Issuing LetsEncrypt Certificates using (OpenShift) Cert Manager Operator
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "swghosh@redhat.com"
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - dns01:
        route53:
          accessKeyID: <AWS_ACCESS_KEY_ID>
          hostedZoneID: <ROUTE53_HOSTED_ZONE_ID>
          region: us-east-1
          secretAccessKeySecretRef:
            name: "aws-secret"
            key: "awsSecretAccessKey"
      selector:
        dnsNames:
        - 'cert-hello.devcluster.openshift.com'
---
apiVersion: v1
kind: Secret
metadata:
  name: "aws-secret"
type: Opaque
data:
  # values under `data` must be base64-encoded
  awsSecretAccessKey: <AWS_SECRET_ACCESS_KEY>
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-hello-tls
spec:
  isCA: false
  commonName: "cert-hello.devcluster.openshift.com"
  secretName: cert-hello-tls-cert
  dnsNames:
  - "cert-hello.devcluster.openshift.com"
  issuerRef:
    name: letsencrypt
    kind: Issuer
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-hello-server-js-script
  namespace: default
data:
  server.js: |-
    const https = require('https');
    const fs = require('fs');
    const options = {
      key: fs.readFileSync('/etc/cert/tls.key'),
      cert: fs.readFileSync('/etc/cert/tls.crt')
    };
    https.createServer(options, function (req, res) {
      res.writeHead(200);
      res.end("hello world\n");
    }).listen(8443);
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-hello
  namespace: default
spec:
  selector:
    matchLabels:
      app: cert-hello
  template:
    metadata:
      labels:
        app: cert-hello
    spec:
      volumes:
      - name: server-js-cm
        configMap:
          name: cert-hello-server-js-script
          items:
          - key: server.js
            path: server.js
      - name: tls-secret
        secret:
          secretName: cert-hello-tls-cert
      securityContext:
        runAsUser: 999
      containers:
      - name: cert-hello
        image: node:alpine
        command:
        - "node"
        - "/src/server.js"
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          runAsNonRoot: true
          capabilities:
            drop:
            - "ALL"
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: server-js-cm
          mountPath: /src/server.js # This should be your final destination
          subPath: server.js
        - name: tls-secret
          mountPath: /etc/cert
---
apiVersion: v1
kind: Service
metadata:
  name: cert-hello
  namespace: default
spec:
  selector:
    app: cert-hello
  ports:
  - port: 443
    targetPort: 8443
```
```yaml
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: tls-apps
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    # the referenced Secret must exist in the openshift-ingress namespace
    name: cert-hello-tls-cert
  domain: "tls-apps.devcluster.openshift.com"
  replicas: 2
```


The Kubernetes manifests above issue Let's Encrypt TLS certificates for use with a sample Node.js HTTPS web app. In this example, the cert-manager operator obtains certificates from Let's Encrypt using ACME DNS-01 validation (via the Route 53 solver) instead of HTTP-01 validation. Web traffic to the sample Node.js website is encrypted with TLS, and no Kubernetes Ingress is used in this example.
