To use certificates issued by Let’s Encrypt on the One Eye login page, complete the following steps. Before you start, make sure that the external hostname of the One Eye Dashboard resolves in public DNS to the external ingress and that the ingress is reachable from the internet on port 80: the HTTP-01 solver configured below serves the ACME challenge over plain HTTP, and Let’s Encrypt’s validation servers must be able to fetch it.

  1. Create a ClusterIssuer YAML file for cert-manager and edit it to suit your environment. One Eye uses this issuer to obtain the certificates for Pomerium and Dex.

    1. Save the following sample ClusterIssuer custom resource to a file and replace the name of the issuer and the administrator email address with valid values. The server field points at the Let’s Encrypt production directory, which enforces issuance rate limits; while you are still testing the setup, point it at the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) instead. Staging certificates are signed by a CA that browsers do not trust, so switch back to the production server (and delete the Certificate and Secret as in step 3 so the certificate is reissued) before the final check. cert-manager stores the ACME account key in the secret named by privateKeySecretRef; for a ClusterIssuer this secret lives in the cert-manager namespace.

      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: <name-of-the-clusterissuer>
      spec:
        acme:
          email: <administrator-email-address>
          preferredChain: ""
          privateKeySecretRef:
            name: one-eye-issuer-account-key
          server: https://acme-v02.api.letsencrypt.org/directory
          solvers:
          - http01:
              ingress:
                class: one-eye-nginx-external
      
    2. Apply the ClusterIssuer:

      kubectl apply -f <clusterissuer.yaml>
      
    3. Check that it was created and that its READY column shows True. If it shows False, cert-manager could not register the ACME account (for example because it cannot reach the server URL); run kubectl describe on the ClusterIssuer to see the reason.

      kubectl get clusterissuers.cert-manager.io
      
  2. Update the Observer custom resource of One Eye: set the observer.spec.certmanager.issuer field to the name of the ClusterIssuer. The namespace field is the namespace where cert-manager runs.

    kubectl patch observer one-eye --type merge -p "
    spec:
      certmanager:
        enabled: true
        namespace: cert-manager
        issuer: <name-of-the-clusterissuer>"
    
  3. If you previously configured cert-manager with the default issuer, delete the old Pomerium Certificate and its Secret as well, so that the new certificate is requested from the ClusterIssuer you created instead of being served from the old secret.

    kubectl delete certificate one-eye-pomerium-ingress
    kubectl delete secret one-eye-pomerium-ingress
    
  4. Rerun the reconciler to apply the changes and create the new certificate resource.

    one-eye observer reconcile
    
  5. Wait until cert-manager creates a new secret for Pomerium that holds a Let’s Encrypt certificate.

    kubectl get certificate one-eye-pomerium-ingress
    

    In the output, the READY column should show True. If it stays False, run kubectl describe certificate one-eye-pomerium-ingress and inspect the CertificateRequest, Order and Challenge resources that cert-manager creates for it. A failed HTTP-01 challenge usually means that the hostname does not resolve to the external ingress or that port 80 is not reachable from the internet.

  6. Open the external URL of the One Eye Dashboard in your browser, and verify that the certificate shown on the login screen is valid: it is issued by Let’s Encrypt, it covers the dashboard’s hostname, and the browser shows no certificate warning.
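The following script bundles the checks from steps 1.3, 5 and 6 into one run. It is an added example, not part of the One Eye documentation or tooling. It assumes the dashboard hostname is passed in the ONE_EYE_HOST environment variable and the ClusterIssuer name in ISSUER (both names are placeholders chosen for this example), that kubectl is pointed at the cluster, and that openssl 1.1.1 or later is installed. The two helper functions at the top only look at text, so they run without a cluster; the cluster and network part runs only when ONE_EYE_HOST is set.

```shell
#!/usr/bin/env bash
# Added example (not One Eye code): post-change checks for the Let's Encrypt setup.
set -u

# Return 0 when an "issuer=..." line from `openssl x509 -noout -issuer` names the
# Let's Encrypt production CA ("O = Let's Encrypt") or staging CA ("O = (STAGING) Let's Encrypt").
issuer_is_letsencrypt() {
  case "$1" in
    *"O = Let's Encrypt"*|*"O=Let's Encrypt"*|*"(STAGING) Let's Encrypt"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when a subjectAltName list such as "DNS:a.example.com, DNS:*.example.com"
# covers HOST. A wildcard matches exactly one label, as browsers require.
san_covers_host() {
  san_list=$1
  host=$2
  host_parent=${host#*.}        # host with its first label removed
  old_ifs=$IFS
  IFS=','
  set -f                        # no pathname expansion of "*.example.com"
  for entry in $san_list; do
    entry=${entry# }            # strip the space that follows each comma
    entry=${entry#DNS:}
    case "$entry" in
      "$host")
        set +f; IFS=$old_ifs; return 0 ;;
      \*.*)
        if [ "$host" != "$host_parent" ] && [ "${entry#\*.}" = "$host_parent" ]; then
          set +f; IFS=$old_ifs; return 0
        fi ;;
    esac
  done
  set +f
  IFS=$old_ifs
  return 1
}

# Wait for the Certificate to become Ready (step 5); on timeout, show where it is stuck.
wait_for_certificate() {
  cert=$1
  if ! kubectl wait --for=condition=Ready "certificate/$cert" --timeout=300s; then
    echo "Certificate $cert is not Ready; cert-manager resources for debugging:" >&2
    kubectl describe "certificate/$cert" >&2
    # HTTP-01 failures (unreachable ingress, wrong DNS) are reported on the Challenge.
    kubectl get certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io >&2
    return 1
  fi
}

# Fetch the certificate Pomerium serves on the login page (step 6) and check that it
# comes from Let's Encrypt, covers the hostname, and chains to a trusted root.
verify_served_certificate() {
  host=$1
  pem=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509) || return 1
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  sans=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName | sed -n 's/^ *DNS:/DNS:/p')
  printf '%s\n' "$issuer"
  printf '%s\n' "$pem" | openssl x509 -noout -dates
  issuer_is_letsencrypt "$issuer" || { echo "issuer is not Let's Encrypt" >&2; return 1; }
  san_covers_host "$sans" "$host" || { echo "certificate does not cover $host" >&2; return 1; }
  # -verify_return_error makes s_client exit non-zero when the chain does not verify
  # against the system trust store; a staging certificate fails here, as it would in a browser.
  openssl s_client -connect "$host:443" -servername "$host" -verify_return_error </dev/null >/dev/null 2>&1 \
    || { echo "chain does not verify against the system trust store (staging issuer?)" >&2; return 1; }
  echo "OK: $host serves a trusted Let's Encrypt certificate"
}

if [ -n "${ONE_EYE_HOST:-}" ]; then
  # Step 1.3: READY status of the ClusterIssuer (ISSUER is a placeholder name).
  kubectl get clusterissuer "${ISSUER:-letsencrypt-prod}" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}{"\n"}'
  wait_for_certificate one-eye-pomerium-ingress
  verify_served_certificate "$ONE_EYE_HOST"
fi
```

Run it as ONE_EYE_HOST=one-eye.example.com ISSUER=<name-of-the-clusterissuer> bash check-one-eye-cert.sh after step 4. The SAN check matters because Pomerium and Dex are reached on different hostnames: a certificate that is Ready in cert-manager can still be the wrong one for the URL you open, and the wildcard rule in san_covers_host mirrors what browsers accept.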