Our solution leverages cert-manager to generate valid SSL certificates. Cert-manager was deployed automatically into the management cluster, but it is an optional component for workload clusters. Use this script to deploy cert-manager into the cluster using TKG packages.

```bash
./scripts/deploy-cert-manager.sh $(yq e .shared-services-cluster.name $PARAMS_YAML)
```

Generate and apply the Contour configuration. We specifically set type=LoadBalancer for the Envoy service. Use the script to apply the manifests.

```bash
./scripts/generate-and-apply-contour-yaml.sh $(yq e .shared-services-cluster.name $PARAMS_YAML)
```

Once it is deployed, you can see all pods Running and the load balancer up.

```bash
kubectl get pod,svc -n tanzu-system-ingress
```

Just as we did for the management cluster, we will leverage external-dns for Kubernetes-managed DNS updates. The same DNS provider will be used.

Execute the script below to deploy external-dns and to apply the annotation to the Envoy service.

```bash
./scripts/generate-and-apply-external-dns-yaml.sh $(yq e .shared-services-cluster.name $PARAMS_YAML)
```

Prepare the YAML manifests for the Contour cluster issuer. The manifests will be written to generated/$CLUSTER_NAME/contour/ in case you want to inspect them. It is assumed that if your IaaS is AWS, you will use the http challenge type, and if your IaaS is vSphere, you will use the dns challenge type, since that environment is not internet facing.

```bash
./scripts/generate-and-apply-cluster-issuer-yaml.sh $(yq e .shared-services-cluster.name $PARAMS_YAML)
```

Check that the ClusterIssuer is valid:

```bash
kubectl get clusterissuer letsencrypt-contour-cluster-issuer -o yaml
```

Look for the status to be Ready: True.
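The two points above, the http-versus-dns challenge choice per IaaS and the Ready: True check, as an added example that is not part of the lab's scripts. It builds the ClusterIssuer manifest the way cert-manager expects it (an ACME issuer with an `http01` solver routed through the Contour ingress class for AWS, or a `dns01` solver for vSphere) and reads the issuer's Ready condition from `kubectl get clusterissuer ... -o json` output. The issuer name is the one on the page; the e-mail, the route53 dns01 provider, the region and the hosted-zone placeholder are assumptions, and the sample JSON documents are constructed, not captured from a cluster.

```python
"""Build a cert-manager ClusterIssuer for the IaaS in use and check its Ready
condition. Added example, not the lab's own generator script; assumptions are
marked in comments."""
import json

ACME_PROD = "https://acme-v02.api.letsencrypt.org/directory"
ACME_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"


def build_cluster_issuer(iaas, email, name="letsencrypt-contour-cluster-issuer",
                         staging=False, hosted_zone_id="HOSTED_ZONE_ID_PLACEHOLDER"):
    """Return the ClusterIssuer manifest as a dict.

    AWS: http01 solver. Envoy is internet facing, so the ACME server can reach
    the challenge path that cert-manager publishes through Contour.
    vSphere: dns01 solver. The cluster is not internet facing, so the proof is
    a TXT record instead of an inbound HTTP request. The route53 provider and
    region here are assumptions; use the provider external-dns was given.
    """
    if iaas == "aws":
        solver = {"http01": {"ingress": {"class": "contour"}}}
    elif iaas == "vsphere":
        solver = {"dns01": {"route53": {"region": "us-east-1",
                                        "hostedZoneID": hosted_zone_id}}}
    else:
        raise ValueError(f"unsupported IaaS: {iaas}")
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "ClusterIssuer",
        "metadata": {"name": name},
        "spec": {"acme": {
            # Staging has lenient rate limits; switch to prod once it works.
            "server": ACME_STAGING if staging else ACME_PROD,
            "email": email,
            "privateKeySecretRef": {"name": f"{name}-account-key"},
            "solvers": [solver],
        }},
    }


def issuer_ready(kubectl_json):
    """Parse `kubectl get clusterissuer <name> -o json` output.

    Returns (ready, message). Only the condition of type Ready is consulted;
    an issuer with no status yet (just created, or ACME account registration
    still pending) is reported as not ready instead of raising.
    """
    obj = json.loads(kubectl_json)
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition reported yet"


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_READY = json.dumps({
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-contour-cluster-issuer"},
    "status": {"conditions": [{
        "type": "Ready", "status": "True", "reason": "ACMEAccountRegistered",
        "message": "The ACME account was registered with the ACME server"}]},
})
SAMPLE_FAILED = json.dumps({
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-contour-cluster-issuer"},
    "status": {"conditions": [{
        "type": "Ready", "status": "False", "reason": "ErrRegisterACMEAccount",
        "message": "Failed to register ACME account: connection refused"}]},
})
SAMPLE_PENDING = json.dumps({"kind": "ClusterIssuer",
                             "metadata": {"name": "letsencrypt-contour-cluster-issuer"}})

if __name__ == "__main__":
    print(json.dumps(build_cluster_issuer("vsphere", "ops@example.test"), indent=2))
    for sample in (SAMPLE_READY, SAMPLE_FAILED, SAMPLE_PENDING):
        print(issuer_ready(sample))
```

If the condition comes back False, the `message` field usually names the failing step (account registration, solver, or DNS propagation), which is a better starting point than the `kubectl get` one-liner alone.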