I want to transfer the letsencrypt certificate of my production Kubernetes cluster to the cluster I'm spinning up for e2e tests in GitLab CI.
My goal is to avoid storing the certificate in the CI and injecting it through the environment, because then I need to update it manually and have it there always rather than just for the duration of the CI job. I assume that I can't create a certificate for the domain for the e2e cluster because the production cluster keeps running.
I'm exporting the secret which is used by the ingress with kubectl get -o yaml and importing it into the newly created cluster with kubectl apply. This works fine for microk8s locally.
My production and e2e clusters are in the Google Cloud. The ingresses don't get external IP addresses because they're complaining Issuer resource "letsencrypt-prod" not found. I need the IP address to configure name resolution for the test to point to the e2e cluster rather than production.
I tried adding a

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        # The ACME server URL
        server: https://acme-staging.api.letsencrypt.org/directory
        # Email address used for ACME registration
        email: admin@mereet.com
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
          name: letsencrypt-prod
        # Enable the HTTP-01 challenge provider
        http01: {}

into the namespace where the ingresses are created and into the namespace where cert-manager is installed.
What is the missing issuer referring to, and how can I make the certificate transfer work, which already works from production to local?
It's a poor security practice to use the same certificate for your production environments and your test environments. You should generate a separate certificate for the test environment and look to automate its generation to enable highly automated end-to-end testing.
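Following the answer's recommendation, here is an added example (not from the question or the answer) of a per-cluster issuer for the e2e cluster: a namespaced Issuer pointing at the Let's Encrypt staging endpoint, and an ingress whose certmanager.k8s.io/issuer annotation names it, so cert-manager requests a fresh certificate for the e2e cluster instead of the production private key being copied into CI. The namespace, hostname, contact address, service name and ingress class are assumptions.

```yaml
# Added example: namespaced Issuer for the e2e cluster (cert-manager v1alpha1 API,
# matching the question). It must live in the same namespace as the ingress, because
# the certmanager.k8s.io/issuer annotation on an Ingress resolves to an Issuer in that
# namespace; a ClusterIssuer is only looked up via certmanager.k8s.io/cluster-issuer.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: e2e                 # assumption: namespace of the ingress under test
spec:
  acme:
    # Staging endpoint: no production rate limits while CI spins clusters up and
    # down, but its CA is not browser-trusted, so e2e clients must trust the
    # staging root explicitly.
    server: https://acme-staging.api.letsencrypt.org/directory
    email: admin@example.com     # assumption: placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account   # ACME account key, separate from prod
    http01: {}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app
  namespace: e2e
  annotations:
    kubernetes.io/ingress.class: nginx              # assumption
    certmanager.k8s.io/issuer: letsencrypt-staging  # must match the Issuer name above
spec:
  tls:
  - hosts:
    - e2e.example.com        # assumption: dedicated e2e hostname, never the prod name
    secretName: e2e-tls      # created and renewed in-cluster; nothing stored in CI
  rules:
  - host: e2e.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: app   # assumption
          servicePort: 80
```

HTTP-01 validation only succeeds if e2e.example.com publicly resolves to the e2e ingress, so reserve a DNS record for the e2e hostname rather than relying on local name resolution alone.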