We will need a signed wildcard TLS Certificate for proper function of all platform features. If you have the ability to issue your own signed certificate for a domain you control, please feel free to use it. Otherwise, we provide pre-issued certificates you can use for the workshop, and these instructions will describe how to use them.
VMware employees can access the Domains and Certificates Spreadsheet to reserve a domain. Enter your name in Column D for the domain you want to use for your workshop.
Fetch the external IP address of the Contour ingress:

```shell
kubectl get service envoy -n tanzu-system-ingress
```

You should see output similar to the following:

```
$ kubectl get service envoy -n tanzu-system-ingress
NAME    TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                      AGE
envoy   LoadBalancer   10.0.73.9    4.151.25.22   80:31334/TCP,443:31095/TCP   5d19h
```
Take the value in the "External-IP" column, and enter it into Column E of the worksheet for your domain. Let the instructor know that you've entered it, so that they can update the DNS record.
Create a certificates directory:

```shell
mkdir $WORKSHOP_ROOT/certificates
```
Go to the spreadsheet, and download the certificate (fullchain.pem) and the private key (privkey.pem) in columns B and C for your domain. Copy these two files into the certificates directory you created.
Tip: If you don't have access to the spreadsheet and want to use a self-signed certificate with your own domain, you can run the following command (replace my.example.com with your real domain). The subjectAltName extension is included because browsers no longer accept a certificate whose only identity is its CN:

```shell
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
  -keyout workshopx-privkey.pem -out workshopx-fullchain.pem \
  -subj "/CN=*.my.example.com" \
  -addext "subjectAltName=DNS:*.my.example.com"
```
Now, let's create a secret for this certificate that can be installed onto our cluster. Be sure to replace the filenames in this command with the filenames of your certificate files.

```shell
cd $WORKSHOP_ROOT/certificates
chmod 600 workshopx-privkey.pem
kubectl create secret tls tls -n contour-tls --cert=workshopx-fullchain.pem --key=workshopx-privkey.pem --dry-run=client -o yaml > $WORKSHOP_ROOT/enc/certificate.yaml
```
This manifest contains the private key (kubectl only base64-encodes it, it does not encrypt it), so we need to encrypt it before adding it to our cluster's GitOps repo.

```shell
cd $WORKSHOP_ROOT/enc
export SOPS_AGE_RECIPIENTS=$(age-keygen -y key.txt)
sops --encrypt certificate.yaml > certificate.sops.yaml
```
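As an added example (not part of the workshop materials), here is a small POSIX sh check you can run before `git add`, or wire into a pre-commit hook, that refuses a Secret manifest whose values are not SOPS `ENC[...]` tokens. The function names are my own and the sample manifests it writes are constructed, not real output of the commands above.

```shell
#!/bin/sh
# Added example (not from the workshop): refuse to commit a Kubernetes Secret whose
# values are still plaintext. SOPS turns every value it encrypts into an
# ENC[AES256_GCM,...] token and appends a top-level sops: block, so any scalar
# under data:/stringData: that is not such a token is an unencrypted leak.
# secret_is_encrypted FILE -> returns 0 when safe to commit, 1 when not.
secret_is_encrypted() {
    # No plaintext "kind: Secret": either not a Secret, or SOPS already
    # encrypted the whole document (by default it encrypts "kind" as well).
    grep -q '^kind: *Secret' "$1" || return 0
    # A wrong --encrypted-regex can leave e.g. stringData in the clear next to
    # a sops: block, so check every scalar rather than trusting the block.
    awk '
        /^(data|stringData):/    { in_data = 1; next }
        /^[^ ]/                  { in_data = 0 }
        in_data && /^ +[^ ]+: */ {
            val = $0; sub(/^ +[^ ]+: */, "", val)
            if (val !~ /^ENC\[/) bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
# Constructed sample manifests; the base64 is the word "constructed", not a key.
write_samples() {
    cat > "$1/plain.yaml" <<'EOF'
kind: Secret
type: kubernetes.io/tls
data:
  tls.crt: Y29uc3RydWN0ZWQ=
  tls.key: Y29uc3RydWN0ZWQ=
EOF
    cat > "$1/partial.yaml" <<'EOF'
kind: Secret
stringData:
  tls.key: Y29uc3RydWN0ZWQ=
sops:
  mac: ENC[AES256_GCM,data:constructed,type:str]
EOF
    cat > "$1/encrypted.yaml" <<'EOF'
kind: ENC[AES256_GCM,data:constructed,type:str]
data:
  tls.key: ENC[AES256_GCM,data:constructed,type:str]
sops:
  mac: ENC[AES256_GCM,data:constructed,type:str]
EOF
}
dir=$(mktemp -d) && write_samples "$dir"
for f in plain partial encrypted; do
    if secret_is_encrypted "$dir/$f.yaml"; then echo "$f: ok"; else echo "$f: refuse"; fi
done
```

Run it against `certificate.sops.yaml` before moving the file into the repo; the `partial` case is what a misconfigured `--encrypted-regex` produces and is the one a plain "does it have a sops block" check misses.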
Let's create a general folder in our GitOps repo for Kubernetes resources that we want to sync to our workshop cluster, and copy our SOPS-encrypted certificate secret there.

```shell
cd $WORKSHOP_ROOT
mkdir workshop-clusters/clusters/workshop/cluster-config/config/general
mv enc/certificate.sops.yaml workshop-clusters/clusters/workshop/cluster-config/config/general
```
We will copy some additional resources we want to deploy into this general folder: the contour-tls namespace where our certificate secret will live, and a TLSCertificateDelegation resource that instructs Contour to use this wildcard certificate to terminate HTTPS requests to the TAP cluster:

```shell
cp tap-gitops-workshop/templates/ingress/* workshop-clusters/clusters/workshop/cluster-config/config/general
```
Update your `$WORKSHOP_ROOT/workshop-clusters/clusters/workshop/cluster-config/values/tap-values.yaml` file:

- Set the `shared.ingress_domain` field to your wildcard domain.
- Update your `cnrs` configuration so that your workloads will be assigned a DNS name inside the wildcard domain.
- Point `tap_gui` at the TLS certificate we installed.

```yaml
shared:
  ingress_domain: workshop999.tap-pilot.com # change this to your domain
cnrs:
  default_tls_secret: contour-tls/tls
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}" # this is a go-template
tap_gui:
  tls:
    namespace: contour-tls
    secretName: tls
```
Let's commit the changes to our GitOps repo, causing them to sync to our cluster.

```shell
cd $WORKSHOP_ROOT/workshop-clusters
git add . && git commit -m "Add TLS Ingress"
git push -u origin main
```
If you don't want to wait for the sync polling interval, you can trigger the sync directly using:

```shell
kctrl app kick -n tanzu-sync -a sync --yes
```
From your browser, navigate to https://tap-gui.<ingress_domain> and verify you can see the TAP GUI.