cert-issuer

Edit on GitHub	/services/cert-issuer
Type	Helm
Namespace	cert-issuer

Overview

The cert-issuer service creates a cluster issuer for the use of the Rubin Science Platform. It depends on cert-manager. The issuer is named cert-issuer-letsencrypt-dns.

On most clusters where the Rubin Science Platform manages certificates, this is also handled by the Rubin Science Platform Argo CD, but on the base and summit clusters, cert-manager is maintained by IT and installed outside of Argo CD. NCSA clusters use NCSA certificates issued via an internal process.

cert-issuer should only be enabled in environments using Route 53 for DNS and using cert-manager with the DNS solver. For more information, see Hostnames and TLS.

Using cert-issuer

To configure an ingress to use certificates issued by it, add a tls configuration to the ingress and the annotation:

cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns

This should be done on one and only one ingress for a deployment using cert-issuer. The RSP conventionally uses the landing-page service.

Guides

• Setting up Route 53 for cert-issuer
• Bootstrapping cert-issuer

See also

• cert-manager

• cert-manager documentation for Route 53.