Smallstep step-ca is a popular ACME Certificate Authority, especially for environments where you can't or don't want to rely on Let's Encrypt, such as on-premises, air-gapped environments. To use step-ca properly, however, you will need to modify your cluster.yaml. The ACME protocol relies on challenges to issue certificates to services, and smallstep step-ca implements these challenges, including the http-01 challenge, which is the most commonly used. However, step-ca cannot handle redirects from http to https during the challenge, so it will not be able to issue certificates to Konvoy clusters because Traefik automatically redirects all incoming traffic to https.
To disable the automatic https redirect, simply configure the Traefik addon in cluster.yaml as follows:
- name: traefik
  enabled: true
  values: |
    ssl:
      enforced: false
This modifies the ConfigMap for Traefik to allow plain http ingress into the cluster, so that smallstep step-ca can reach the challenge URL hosted by Konvoy and issue a cluster certificate. After you have configured Traefik as above, follow the steps below to configure your cluster for ACME certificates:
https://docs.d2iq.com/dkp/konvoy/1.7/access-authentication/letsencrypt/
For more information about the smallstep step-ca http-01 challenge used by Konvoy, see:
https://smallstep.com/docs/tutorials/acme-challenge
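After applying the Traefik change above, a quick way to confirm that the http-01 challenge path is reachable over plain http is to request it with redirects not followed and inspect the first status code. The script below is an added example, not part of the Konvoy or smallstep documentation; it assumes curl is installed and that the hostname passed to probe_host is one of your ingress hostnames (the challenge token in the path is a constructed placeholder).

```shell
#!/bin/sh
# Added example: check that a Konvoy ingress host serves the ACME http-01
# challenge path over plain http without an https redirect.
# Assumes curl is available; the token below is a constructed placeholder,
# a 404 for it is the expected answer before any challenge is provisioned.
ACME_PATH="/.well-known/acme-challenge/probe-token-placeholder"

# classify_status STATUS
# Prints a verdict and returns 0 when plain-http access works, 1 otherwise.
# 2xx or 404: Traefik answered over http, so step-ca's validator can reach it.
# 301/302/307/308: the https redirect is still active (ssl.enforced in effect).
classify_status() {
    case "$1" in
        2??|404)
            echo "ok: http reachable (status $1), no https redirect"
            return 0 ;;
        301|302|307|308)
            echo "fail: redirected (status $1); Traefik still enforces https"
            return 1 ;;
        *)
            echo "fail: unexpected status '$1' (000 means no connection)"
            return 1 ;;
    esac
}

# probe_host HOSTNAME
# curl does not follow redirects unless -L is given, so the status seen here
# is the first response, exactly what the ACME validator would see.
probe_host() {
    status=$(curl -sS -o /dev/null -w '%{http_code}' "http://$1$ACME_PATH") || return 1
    classify_status "$status"
}

# Usage: probe_host ingress.example.internal
```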