Cert-Manager – Kubernetes NGINX Ingress with Cert-Manager

Install

cert-manager is straightforward to install with the Helm package manager. The first step is to add the Jetstack chart repository and refresh the local chart index:

helm repo add jetstack https://charts.jetstack.io
helm repo update

Now we can install Cert-Manager with CRDs into our cluster:

helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

cert-manager also ships a kubectl plugin for inspecting and managing its resources. The download below pins v1.7.2 (the same release as the chart above) and uses go env to pick the OS and architecture, so it assumes a Go toolchain on the workstation:

OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -sSL -o kubectl-cert-manager.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/kubectl-cert_manager-$OS-$ARCH.tar.gz
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin

Configure a Let’s Encrypt ClusterIssuer

Issuers and ClusterIssuers are the cert-manager resources that represent a certificate authority able to sign certificates. An Issuer is scoped to a single namespace, whereas a ClusterIssuer can be referenced by Ingress resources in any namespace, which is what we want for dynamically acquiring certificates for ingresses across the cluster.

As is typical, we create two of them: one against the Let’s Encrypt staging environment and one against production. Staging has far more generous rate limits, so it is the place to debug a new setup, but its certificates are signed by a test CA that browsers do not trust; switch to production only once issuance succeeds. Replace the example email with an address you monitor, since Let’s Encrypt uses it for expiry and policy notices.

letsencrypt-issuer-staging.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: example@domain.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

kubectl create -f letsencrypt-issuer-staging.yaml

letsencrypt-issuer-production.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: example@domain.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - http01:
          ingress:
            class: nginx

kubectl create -f letsencrypt-issuer-production.yaml

Ingress Integration

Once the ClusterIssuer reports Ready, cert-manager watches Ingress resources and, where the annotation is present, creates the Certificate it needs from the ingress’s tls block.

Two things must be present for issuance to start: the annotation "cert-manager.io/cluster-issuer: letsencrypt-staging" and a tls block naming the hosts and the Secret the certificate should be stored in.

example-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Chart.Name }}-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  rules:
    - host: {{ .Values.hostname }}
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: {{ .Chart.Name }}-service
                port:
                  number: 80
  tls:
    - hosts:
      - {{ .Values.hostname }}
      secretName: {{ .Chart.Name }}-tls

Then update the Ingress in the cluster (the example above is a Helm template, so re-deploy the chart). cert-manager detects the annotation and creates a Certificate, a CertificateRequest and an ACME Order via the letsencrypt-staging ClusterIssuer for the hostname in the tls hosts field, solves the HTTP-01 challenge through a temporary solver Ingress of class nginx, and writes the resulting key pair into the Secret named by secretName. Follow progress with "kubectl get certificate,certificaterequest,order,challenge -n <namespace>" or with the plugin, "kubectl cert-manager status certificate <name>". Once the staging certificate is issued, change the annotation to letsencrypt-production and re-deploy to obtain a browser-trusted certificate.
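The wiring described in this section and in the ClusterIssuer section above is easy to get subtly wrong: a missing tls block, an annotation that names an issuer that does not exist or is not Ready, an ingress class that differs from the issuer’s http01 solver class (so the challenge ingress is served by a different controller), a wildcard host on an HTTP-01 issuer, or a production deployment still pointing at staging. The following script is an added example, not part of cert-manager or of the original post; it lints those conditions over the JSON that "kubectl get ingress,clusterissuer -A -o json" prints. The three Ingress objects and two ClusterIssuers embedded in it are constructed sample data, and names such as shop.example.com and the namespaces used are assumptions for illustration.

```python
"""Lint cert-manager Ingress/ClusterIssuer wiring from `kubectl ... -o json` output.

Added example, not cert-manager's own tooling. Input is a Kubernetes `List`
object such as `kubectl get ingress,clusterissuer -A -o json` prints.
"""
import json
import sys

ANNOTATION_CLUSTER_ISSUER = "cert-manager.io/cluster-issuer"
ANNOTATION_INGRESS_CLASS = "kubernetes.io/ingress.class"
ACME_STAGING = "acme-staging"  # substring of the Let's Encrypt staging directory URL


def issuer_is_ready(issuer):
    """True when status.conditions carries Ready=True (cert-manager's readiness condition)."""
    for cond in issuer.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False


def issuer_solvers(issuer):
    return issuer.get("spec", {}).get("acme", {}).get("solvers", [])


def issuer_http01_class(issuer):
    """Ingress class targeted by the issuer's first http01 solver, or None if there is none."""
    for solver in issuer_solvers(issuer):
        ingress = solver.get("http01", {}).get("ingress")
        if ingress is not None:
            return ingress.get("class") or ingress.get("ingressClassName")
    return None


def issuer_uses_dns01(issuer):
    return any("dns01" in solver for solver in issuer_solvers(issuer))


def ingress_class(ing):
    """spec.ingressClassName wins; fall back to the older kubernetes.io/ingress.class annotation."""
    annotations = ing.get("metadata", {}).get("annotations", {})
    return ing.get("spec", {}).get("ingressClassName") or annotations.get(ANNOTATION_INGRESS_CLASS)


def lint(items):
    """Return (level, namespace/name, message) findings for every Ingress annotated for cert-manager."""
    issuers = {i["metadata"]["name"]: i for i in items if i.get("kind") == "ClusterIssuer"}
    findings = []
    for ing in (i for i in items if i.get("kind") == "Ingress"):
        meta = ing["metadata"]
        name = f"{meta.get('namespace', 'default')}/{meta['name']}"
        issuer_name = meta.get("annotations", {}).get(ANNOTATION_CLUSTER_ISSUER)
        if issuer_name is None:
            continue  # not managed through a ClusterIssuer; nothing to check
        spec = ing.get("spec", {})
        tls = spec.get("tls", [])
        if not tls:
            findings.append(("ERROR", name, "annotated but has no spec.tls block; no Certificate will be created"))
            continue
        issuer = issuers.get(issuer_name)
        if issuer is None:
            findings.append(("ERROR", name, f"ClusterIssuer {issuer_name!r} does not exist"))
        else:
            if not issuer_is_ready(issuer):
                findings.append(("ERROR", name, f"ClusterIssuer {issuer_name!r} is not Ready"))
            if ACME_STAGING in issuer.get("spec", {}).get("acme", {}).get("server", ""):
                findings.append(("WARN", name, f"uses staging issuer {issuer_name!r}; browsers will not trust the certificate"))
            solver_class, ing_class = issuer_http01_class(issuer), ingress_class(ing)
            if solver_class and ing_class and solver_class != ing_class:
                findings.append(("ERROR", name, f"ingress class {ing_class!r} != http01 solver class {solver_class!r}; the challenge will not be routed"))
        rule_hosts = {rule.get("host") for rule in spec.get("rules", [])}
        for entry in tls:
            if not entry.get("secretName"):
                findings.append(("ERROR", name, "tls entry without secretName"))
            for host in entry.get("hosts", []):
                if host.startswith("*.") and issuer is not None and not issuer_uses_dns01(issuer):
                    findings.append(("ERROR", name, f"wildcard {host!r} cannot be issued with HTTP-01; use a DNS-01 solver"))
                elif host not in rule_hosts:
                    findings.append(("WARN", name, f"tls host {host!r} has no matching rule"))
    return findings


def _issuer(name, server):
    return {"kind": "ClusterIssuer", "metadata": {"name": name},
            "spec": {"acme": {"server": server, "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
            "status": {"conditions": [{"type": "Ready", "status": "True"}]}}


def _ingress(ns, name, issuer, host, **spec_extra):
    meta = {"name": name, "namespace": ns,
            "annotations": {ANNOTATION_INGRESS_CLASS: "nginx", ANNOTATION_CLUSTER_ISSUER: issuer}}
    spec = {"rules": [{"host": host}], "tls": [{"hosts": [host], "secretName": f"{name}-tls"}]}
    spec.update(spec_extra)
    return {"kind": "Ingress", "metadata": meta, "spec": spec}


# Constructed sample in the shape of `kubectl get ingress,clusterissuer -A -o json` (not real cluster data).
SAMPLE = {"kind": "List", "items": [
    _issuer("letsencrypt-staging", "https://acme-staging-v02.api.letsencrypt.org/directory"),
    _issuer("letsencrypt-production", "https://acme-v02.api.letsencrypt.org/directory"),
    _ingress("shop", "shop-ingress", "letsencrypt-staging", "shop.example.com"),
    _ingress("api", "api-ingress", "letsencrypt-prod", "api.example.com"),  # typo: issuer does not exist
    _ingress("blog", "blog-ingress", "letsencrypt-production", "blog.example.com",
             ingressClassName="traefik", tls=[{"hosts": ["*.example.com"], "secretName": "blog-tls"}]),
]}


def main(argv):
    data = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE
    findings = lint(data["items"])
    for level, obj, msg in findings:
        print(f"{level:5} {obj}: {msg}")
    return 1 if any(level == "ERROR" for level, _, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the findings for the embedded sample, or as "kubectl get ingress,clusterissuer -A -o json > state.json && python lint_certmanager.py state.json" against a real cluster; a non-zero exit code on any ERROR makes it usable as a CI gate before a chart is promoted from staging to production.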
