Certificates
Cert-Manager
Currently, using cert-manager (either the microk8s addon or raw manifests) did not work; it fails for a reason not yet identified. The temporary decision is to set up TLS certificates manually with certbot.
Certbot
First, install certbot:
sudo apt install certbot
Then run the following (replace the email address and domain name with the actual ones):
sudo certbot certonly --manual \
--preferred-challenges dns \
--email email@example.com \
--agree-tos \
-d domain.name -d "*.domain.name" -d "*.subdomain.domain.name"
Follow the instructions: the DNS challenge requires adding a TXT record for the _acme-challenge subdomain with the token certbot shows. Wait for the record to propagate (monitor it with the Google dig tool certbot links to).
NOTE: This certbot command creates a certificate for domain.name and, via the wildcard, for its direct subdomains. A wildcard covers only one label, so a subdomain of a subdomain, for example *.staging.domain.name, needs a second certbot run with that wildcard and its own secrets. Refer to values.yaml to see how those secrets are named (or adjust the names to your needs and update values).
After the success message, create a secret (replace domain.name with the actual domain):
kubectl create secret tls tls-secret-letsencrypt \
--cert=/etc/letsencrypt/live/domain.name/fullchain.pem \
--key=/etc/letsencrypt/live/domain.name/privkey.pem
Right now there are 3 certificate pairs across the whole infrastructure: one for staging, one for production, and a third for the odd combination of staging.upmini.app, *.s3.staging.upmini.app and *.s3.upmini.app.
TODO: get rid of the third one and keep only 2 certificate pairs (staging and production). Ideally, fix the issues with cert-manager.
Also note that while argocd and grafana use the same certificate pairs as the default namespace, Kubernetes secrets are namespaced, so a copy of the secret must be created in each of their namespaces; refer to values.yaml for the names.
Then apply the changes:
helm upgrade --install app app
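The two points that bite in the procedure above are the one-label wildcard rule (why *.staging.domain.name needs its own certbot run) and the per-namespace secret copies for argocd and grafana. The script below is an added example, not part of this runbook or the chart; it checks which hostnames a certificate's SAN list leaves uncovered, and wraps the secret creation so the same secret lands in every namespace and is replaced cleanly after renewal. It assumes the certbot live directory layout /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem; the hostnames and the namespace names argocd and monitoring are constructed placeholders.

```sh
#!/bin/sh
# Added example for the certbot + kubectl secret procedure (not project code).
# Assumes certbot's /etc/letsencrypt/live/<domain>/ layout; hostnames and
# namespace names below are constructed placeholders.

# san_covers PATTERN HOST: does one SAN entry cover HOST?
# A wildcard matches exactly one DNS label, so "*.domain.name" covers
# "api.domain.name" but neither "domain.name" nor "api.staging.domain.name".
san_covers() {
  pattern=$1; host=$2
  case $pattern in
    \*.*)
      suffix=${pattern#\*.}
      case $host in
        *.$suffix)
          prefix=${host%.$suffix}
          case $prefix in
            *.*|"") return 1 ;;   # more than one label, or empty: not covered
            *) return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *)
      [ "$pattern" = "$host" ] ;;   # non-wildcard SAN: exact match only
  esac
}

# covered HOST SAN...: succeed if any SAN entry covers HOST
covered() {
  hst=$1; shift
  for san in "$@"; do
    san_covers "$san" "$hst" && return 0
  done
  return 1
}

# uncovered "SAN1 SAN2 ..." "host1 host2 ...": print, one per line, the hosts
# that no SAN covers. Run this before deciding whether a second certbot run
# with a deeper wildcard (e.g. "*.staging.domain.name") is needed.
uncovered() {
  sans=$1; hosts=$2
  set -f   # disable pathname expansion: SAN entries contain '*'
  for h in $hosts; do
    # shellcheck disable=SC2086
    covered "$h" $sans || echo "$h"
  done
  set +f
}

# make_tls_secret NAME DOMAIN NAMESPACE...: create or update the TLS secret
# from certbot's live directory in each namespace. Secrets are namespaced,
# so argocd and grafana need their own copy; dry-run + apply makes the call
# idempotent, so re-running after renewal replaces the old certificate.
make_tls_secret() {
  name=$1; domain=$2; shift 2
  live=/etc/letsencrypt/live/$domain
  for ns in "$@"; do
    kubectl -n "$ns" create secret tls "$name" \
      --cert="$live/fullchain.pem" --key="$live/privkey.pem" \
      --dry-run=client -o yaml | kubectl -n "$ns" apply -f -
  done
}

# Constructed example: the page's wildcard set leaves the deeper subdomain
# uncovered, which is exactly the case the NOTE above describes.
uncovered "domain.name *.domain.name" "api.domain.name api.staging.domain.name"

# Usage on the cluster (needs kubectl and the certbot output in place):
#   make_tls_secret tls-secret-letsencrypt domain.name default argocd monitoring
```

The coverage check is plain string logic and runs anywhere; make_tls_secret is the only part that talks to the cluster. Adjust the secret name and namespace list to what values.yaml expects.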