ClusterIssuer. They are used for signing CSRs (certificate requests). The difference between these resources is that
ClusterIssueris non-namespaced and can be used in multiple namespaces:
Issueris used within a single namespace only;
ClusterIssueris a global cluster object.
Issuerresource would look like this:
Certificateresource that determines the issuance (see the
issuerRefsection below) and the location of the private key (the
secretNamefield). Then you need to invoke that key in the Ingress (note the
tlssection in the
Certificateresource. For example, you can use the corporate CA. This way, you will be able to sign certificates issued for your Ingress with a key that is already in use by other server services/information systems.
http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>URL per request of the certification server. Therefore, this method implies the accessibility of Ingress from the outer world via port 80 and the publicity of the domain’s DNS record.
serverfield for our
Issuer. You can replace it with the production one later.
Certificateleads to the emergence of a new
Ordercontains the description of parameters of the validation and its current status. The validation is performed by the
describe certificate le-tlscommand.
https://acme-v02.api.letsencrypt.org/directory) and re-issue valid certificates signed by
Let's Encrypt Authority X3instead of
Fake LE Intermediate X1.
Certificateresource. Otherwise, the issuance procedure will not start because the certificate already exists, and it is valid. Deleting a secret would immediately result in invalidation of the certificate with the following message in the output of the
Certificatedescribed above (it has not changed):
Certificate issued successfullyconfirmation, let us check it out:
Secretresource containing the token and describe it in your
Issuerwill have the following form:
Challengeresources will be created:
Certificateresources explicitly. The idea is to obtain a certificate automatically using the
Issuerspecified in the special annotations of Ingress. Here is an example of the respective Ingress resource: