GAP Documentation

DNS challenge for TLS

Please note this document is deprecated. Reach out to the GAP team if you want to set up DNS challenges.

Introduction

To use the DNS challenge, you need to create an Issuer and a Certificate object manually for your domain so that cert-manager can use them. You also need to list these domains in your gap.yaml.

Purpose

This is the solution if one needs a wildcard Let’s Encrypt certificate for their application.

Supported services

Please read about supported services in cert-manager’s official documentation.

Example for Amazon’s Route 53

Creating Issuer object

Place the following Issuer object into a file gap/gap_issuer.yaml.

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: yourdomain-issuer
spec:
  acme:
    email: team-email-address@emarsys.com
    privateKeySecretRef:
      # the secret named below stores the account key registered with the Let's Encrypt ACME API
      name: yourdomain-issuer
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - selector:
        dnsZones:
          - 'yourdomain.com'
      dns01:
        route53:
          region: eu-central-1
          accessKeyID: <Access ID for your domain>
          hostedZoneID: <Zone ID for your domain>
          role: arn:aws:iam::XXXXXXXXXXXX:role/dns-manager
          secretAccessKeySecretRef:
            name: yourdomain-aws-access-key
            key: secret-access-key

Creating Certificate object

Place the following Certificate object into a file gap/gap_certificate.yaml.

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: yourdomain-certificate
spec:
  secretName: <your-app-name>-<your-deployment-name>-tls
  issuerRef:
    name: yourdomain-issuer
  commonName: yourdomain.com
  dnsNames:
    - yourdomain.com
    - "*.yourdomain.com"
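Before applying the two manifests above, a pre-flight check catches the mistakes that most often stall DNS-01 issuance: an issuerRef that does not match the Issuer's name, a dnsName outside the solver's dnsZones, a wildcard name with no dns01 solver, and angle-bracket placeholders left in. This is an added example, not code from the GAP docs or from cert-manager; it restates the page's Issuer and Certificate as Python dicts so it runs without a YAML library.

```python
import re

# Constructed from this page's gap_issuer.yaml and gap_certificate.yaml (role field omitted for brevity).
ISSUER = {"kind": "Issuer", "metadata": {"name": "yourdomain-issuer"}, "spec": {"acme": {
    "server": "https://acme-v02.api.letsencrypt.org/directory",
    "privateKeySecretRef": {"name": "yourdomain-issuer"},
    "solvers": [{"selector": {"dnsZones": ["yourdomain.com"]},
                 "dns01": {"route53": {"region": "eu-central-1",
                                       "accessKeyID": "<Access ID for your domain>",
                                       "hostedZoneID": "<Zone ID for your domain>",
                                       "secretAccessKeySecretRef": {"name": "yourdomain-aws-access-key", "key": "secret-access-key"}}}}]}}}
CERTIFICATE = {"kind": "Certificate", "metadata": {"name": "yourdomain-certificate"}, "spec": {
    "secretName": "<your-app-name>-<your-deployment-name>-tls",
    "issuerRef": {"name": "yourdomain-issuer"},
    "commonName": "yourdomain.com",
    "dnsNames": ["yourdomain.com", "*.yourdomain.com"]}}

def in_zone(name, zone):
    """True if name (wildcard prefix stripped) is the zone itself or a subdomain of it."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == zone or bare.endswith("." + zone)

def placeholders(obj, path):
    """Yield dotted paths of string values that still contain an <angle-bracket> placeholder."""
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else []
    for k, v in items:
        yield from placeholders(v, f"{path}.{k}" if isinstance(obj, dict) else f"{path}[{k}]")
    if isinstance(obj, str) and re.search(r"<[^>]+>", obj):
        yield path

def lint(issuer, cert):
    """Return the problems that would stop cert-manager from issuing (empty list = ready to apply)."""
    findings, spec = [], cert["spec"]
    ref = spec["issuerRef"]
    if ref.get("kind", "Issuer") != issuer["kind"] or ref["name"] != issuer["metadata"]["name"]:
        findings.append("issuerRef does not point at this Issuer")
    dns_solvers = [s for s in issuer["spec"]["acme"].get("solvers", []) if "dns01" in s]
    zones = [z for s in dns_solvers for z in s.get("selector", {}).get("dnsZones", [])]
    names = spec.get("dnsNames", [])
    if any(n.startswith("*.") for n in names) and not dns_solvers:
        findings.append("wildcard dnsNames require a dns01 solver; HTTP-01 cannot issue wildcards")
    if zones:  # a dns01 solver without a dnsZones selector matches any name, so only check declared zones
        findings += [f"{n} is not covered by any dns01 selector.dnsZones entry"
                     for n in names if not any(in_zone(n, z) for z in zones)]
    if spec.get("commonName") and spec["commonName"] not in names:
        findings.append("commonName should also be listed in dnsNames")
    findings += [f"{p} still holds a placeholder" for p in placeholders(issuer, "issuer")]
    findings += [f"{p} still holds a placeholder" for p in placeholders(cert, "certificate")]
    return findings
```

Run `lint(ISSUER, CERTIFICATE)` on the page's manifests as written and it reports only the three placeholders that still have to be filled in; once those are replaced, an empty list means the pair is consistent.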

Setting up Ingress

After creating these resources, your issued certificate and private key will be stored in the secret named <your-app-name>-<your-deployment-name>-tls. This will be automatically used for the deployment with the same name if you have set it up in gap.yaml like the example below.

If your app is meshed, you also need a virtual service:

# gap.yaml
deployments:
  web:
    ingress:
      enabled: true
      useCustomVirtualService: true

# gap/gap_virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp-web
spec:
  hosts:
  - yourdomain.com
  - "*.yourdomain.com"
  http:
  - route:
    - destination:
        host: myapp-web  # name of your Service; it is the same as your deployment name and is generated by the pipeline