External ingress
We support adding external ingresses for domains that others control, using cert-manager. This is easily done by adding a CNAME record pointing to an ingress we control. Read more about delegated domains for dns01 at cert-manager.io/docs.

Below are the steps we need to take to get this working.
Getting external ingress up and running
I'm going to use detsombetyrnoe.no as an example.

- Ask the secops team to add a DNS record pointing the domain to our external load balancer (prod-gcp: 34.102.211.240).
- Ask the secops team to add the following `_acme-challenge` record to the domain:
- Create a Kubernetes `Issuer`:

  ```yaml
  apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    name: detsombetyrnoe-no
    namespace: nais-system
  spec:
    acme:
      email: frode.sundby@nav.no
      preferredChain: ISRG Root X1
      privateKeySecretRef:
        name: cloud-nais-io-account-key
      server: https://acme-v02.api.letsencrypt.org/directory
      solvers:
        - selector:
            dnsZones:
              - detsombetyrnoe.no
          dns01:
            cnameStrategy: Follow
            cloudDNS:
              hostedZoneName: intern-nav-no
              project: nais-prod-020f
  ```

  You can use the `dnsNames` selector instead of `dnsZones` if you don't have subdomains, or if you want to be explicit.
- Then create a Kubernetes `Certificate`:
- After the certificate has been issued by Let's Encrypt, you need to notify `loadbalancer` about your certificate secret, `wc-detsombetyrnoe-no-tls`. Go to Fasit > Your env > loadbalancer, and add your secret name to the `Certificates` list.
- Then you need to inform `Naiserator` about the new ingress, `detsombetyrnoe.no`. Go to Fasit > Your env > Naiserator, and add your secret name to the `Extra external hosts` list.
- Ask the user to add their new ingress to their `nais.yaml`.
- Success?
Subdomains? Yeah, but manually...
This solution also supports subdomains, but we need the secops team to add a `_acme-challenge` record for each subdomain.

PS: Make sure there is no CAA record with the `issuewild` tag naming another issuer!