $.Files.Get "resources/certs/tls.key" }}
 {{- range $app := .Values.apps }}
   {{- if or $app.harness.subdomain $app.harness.domain $app.harness.aliases }}
     {{- $appIngressName := default $app.harness.name $app.harness.service.name }}
+    {{- $perApp := default (dict) (index $certs $appIngressName) }}
+    {{- $crt := default $sharedCrt $perApp.crt }}
+    {{- $key := default $sharedKey $perApp.key }}
+    {{- if and $crt $key }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ printf "tls-secret-%s" $appIngressName }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ $.Files.Get "resources/certs/tls.crt" | b64enc | quote }}
-  tls.key: {{ $.Files.Get "resources/certs/tls.key" | b64enc | quote }}
+  tls.crt: {{ $crt | b64enc | quote }}
+  tls.key: {{ $key | b64enc | quote }}
 ---
+    {{- end }}
   {{- end }}
 {{- end }}
 {{- end }}
-

deployment-configuration/helm/values.yaml

@@ -42,8 +42,53 @@ ingress:
   # -- Enables/disables SSL redirect.
   ssl_redirect: true
   letsencrypt:
+    # -- Whether to provision a cert-manager ACME Issuer for Let's Encrypt. Set to
+    # false to use externally provided TLS certificates (e.g. ACM/ALB, commercial
+    # wildcard, internal CA, air-gapped) — the per-app `tls-secret-<name>` Secrets
+    # must then exist in the namespace.
+    enabled: true
     # -- Email for letsencrypt.
     email: cloudharness@metacell.us
+    # -- Name of the Secret cert-manager uses to store the ACME account private key.
+    privateKeySecretName: tls-secret-issuer
+    # -- ACME solvers passed through to the cert-manager Issuer. If empty, defaults to
+    # an http01 solver using `ingress.ingressClass`. Override with one or more dns01
+    # solvers to obtain certificates for non-public domains. See `secrets` below to
+    # declare any credential Secrets referenced by `*SecretRef` here.
+    # Example (Cloudflare):
+    #   solvers:
+    #     - dns01:
+    #         cloudflare:
+    #           apiTokenSecretRef:
+    #             name: cloudflare-api-token
+    #             key: api-token
+    solvers: []
+    # -- Credential Secrets created in the namespace alongside the Issuer. Each entry
+    # becomes a Kubernetes Secret named after the key, with the inner map rendered as
+    # `stringData`. Reference these from `solvers` above. Leave empty if you create
+    # provider credential secrets out-of-band (e.g. with sealed-secrets / external
+    # secrets / `kubectl create secret`).
+    # Example:
+    #   secrets:
+    #     cloudflare-api-token:
+    #       api-token: ${CLOUDFLARE_API_TOKEN}
+    secrets: {}
+  # -- BYO TLS certificates (used when `letsencrypt.enabled` is false, or for local
+  # deployments). Two paths, used together:
+  #   1. File-based shared cert: drop PEM at `resources/certs/tls.crt|key` and it is
+  #      applied to every app that needs TLS.
+  #   2. Per-app overrides: `tls.certs.<appName>.{crt,key}` (PEM strings) materialize
+  #      a `tls-secret-<appName>` of type `kubernetes.io/tls` and override the
+  #      file-based shared cert for that app.
+  # Use `${VAR}` interpolation to keep raw PEM out of committed values files.
+  tls:
+    # -- Map of `<appName>` to `{crt, key}` PEM strings.
+    # Example:
+    #   certs:
+    #     myapp:
+    #       crt: ${MYAPP_TLS_CRT}
+    #       key: ${MYAPP_TLS_KEY}
+    certs: {}
   # -- Default regex segment for routes (used in paths like '/(pattern)').
   path: "/"
   # -- The pathType for the Ingress path. Default is Prefix. For regex paths, set to ImplementationSpecific

docs/README.md

@@ -26,6 +26,7 @@
   - [Send errors to Sentry](./sentry.md)
   - [Use the events queue to send notifications](./notifications.md)
   - [Network policies](./network-policies.md)
+  - [Ingress, domains, proxies and TLS](./ingress-domains-proxies.md)
 - [Writing and running automated tests](./testing.md)
 - [Tutorial: Writing a simple webapp with cloud-harness](./tutorials/simple-date-clock-application.adoc)