Shipmight integrates with Cert-Manager for:
- automating SSL certificates for domains
Cert-Manager is included as an optional dependency of the Shipmight stack.
How it works
Cert-Manager watches for any Kubernetes Ingresses with the annotation
Shipmight can add this annotation (along with a tls configuration) to Ingresses that are created when users create domains in Shipmight UI. Also, Shipmight UI will show the status of the SSL certificate if an issuer is linked to a domain.
To install Cert-Manager, which is included in the Shipmight stack but disabled by default, set cert-manager.enabled=true:
helm upgrade shipmight shipmight/shipmight-stack \
  --set cert-manager.enabled=true
In addition to enabling Cert-Manager, you must create a ClusterIssuer. Here's an example Let's Encrypt issuer (make sure to fill in your own email address):
echo "
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: acme
  labels:
    cert-manager-issuer.shipmight.com/id: acme
  annotations:
    cert-manager-issuer.shipmight.com/name: \"Let's Encrypt\"
spec:
  acme:
    email: firstname.lastname@example.org
    # A) Let's Encrypt STG server for testing:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # B) Let's Encrypt PROD server
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
" | kubectl apply -f -
Some notes about the issuer:
- Note the label cert-manager-issuer.shipmight.com/id. This label marks the issuer as discoverable by Shipmight.
- With the optional annotation cert-manager-issuer.shipmight.com/name you can customize the issuer name if it is shown in Shipmight UI at some point.
- For different types of issuers (e.g. wildcard issuers which require dynamic DNS configurations), see Issuer Configuration in the Cert-Manager documentation.
If a ClusterIssuer with the cert-manager-issuer.shipmight.com/id label exists in the cluster, Shipmight will automatically associate with it. No other configuration is needed.
At the time of writing, only 1 issuer can be associated with Shipmight at a time. Support for associating more issuers is an upcoming feature. Users will be able to choose from the available issuers when creating a domain.
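A check over the output of kubectl get clusterissuers -o json for the points above, as an added example that is not Shipmight's own code: it finds the issuers carrying the Shipmight id label, flags more than one, and flags an issuer still pointing at the Let's Encrypt staging server or still using the example email. The function name audit_issuers, the sample data, and the choice to treat an @example.org address as a placeholder are assumptions made for illustration.

```python
import json

SHIPMIGHT_ID_LABEL = "cert-manager-issuer.shipmight.com/id"  # label named on this page
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"


def audit_issuers(kubectl_json: str) -> list:
    """Return findings for the JSON printed by `kubectl get clusterissuers -o json`."""
    items = json.loads(kubectl_json).get("items", [])
    linked = [i for i in items
              if SHIPMIGHT_ID_LABEL in (i.get("metadata", {}).get("labels") or {})]
    findings = []
    if not linked:
        findings.append("no ClusterIssuer carries the Shipmight id label")
    if len(linked) > 1:
        names = ", ".join(i["metadata"]["name"] for i in linked)
        findings.append(f"more than one labelled issuer: {names}")
    for issuer in linked:
        name = issuer["metadata"]["name"]
        acme = issuer.get("spec", {}).get("acme")
        if acme is None:
            continue  # non-ACME issuer types are outside this check
        if acme.get("server") == LE_STAGING:
            findings.append(f"{name}: staging ACME server, certificates are not browser-trusted")
        email = acme.get("email", "")
        # Assumption: an @example.org address means the sample was applied unedited.
        if not email or email.endswith("@example.org"):
            findings.append(f"{name}: placeholder or missing contact email")
        if not (acme.get("privateKeySecretRef") or {}).get("name"):
            findings.append(f"{name}: no privateKeySecretRef for the ACME account key")
    return findings


# Constructed sample: the issuer from this page applied as-is, plus an unlabelled CA issuer.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "acme", "labels": {SHIPMIGHT_ID_LABEL: "acme"}},
     "spec": {"acme": {"email": "firstname.lastname@example.org",
                       "server": LE_STAGING,
                       "privateKeySecretRef": {"name": "acme-account-key"}}}},
    {"metadata": {"name": "internal-ca"}, "spec": {"ca": {"secretName": "ca-key-pair"}}},
]})

if __name__ == "__main__":
    for finding in audit_issuers(SAMPLE):
        print(finding)
```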
Follow the official documentation to uninstall Cert-Manager and related resources and CRDs. In the section "Uninstalling with Helm", substitute helm --namespace cert-manager delete cert-manager with:
helm upgrade shipmight shipmight/shipmight-stack \
  --set cert-manager.enabled=false