Feature Request: Allow configuration of custom certificate and LetsEncrypt via Addon #5

Open
cjohn001 opened this issue Oct 9, 2023 · 7 comments

Comments


cjohn001 commented Oct 9, 2023

Hello @guangbochen
I have seen that the yaml installs cert-manager. In the README you write that the cluster uses a self-signed cert. Is it also possible to configure cert-manager to use lets-encrypt with this chart? And if so, are you aware of a description of how to do it?

Thanks for your help!

Best regards
Christoph


cjohn001 commented Oct 10, 2023

@guangbochen
The addon works by pressing a single button, great! It would be perfect if you could add an additional explanation on how to replace the initial certificate with a self-signed one. I see 3 different certificates in the local cluster and am not sure if I can change them without breaking things, and which one is responsible for what kind of feature. It looks like the certs are CA certs, hence they hold both a private and a public signature and need to be generated as a CA certificate? Which format is required for it, and how could I create a self-signed one?

I have also seen that the chart already installs certmanager. Is there an easy way to use letsencrypt together with the plugin? It would be great if you could provide a description of how this could be done. Thanks for the great addon!

[Screenshot 2023-10-10 17:22:52]


ER-EPR commented Oct 11, 2023

@cjohn001
According to the Rancher documentation:
https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options
You can change the following three settings to obtain a Let's Encrypt SSL certificate.

| Option | Default Value | Description |
|---|---|---|
| ingress.tls.source | "rancher" | string - Where to get the cert for the ingress. - "rancher, letsEncrypt, secret" |
| letsEncrypt.email | " " | string - Your email address |
| letsEncrypt.environment | "production" | string - Valid options: "staging, production" |

To apply those settings you need to edit the addon config yaml: click the three dots to the right of the rancher-vcluster addon and click "Edit YAML". Scroll to the bottom and you will see the configuration for rancher, which you can change to something like the following (for `letsEncrypt.environment: production` you may want to test `letsEncrypt.environment: staging` first):
```yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: rancher
  namespace: kube-system
spec:
  targetNamespace: cattle-system
  repo: https://releases.rancher.com/server-charts/stable/
  chart: rancher
  version: {{ .Values.rancherVersion }}
  set:
    # The chart compares this value case-sensitively; the docs spell it letsEncrypt.
    ingress.tls.source: letsEncrypt
    letsEncrypt.email: "[email protected]"
    letsEncrypt.environment: production
    hostname: {{ .Values.hostname }}
    replicas: 1
    global.cattle.psp.enabled: "false"
    bootstrapPassword: {{ .Values.bootstrapPassword }}
  helmVersion: v3
```
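As an added check, not part of this thread or of the rancher-vcluster addon: the Rancher chart matches `ingress.tls.source` case-sensitively, so a value such as `letsencrypt` is silently treated as "not letsEncrypt" and no ACME issuer is created. The small Python linter below extracts the `spec.set` block from the addon's HelmChart manifest (the manifest text is constructed for the example and deliberately carries the lower-case typo, an empty email and a bad environment) and reports settings that are inconsistent with the option table from the Rancher docs quoted above. It avoids a YAML parser on purpose, because the addon manifest is a Helm template and `{{ .Values.hostname }}` is not valid YAML.

```python
"""Lint the `spec.set` block of the rancher HelmChart manifest in the addon YAML.

Added example, not code from the rancher-vcluster addon or from Rancher.
Valid values are taken from the Rancher Helm chart options documentation:
https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options
"""
import re

# Constructed sample manifest (mirrors the one in the thread, with three
# deliberate mistakes: lower-case source, empty email, invalid environment).
SAMPLE_MANIFEST = """\
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: rancher
  namespace: kube-system
spec:
  targetNamespace: cattle-system
  repo: https://releases.rancher.com/server-charts/stable/
  chart: rancher
  version: {{ .Values.rancherVersion }}
  set:
    ingress.tls.source: letsencrypt
    letsEncrypt.email: ""
    letsEncrypt.environment: prod
    hostname: {{ .Values.hostname }}
    replicas: 1
    global.cattle.psp.enabled: "false"
    bootstrapPassword: {{ .Values.bootstrapPassword }}
  helmVersion: v3
"""

# Case-sensitive option values from the Rancher chart docs.
TLS_SOURCES = {"rancher", "letsEncrypt", "secret"}
LE_ENVIRONMENTS = {"staging", "production"}


def parse_set_block(manifest: str) -> dict:
    """Return the key/value pairs under `set:` as plain strings (quotes stripped)."""
    lines = manifest.splitlines()
    values = {}
    for i, line in enumerate(lines):
        if line.strip() != "set:":
            continue
        set_indent = len(line) - len(line.lstrip())
        for child in lines[i + 1:]:
            if not child.strip():
                continue
            indent = len(child) - len(child.lstrip())
            if indent <= set_indent:
                break  # dedent: end of the set block
            key, _, raw = child.strip().partition(":")
            values[key.strip()] = raw.strip().strip('"').strip("'")
        break
    return values


def lint_tls_settings(values: dict) -> list:
    """Return findings about the TLS-related chart values; empty list means consistent."""
    findings = []
    source = values.get("ingress.tls.source", "rancher")  # chart default
    if source not in TLS_SOURCES:
        for valid in TLS_SOURCES:
            if source.lower() == valid.lower():
                findings.append(
                    f"ingress.tls.source is '{source}'; the chart expects the exact spelling '{valid}'")
                break
        else:
            findings.append(f"ingress.tls.source '{source}' is not one of {sorted(TLS_SOURCES)}")
    # Let's Encrypt needs a contact address and a valid ACME environment.
    # Run these checks whenever letsEncrypt was intended, typo or not.
    if source.lower() == "letsencrypt":
        email = values.get("letsEncrypt.email", "")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            findings.append("letsEncrypt.email is empty or not an email address")
        env = values.get("letsEncrypt.environment", "production")
        if env not in LE_ENVIRONMENTS:
            findings.append(
                f"letsEncrypt.environment '{env}' is not one of {sorted(LE_ENVIRONMENTS)}")
    if not values.get("hostname"):
        findings.append("hostname is missing; a certificate needs a DNS name to be issued for")
    return findings


def lint_manifest(manifest: str) -> list:
    return lint_tls_settings(parse_set_block(manifest))


if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE_MANIFEST) or ["no findings"]:
        print(finding)
```

Run it against the YAML copied out of the addon's "Edit YAML" view before applying it; an empty result means the three Let's Encrypt settings are at least spelled the way the chart expects, which is the first thing to rule out before suspecting the issuer or the certificate renewal itself.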

@cjohn001

Hello @ER-EPR,
thank you very much for taking the time to look at it. I added the attributes as you defined them. Unfortunately, it does not seem to work; no new certificate is issued. In the docs there are descriptions of additional steps required when changing from a custom CA to a public one. Unfortunately, the docs lack a description of what needs to be done in case of switching to letsencrypt.

https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/update-rancher-certificate

Do you know what further steps need to be done? I do not feel comfortable simply deleting the old certificate and hoping that this triggers a renewal.


ER-EPR commented Oct 11, 2023

> Do you know what further steps need to be done? I do not feel comfortable simply deleting the old certificate and hoping that this triggers a renewal.

@cjohn001 Hi,
I disabled the addon, deleted the 5GB vcluster Volume from Harvester, and reinstalled it.
I'm not sure about the update process. But you should at least provide your update log, or your current vcluster-rancher yaml, or your certificates, issuers and cluster issuers under the cert-manager namespace. It should be either that the update never happened to rancher, or that the certificate signed by rancher's private CA hasn't expired yet, so it doesn't trigger a renewal.
Or maybe it's a misspelling in my script; I don't have an environment to test it. For example, perhaps "ingress.tls.source: letsencrypt" should be "letsEncrypt" with a capital E, the same as in the docs.


cjohn001 commented Oct 11, 2023

@ER-EPR Hello,
thanks for the directions. I finally ended up doing it the same way: disable the plugin, remove the volume and reinstall with the letsEncrypt settings. Then things work as expected. I will leave the issue open, as I think it would be a nice feature for the addon to be able to configure letsencrypt and a custom certificate via the addon.

cjohn001 changed the title from "CertManager Configuration" to "Feature Request: Allow configuration of custom certificate and LetsEncrypt via Addon" on Oct 11, 2023
@iosifnicolae2

@cjohn001 - this might help you: #7


miztroh commented Oct 25, 2024

What about using certs from private CAs? I've tried adding attributes to the vcluster YAML and nothing seems to work. Can anyone point me in the right direction or link to some documentation? The general Rancher docs for this don't seem to apply to a Harvester vcluster deployment. Thanks!
