Certificates
This page describes the two ways the h8lio platform provides to manage the TLS certificates that secure your ingress routes (https scheme):
Traefik
Traefik integrates TLS certificate management, and we provide a `default` certificate resolver based on the LetsEncrypt HTTP-01 challenge that can be used in your routes.
🟢 Pros:
- Simplest solution to secure your routes, as it is transparently managed by the Traefik proxy and the provided `default` certificate resolver.
🔴 Cons:
- Little control over your certificates, as they are managed internally by Traefik using our `default` certificate resolver
- Risk of hitting the LetsEncrypt rate limits if you create many routes at once, or if your route configuration is wrong and the LetsEncrypt challenge fails several times (see Best practices)
- The LetsEncrypt HTTP-01 challenge does not allow wildcard certificates
Usage
Here is an example of how to use the `default` certificate resolver within a Traefik IngressRoute.
This example also shows how to redirect HTTP traffic to the HTTPS entry point using a Middleware:
That’s it! Traefik is doing all the certificate generation and renewal processes internally.
The API group will change in Traefik 3+ from `traefik.containo.us/v1alpha1` to `traefik.io/v1alpha1`. You may start using the new group, but pay attention to the `CustomResourceDefinition` when you retrieve your resources (there are two `IngressRoute` definitions).
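The manifests below are an added example (not the page's own, missing, snippet) of the pattern described above: a Middleware that redirects HTTP to HTTPS, an HTTP route that applies it, and an HTTPS route that lets the `default` certificate resolver obtain and renew the certificate. The entry point names `web` and `websecure`, the host `app.example.com` and the service `app` are assumptions.

```yaml
# Middleware that answers every plain-HTTP request with a redirect to HTTPS
apiVersion: traefik.containo.us/v1alpha1   # traefik.io/v1alpha1 on Traefik 3+
kind: Middleware
metadata:
  name: redirect-to-https
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# HTTP route: its only job is to redirect to the HTTPS entry point
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-http
spec:
  entryPoints:
  - web                     # assumption: name of the HTTP entry point
  routes:
  - match: Host(`app.example.com`)
    kind: Rule
    middlewares:
    - name: redirect-to-https
    services:
    - name: app             # constructed backend service
      port: 80
---
# HTTPS route: certResolver "default" makes Traefik request and renew the
# certificate for app.example.com through the LetsEncrypt HTTP-01 challenge
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-https
spec:
  entryPoints:
  - websecure               # assumption: name of the HTTPS entry point
  routes:
  - match: Host(`app.example.com`)
    kind: Rule
    services:
    - name: app
      port: 80
  tls:
    certResolver: default   # the platform-provided resolver
```

Deploy the backend service first and check it answers before applying the HTTPS route, otherwise a failing challenge counts against the LetsEncrypt rate limits.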
Best practices
To facilitate the TLS challenge and avoid the LetsEncrypt rate limits, follow these recommendations:
- (required) The backend service has to be up and running and able to answer the LetsEncrypt challenge with a 200 HTTP status code before you deploy the secured route (you can check that your service is running with `kubectl port-forward service...`).
- (mandatory) If you are using your own domain, make sure the routes are redirected to edge.h8l.io (CNAME record to edge.h8l.io, or A record to the load-balanced IP of edge.h8l.io) and that DNS propagation is complete (LetsEncrypt may perform the HTTP-01 challenge from the US).
- If your route rules are complex, you can help Traefik resolve the hosts to challenge by specifying the TLS domains.
- You can group your routes in a single `IngressRoute` and/or in a single `match:` with Host(`a.b.com`,...,`c.b.com`) to help Traefik resolve the hosts and limit the number of challenges and
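As an added example (not from the original page) of the last two recommendations, the IngressRoute below groups several hosts in one `match:` and declares the TLS domains explicitly, so the resolver requests a single certificate covering all names instead of guessing them from each rule. The hostnames, service names and the `websecure` entry point are assumptions.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: grouped-routes
spec:
  entryPoints:
  - websecure                 # assumption: name of the HTTPS entry point
  routes:
  # One match for several hosts instead of one IngressRoute per host
  - match: Host(`a.example.com`, `b.example.com`, `c.example.com`)
    kind: Rule
    services:
    - name: frontend          # constructed backend service
      port: 80
  # A regexp-based rule: Traefik cannot derive a concrete host to
  # challenge from it, which is why tls.domains is declared below
  - match: HostRegexp(`{sub:[a-z0-9]+}.api.example.com`) && PathPrefix(`/v1`)
    kind: Rule
    services:
    - name: api
      port: 8080
  tls:
    certResolver: default     # the platform-provided resolver
    # Explicit list of names to put on the certificate: one challenge
    # per name here, none for names Traefik would otherwise have to infer
    domains:
    - main: a.example.com
      sans:
      - b.example.com
      - c.example.com
      - v1.api.example.com    # the concrete host served by the regexp rule
```

Every name in `domains` must already resolve to edge.h8l.io before the route is applied, since each one is challenged by LetsEncrypt.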
Cert-Manager
h8lio integrates cert-manager to manage your certificates. It gives you more control over your certificates and lets you share them between multiple Kubernetes resources.
The cert-manager h8lio integration is quite recent (`alpha` stage). All feedback is welcome.
🟢 Pros:
- Fine-grained management of your certificates
- Provide your own certificate issuers or self-signed certificates
- Possibility to use the cert-manager command line tool
- Wildcard certificate management using the LetsEncrypt DNS-01 challenge, which also avoids the LetsEncrypt rate limits if you have many secured routes to create (during a migration, for example)
- Easy integration within your Traefik `IngressRoutes`
🔴 Cons:
- More complex to use compared to the integrated Traefik certificate resolver
- You become the manager of your certificates
- External management of the DNS-01 challenge provider
For now, we have deployed only the OVH challenge provider. If you need another supported provider, or want to add your own provider, let us know by opening a ticket or by emailing us at hello@h8l.io.
Usage
The following example shows how to create and use a wildcard certificate with cert-manager and the LetsEncrypt DNS-01 challenge on an OVH-managed domain.
- Create a secret holding the OVH API credentials in the cluster where you want to use the certificate:
Replace the `<...>` placeholders with the values of your choice.
You can use sealed-secrets if you want to store the secret securely outside of the h8lio Kubernetes cluster (for example, in a Git repository).
- Create your cert-manager `Issuer` using LetsEncrypt and the OVH challenge provider:
Once the `Issuer` manifest has been applied to your cluster, you can check the events and `status:` of the `cert-manager.io/v1` `Issuer` custom resource to validate its configuration and its readiness.
It should look like:
- Create the cert-manager `Certificate`'s secret using the previous `Issuer`; this secret will be used in the `IngressRoutes`:
Once the `Certificate` manifest has been applied to your cluster, you can check the events and `status:` of the `cert-manager.io/v1` `Certificate` custom resource to validate its configuration and its readiness.
This operation can take a few seconds while cert-manager internally creates all the resources involved in the DNS-01 challenge process, ending with the secret that contains the new certificate. It should look like:
If the certificate generation process is successful, you should see your `ovh-<domain>-cert` secret with the two TLS file entries:
- Use your certificate secret in your Traefik `IngressRoutes` (as many times as you need):
No LetsEncrypt challenge is done by Traefik when you deploy this secured route, as it has already been done and is managed by cert-manager (which also avoids the LetsEncrypt rate limits).
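The three manifests below are an added example (not the page's own snippets) covering the Issuer, Certificate and IngressRoute steps above. They assume the `ovh-credentials` Secret from the first step stores the application secret under the key `applicationSecret`, that the HTTPS entry point is named `websecure`, and that `example.com` and the service `app` are constructed; the DNS-01 `webhook` solver layout follows the common cert-manager-webhook-ovh format and is an assumption, so take the `groupName` and the `<...>` values from the provider deployed on the platform and from your own OVH API keys.

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-ovh
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com              # constructed ACME account contact
    privateKeySecretRef:
      name: letsencrypt-ovh-account     # ACME account key, generated by cert-manager
    solvers:
    - dns01:
        webhook:
          groupName: <ovh-webhook-group-name>   # assumption: fixed by the webhook deployment
          solverName: ovh
          config:
            endpoint: ovh-eu
            applicationKey: <ovh-application-key>
            applicationSecretRef:       # the Secret created in the first step
              name: ovh-credentials
              key: applicationSecret
            consumerKey: <ovh-consumer-key>
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ovh-example-com-cert
spec:
  secretName: ovh-example-com-cert      # tls.crt and tls.key are written here
  issuerRef:
    name: letsencrypt-ovh               # kind defaults to Issuer
  dnsNames:
  - example.com
  - "*.example.com"                     # wildcard: only possible with DNS-01
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-https
spec:
  entryPoints:
  - websecure                           # assumption: name of the HTTPS entry point
  routes:
  - match: Host(`app.example.com`)      # covered by *.example.com
    services:
    - name: app
      port: 80
  tls:
    secretName: ovh-example-com-cert    # no certResolver: Traefik runs no challenge
```

Apply the manifests in this order and wait for the Certificate to report Ready before creating the route; a route pointing at a secret that does not exist yet is served with Traefik's default certificate until the secret appears.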
*.namespace.h8l.io certificates
If not already present, you may want to create an `h8lio-tls` secret holding the certificate for the routes `*.<domain-cluster>.h8l.io`:
Replace `<domain-cluster>` with your namespace and apply this manifest.
After a few seconds (check the Certificate events/status), the `h8lio-tls` secret should be generated and can be used in your ingress routes' `tls:` configuration:
Remember to change your pipelines and/or Helm chart to use the new TLS configuration.
If you are using the secret name, don't mix your domain's route rules with the h8l.io ones. The generated certificate will only work for the specified h8l.io `dnsNames`.