Remove hard-coded cert-manager configuration and improve TLS docs (#227)

emmanuelmathot · web-flow · commit af5ab47f3a71 · 2025-05-16T09:25:06.000+02:00
* Refactor ingress configuration to remove cert-manager settings and add TLS setup instructions in documentation

* Update CHANGELOG.md for v0.7.1 release notes, including breaking changes and TLS configuration updates

* Add documentation files in templates to .helmignore

* Fix .helmignore to correctly ignore documentation files in templates
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v0.7.1] - Unreleased
+
+### Breaking Changes
+- Remove hard-coded cert-manager configuration from ingress template [#227](https://github.com/developmentseed/eoapi-k8s/pull/227)
+
+### Changed
+- Simplify TLS configuration to allow user-controlled certificate management [#227](https://github.com/developmentseed/eoapi-k8s/pull/227)
+- Update documentation with comprehensive cert-manager setup guide [#227](https://github.com/developmentseed/eoapi-k8s/pull/227)
+
 ## [v0.7.0] - 2025-04-30
 
 ### Breaking Changes
diff --git a/docs/unified-ingress.md b/docs/unified-ingress.md
@@ -34,9 +34,6 @@ ingress:
   tls:
     enabled: false
     secretName: eoapi-tls
-    certManager: false
-    certManagerIssuer: letsencrypt-prod
-    certManagerEmail: ""
 ```
 
 ## Controller-Specific Configurations
@@ -89,6 +86,77 @@ ingress:
     secretName: eoapi-tls
 ```
 
+## Setting up TLS with cert-manager
+
+[cert-manager](https://cert-manager.io) can be used to automatically obtain and manage TLS certificates. Here's how to set it up with Let's Encrypt:
+
+1. First, install cert-manager in your cluster:
+```bash
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --set installCRDs=true
+```
+
+2. Create a ClusterIssuer for Let's Encrypt (staging first for testing):
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # Use Let's Encrypt staging environment first
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: your-email@example.com
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: nginx  # or traefik, depending on your setup
+```
+
+3. After testing with staging, create the production issuer:
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: your-email@example.com
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: nginx  # or traefik, depending on your setup
+```
+
+4. Configure your eoAPI ingress to use cert-manager:
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"  # or "traefik"
+  host: "eoapi.example.com"
+  annotations:
+    # Add cert-manager annotations
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  tls:
+    enabled: true
+    secretName: eoapi-tls  # cert-manager will create this secret
+```
+
+The certificate will be automatically obtained and renewed by cert-manager. The process typically takes a few minutes. You can check the certificate status with:
+```bash
+kubectl get certificate
+```
+
 ## Migration
 
 If you're migrating from a version 0.6.0 or earlier, follow these guidelines:
diff --git a/helm-chart/eoapi/.helmignore b/helm-chart/eoapi/.helmignore
@@ -22,3 +22,6 @@
 *.tmproj
 .vscode/
 tests/
+
+# Documentation files in templates
+templates/*/*.md
diff --git a/helm-chart/eoapi/templates/services/ingress.yaml b/helm-chart/eoapi/templates/services/ingress.yaml
@@ -20,9 +20,6 @@ metadata:
     traefik.ingress.kubernetes.io/router.entrypoints: web
     traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-strip-prefix-middleware-{{ $.Release.Name }}@kubernetescrd
     {{- end }}
-    {{- if and .Values.ingress.tls.enabled .Values.ingress.tls.certManager .Values.ingress.tls.certManagerIssuer }}
-    cert-manager.io/issuer: {{ .Values.ingress.tls.certManagerIssuer }}
-    {{- end }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.ingress.className }}
diff --git a/helm-chart/eoapi/values.yaml b/helm-chart/eoapi/values.yaml
@@ -55,9 +55,6 @@ ingress:
   tls:
     enabled: false
     secretName: eoapi-tls
-    certManager: false
-    certManagerIssuer: letsencrypt-prod
-    certManagerEmail: ""
 
 ######################
 # DATABASE
