To use certificates issued by Let’s Encrypt on the One Eye login page, complete the following steps.
1. Create a ClusterIssuer YAML file for cert-manager and edit it to suit your environment. One Eye uses this issuer to obtain certificates for Pomerium and Dex.

   Start from the following sample ClusterIssuer custom resource and replace the name of the issuer and the administrator email address with valid values.

       apiVersion: cert-manager.io/v1
       kind: ClusterIssuer
       metadata:
         name: <name-of-the-clusterissuer>
       spec:
         acme:
           email: <administrator-email-address>
           preferredChain: ""
           privateKeySecretRef:
             name: one-eye-issuer-account-key
           server: https://acme-v02.api.letsencrypt.org/directory
           solvers:
           - http01:
               ingress:
                 class: one-eye-nginx-external

   The http01 solver only works if the dashboard hostname resolves publicly and port 80 is reachable from the internet through the one-eye-nginx-external ingress class. While testing, point server at the Let's Encrypt staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory) to stay within the production rate limits, then switch back before going live; browsers do not trust staging certificates.

2. Apply the ClusterIssuer:

       kubectl apply -f <clusterissuer.yaml>

3. Check that it was created successfully:

       kubectl get clusterissuers.cert-manager.io

4. Update the Observer custom resource of One Eye: set the spec.certmanager.issuer field to the name of the ClusterIssuer.

       kubectl patch observer one-eye --type merge -p "
       spec:
         certmanager:
           enabled: true
           namespace: cert-manager
           issuer: <name-of-the-clusterissuer>"

5. If you previously configured cert-manager with the default issuer, delete the old Pomerium Certificate and its Secret so that they are re-created with the new issuer:

       kubectl delete certificate one-eye-pomerium-ingress
       kubectl delete secret one-eye-pomerium-ingress

6. Rerun the reconciler to apply the changes and create the new Certificate resource:

       one-eye observer reconcile

7. Wait until cert-manager creates a new secret for Pomerium that contains a Let's Encrypt certificate:

       kubectl get certificate one-eye-pomerium-ingress

   In the output, the READY column should be True.

8. Open the external URL of the One Eye dashboard in your browser and verify that the certificate shown on the login screen is valid.
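The last two steps (waiting for the Certificate to become Ready and checking the certificate on the login screen) can be scripted. The following shell script is an added example, not One Eye or cert-manager code: it polls the Certificate until its Ready condition is True, then fetches the leaf certificate served for the dashboard host with openssl and checks that it was issued by Let's Encrypt (rejecting the staging CA, which browsers do not trust) and that the chain verifies against the local trust store. It assumes kubectl and openssl are on the PATH, that the Certificate lives in the current kubectl context namespace (as the commands above imply), and the dashboard hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of One Eye or cert-manager: script the two final checks
# of the procedure above. Assumes kubectl and openssl on PATH; the Certificate is
# looked up in the current kubectl context namespace.
set -eu

CERT_NAME="${CERT_NAME:-one-eye-pomerium-ingress}"

# Given Certificate conditions as "type=status" lines (the format the jsonpath in
# wait_for_cert prints), succeed only when Ready=True. Issuing=True on its own means
# cert-manager is still working through the HTTP-01 challenge.
cert_ready() {
    printf '%s\n' "$1" | grep -qx 'Ready=True'
}

# Poll cert-manager until the Certificate is Ready or the timeout (seconds) expires.
wait_for_cert() {
    timeout="${1:-300}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        conditions=$(kubectl get certificate "$CERT_NAME" \
            -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}')
        if cert_ready "$conditions"; then
            return 0
        fi
        sleep 10
        elapsed=$((elapsed + 10))
    done
    echo "timed out waiting for Certificate $CERT_NAME; run: kubectl describe certificate $CERT_NAME" >&2
    return 1
}

# Does a PEM certificate carry a Let's Encrypt issuer name? Staging certificates are
# rejected too: their issuer reads "(STAGING) Let's Encrypt" and browsers do not trust them.
pem_issued_by_letsencrypt() {
    issuer=$(printf '%s\n' "$1" | openssl x509 -noout -issuer)
    case "$issuer" in
        *STAGING*) return 1 ;;
        *"Let's Encrypt"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch what the browser will see on the login page: the leaf certificate served for
# the dashboard host (SNI via -servername), then check issuer and chain verification.
check_served_cert() {
    host="$1"
    handshake=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null)
    leaf=$(printf '%s\n' "$handshake" | openssl x509)   # x509 keeps the first PEM block: the leaf
    if ! pem_issued_by_letsencrypt "$leaf"; then
        echo "$host serves a certificate not issued by Let's Encrypt production" >&2
        return 1
    fi
    # s_client reports the trust-store verification result as "Verify return code: N (...)".
    rc=$(printf '%s\n' "$handshake" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ "${rc:-}" != "0" ]; then
        echo "chain verification for $host failed (return code ${rc:-unknown})" >&2
        return 1
    fi
}

# Usage (the dashboard host is a placeholder):
#   wait_for_cert 300 && check_served_cert one-eye.example.com
```

Run it after `one-eye observer reconcile`; a non-zero exit from `wait_for_cert` usually means the HTTP-01 challenge is failing, and `kubectl describe certificate` followed by the related Order and Challenge resources shows why.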