Install
Cert-manager is easy to install with the Helm package manager. The first step is to add the Jetstack repository to our Helm repositories and fetch the package index with update:
helm repo add jetstack https://charts.jetstack.io
helm repo update
Now we can install Cert-Manager with CRDs into our cluster:
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
Cert-manager also has a kubectl plugin to manage its configs and resources more easily:
OS=$(go env GOOS); ARCH=$(go env GOARCH)
curl -sSL -o kubectl-cert-manager.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/kubectl-cert_manager-$OS-$ARCH.tar.gz
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin
Configure for the Let's Encrypt Certificate
Issuers and ClusterIssuers are the components that create certificates for our cluster. We need a ClusterIssuer so that new certificates are acquired dynamically for our Ingress resources.
We also create the typical setup of two issuers, one for staging and another for live/production.
letsencrypt-issuer-staging.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: example@domain.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
kubectl create -f letsencrypt-issuer-staging.yaml
letsencrypt-issuer-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: example@domain.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
kubectl create -f letsencrypt-issuer-production.yaml
Ingress Integration
Once the issuer is ready to issue certificates, cert-manager watches the Ingress resources and creates certificates where needed, based on the tls block.
We need the annotation cert-manager.io/cluster-issuer: letsencrypt-staging and a tls block on the Ingress for the certificate process to start.
example-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Chart.Name }}-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  rules:
  - host: {{ .Values.hostname }}
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: {{ .Chart.Name }}-service
            port:
              number: 80
  tls:
  - hosts:
    - {{ .Values.hostname }}
    secretName: {{ .Chart.Name }}-tls
Don't forget to update your Ingress resource. After the Ingress is redeployed, cert-manager detects the annotation and creates a certificate request via the ClusterIssuer (letsencrypt-staging) for the hostname defined in the tls hosts field.
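The two things that silently break this flow are an Ingress that cert-manager never picks up (annotation missing, or a rules host that is not covered by tls.hosts) and an HTTP-01 challenge that fails after the request is created. The script below is an added example, not part of the original post or of cert-manager: it lints a rendered Ingress manifest (after helm template, so no {{ }} placeholders) for those conditions, maps the issuer name to the ACME directory it will talk to, and walks the chain of objects cert-manager creates (Certificate, CertificateRequest, Order, Challenge) in a namespace. The hostname demo.example.test, the demo-* resource names and the sample manifest are constructed for the example; the status walk assumes kubectl access to the cluster and the kubectl cert-manager plugin installed as above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lint an Ingress that relies on
# cert-manager, then inspect the issuance chain once it is deployed.
# Usage: ./cm-check.sh lint rendered-ingress.yaml
#        ./cm-check.sh status <namespace>

# Map the two ClusterIssuers from the post to the ACME directory they use.
# Staging certificates chain to a CA that browsers do not trust; staging exists
# so the HTTP-01 flow can be debugged without burning production rate limits.
acme_server_for_issuer() {
  case "$1" in
    letsencrypt-staging)    echo "https://acme-staging-v02.api.letsencrypt.org/directory" ;;
    letsencrypt-production) echo "https://acme-v02.api.letsencrypt.org/directory" ;;
    *) echo "unknown issuer: $1" >&2; return 1 ;;
  esac
}

# Lint a rendered Ingress manifest. Returns 0 when the cluster-issuer
# annotation, the tls.secretName and the host coverage all check out;
# prints the reason and returns 1 otherwise.
lint_ingress() {
  local manifest="$1" issuer server host
  issuer=$(grep -E '^[[:space:]]*cert-manager.io/cluster-issuer:' "$manifest" | awk '{print $2}' | head -n 1)
  if [ -z "$issuer" ]; then
    echo "FAIL: no cert-manager.io/cluster-issuer annotation, cert-manager will ignore this Ingress" >&2
    return 1
  fi
  if ! grep -qE '^[[:space:]]*secretName:' "$manifest"; then
    echo "FAIL: no tls.secretName, cert-manager has nowhere to store the certificate" >&2
    return 1
  fi
  # Every host under spec.rules must also be listed under spec.tls[].hosts,
  # otherwise that name is served without the issued certificate.
  for host in $(grep -E '^[[:space:]]*-[[:space:]]*host:' "$manifest" | awk '{print $3}'); do
    if ! grep -qE "^[[:space:]]*-[[:space:]]*${host}[[:space:]]*$" "$manifest"; then
      echo "FAIL: rules host ${host} is not listed under tls.hosts" >&2
      return 1
    fi
  done
  server=$(acme_server_for_issuer "$issuer" 2>/dev/null || echo "custom issuer")
  echo "OK: issuer=${issuer} -> ${server}"
  return 0
}

# Walk the issuance chain in one namespace. A Certificate stuck at READY=False
# almost always points at a Challenge: DNS not pointing at the ingress
# controller, port 80 not reachable from the internet, or the solver ingress
# class not matching the controller that actually serves traffic.
walk_status() {
  local ns="$1"
  kubectl get certificate,certificaterequest,order,challenge -n "$ns"
  kubectl describe challenge -n "$ns" | grep -E 'Reason|State|Presented|Processing' || true
  # The kubectl plugin installed above summarises the same chain per certificate:
  #   kubectl cert-manager status certificate <name> -n "$ns"
}

# Constructed sample (hostname and names are made up): the post's Ingress with
# the Helm placeholders rendered, written to the path given as $1.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  rules:
  - host: demo.example.test
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: demo-service
            port:
              number: 80
  tls:
  - hosts:
    - demo.example.test
    secretName: demo-tls
EOF
}

if [ "$#" -ge 2 ]; then
  case "$1" in
    lint)   lint_ingress "$2" ;;
    status) walk_status "$2" ;;
  esac
fi
```

Run the lint against the output of helm template before deploying; once the staging certificate shows READY=True, switch the annotation to letsencrypt-production and redeploy, because the staging certificate will be rejected by browsers even though issuance succeeded.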