ZeroSSL is a one-stop solution for SSL certificate creation and management, allowing users to create website security certificates issued by ZeroSSL either using a fast and straightforward user interface, using ACME integrations, or using a full-fledged SSL REST API. ZeroSSL supports single-domain, multi-domain and wildcard certificates with the option of choosing between 90-day as well as 1-year certificate validity.

Prerequisites

  • An account at https://zerossl.com/ . In the Developer section of the dashboard, generate "EAB Credentials for ACME Clients"; this gives you an EAB Key ID and an EAB HMAC key, which bind the ACME account cert-manager creates to your ZeroSSL account.
    Note: We are currently using Ion Mudreac's account.

Why ZeroSSL?

We previously used Let's Encrypt. The main differences are that ZeroSSL does not impose rate limits on certificate issuance and provides a GUI-based management console for the certificates it has issued.

EAB secret

Once you have the EAB credentials, the first step is to create the Kubernetes Secret that holds the EAB HMAC key. Together with the Key ID it authenticates the ACME account against your ZeroSSL account. The Key ID is a public identifier and can live in the manifest; the HMAC key is the secret and must only ever reach the cluster through Vault.

The HMAC key is stored in Vault under the key EABHMACKey at https://vault.cicd.safibank.online/ui/vault/secrets/secret/show/cicd/zerossl

From secret-zerossl.yaml

apiVersion: v1
kind: Secret
metadata:
  # referenced by the ClusterIssuer's externalAccountBinding.keySecretRef
  name: zerossl-eab
stringData:
  # placeholder resolved from Vault at deploy time; never commit the raw HMAC key
  secret: <secret:secret/data/cicd/zerossl~EABHMACKey>

Cluster issuer

Create the ZeroSSL ClusterIssuer for the GCP project that hosts the Cloud DNS zone, e.g. safi-dns-safibankonline. The DV90 endpoint issues 90-day certificates; cert-manager renews them automatically (by default when one third of the lifetime remains), so the short validity is not an operational burden.

From cluster-issuer-zerossl-dns.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: zerossl-dns
spec:
  acme:
    # ZeroSSL ACME endpoint for 90-day domain-validated certificates
    server: https://acme.zerossl.com/v2/DV90
    externalAccountBinding:
      # EAB Key ID from the ZeroSSL developer section (public identifier)
      keyID: bC96iOYfnz6MHrdgR4iI_w
      keySecretRef:
        # the Secret created above, and the key inside its data
        name: zerossl-eab
        key: secret
    privateKeySecretRef:
      # ACME account key; cert-manager generates and stores it here
      name: zerossl-dns
    solvers:
    - dns01:
        cloudDNS:
          # The ID of the GCP project
          project: safi-dns-safibankonline
          # no serviceAccountSecretRef: cert-manager uses ambient credentials
          # (Workload Identity / node service account), which therefore need
          # DNS edit rights on this project

Requesting Ingress certificate

From advanceai-gateway/values.yaml

kotlin:
  # others omitted for brevity
  
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: zerossl-dns
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      kubernetes.io/ingress.class: traefik-internal
    hosts:
      - host: advanceai-gateway.apps.brave.safibank.online
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: advanceai-gateway.apps.brave.safibank.online-tls
        hosts:
          - advanceai-gateway.apps.brave.safibank.online
