Openware deployments support two main ways of issuing and loading TLS certificates: Let's Encrypt ACME (Automated Certificate Management Environment) and pre-provisioned certificates.
OPEX utilizes cert-manager to connect to the Let's Encrypt API and issue certificates.
cert-manager uses CRDs (Custom Resource Definitions) so that every aspect of the issuing process can be managed using kubectl and the Kubernetes API.
All the troubleshooting documentation is gathered here
Existing certificates can be loaded into the cluster as Secrets, and Ingresses can be configured to utilize them instead of the ones generated by cert-manager.
The steps to use a pre-provisioned TLS certificate in an Ingress are:
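```yaml
# Secret of type kubernetes.io/tls holding the pre-provisioned certificate and key.
apiVersion: v1
kind: Secret
metadata:
  name: testsecret-tls
  namespace: default
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
type: kubernetes.io/tls
```

```yaml
# Ingress that references the Secret by name under spec.tls.
# The Secret must be in the same namespace as the Ingress.
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22;
# newer clusters need networking.k8s.io/v1, which uses a different backend schema.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - sslexample.foo.com
    secretName: testsecret-tls
  rules:
  - host: sslexample.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service1
          servicePort: 80
```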
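
A pre-apply check for the Secret and Ingress shown above, added here as an example (it is not Openware's or cert-manager's code): it builds the Secret from PEM text with a single base64 pass and lists reasons the Ingress would not pick it up. The function names and the placeholder PEM strings are assumptions made for illustration, and the manifests are handled as plain dicts.

```python
import base64

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
# Unencrypted key headers only: a passphrase-protected key
# ("BEGIN ENCRYPTED PRIVATE KEY") cannot be loaded from a TLS Secret.
KEY_BEGIN = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
             "-----BEGIN EC PRIVATE KEY-----")

def build_tls_secret(name, namespace, cert_pem, key_pem):
    """Build a kubernetes.io/tls Secret (as a dict) from PEM text."""
    if not cert_pem.lstrip().startswith(CERT_BEGIN):
        raise ValueError("tls.crt is not a PEM certificate (swapped or already base64?)")
    if not key_pem.lstrip().startswith(KEY_BEGIN):
        raise ValueError("tls.key is not an unencrypted PEM private key")
    b64 = lambda text: base64.b64encode(text.encode()).decode()  # one pass, no line wraps
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}

def lint_ingress_tls(ingress, secret):
    """List reasons the Ingress would not serve the certificate in `secret`."""
    problems = []
    ns = ingress["metadata"].get("namespace")
    if ns is None:
        problems.append("Ingress has no metadata.namespace; it must land in "
                        + secret["metadata"]["namespace"])
    elif ns != secret["metadata"]["namespace"]:
        problems.append("Secret and Ingress are in different namespaces")
    tls_hosts = set()
    for entry in ingress["spec"].get("tls", []):
        if entry.get("secretName") == secret["metadata"]["name"]:
            tls_hosts.update(entry.get("hosts", []))
    if not tls_hosts:
        problems.append("no spec.tls entry references " + secret["metadata"]["name"])
    for rule in ingress["spec"].get("rules", []):
        if rule.get("host") not in tls_hosts:
            problems.append("rule host %s is not listed under spec.tls" % rule.get("host"))
    return problems

# Constructed placeholders, not real key material.
CERT = CERT_BEGIN + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = KEY_BEGIN[0] + "\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
INGRESS = {"metadata": {"name": "tls-example-ingress"},
           "spec": {"tls": [{"hosts": ["sslexample.foo.com"], "secretName": "testsecret-tls"}],
                    "rules": [{"host": "sslexample.foo.com"}]}}

if __name__ == "__main__":
    secret = build_tls_secret("testsecret-tls", "default", CERT, KEY)
    print(lint_ingress_tls(INGRESS, secret))
```

Run against the manifests as written on this page, the lint reports the missing `metadata.namespace` on the Ingress: the Secret is pinned to `default`, while the Ingress goes to whatever namespace the kubectl context selects.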