Install
Cert-manager is easy to install with Helm Package Manager. The first step is add Jetstack repository in our repository and becoming the package info with update
helm repo add jetstack https://charts.jetstack.io helm repo update
Now we can install Cert-Manager with CRDs into our cluster:
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
Cert-manager have also a kubectl plugin to easily manage configs and resources
OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -sSL -o kubectl-cert-manager.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/kubectl-cert_manager-$OS-$ARCH.tar.gz tar xzf kubectl-cert-manager.tar.gz sudo mv kubectl-cert_manager /usr/local/bin
Configure for The Let’s Encrypt Certificate
Issuers and Cluster Issuers are components the creating certificates for our cluster. We need a ClusterIssuer for dynamically acquires new certificates for our ingress resources.
We creating also typically setup, one for staging another for live/production.
letsencrypt-issuer-staging.yaml
apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-staging spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory email: example@domain.com privateKeySecretRef: name: letsencrypt-staging solvers: - http01: ingress: class: nginx
kubectl create -f letsencrypt-issuer-staging.yaml
letsencrypt-issuer-production.yaml
apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-production spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: example@domain.com privateKeySecretRef: name: letsencrypt-production solvers: - http01: ingress: class: nginx
kubectl create -f letsencrypt-issuer-production.yaml
Ingress Integration
The issuer is ready to certificate, Cert-manager check the ingress resources and create, if they needed, based on tls value.
We need a annotation “https://cert-manager.io/cluster-issuer:%20letsencrypt-staging” and tls block for certificate progress to activate.
example-ingress.yaml
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ .Chart.Name }}-ingress annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: letsencrypt-staging spec: rules: - host: {{ .Values.hostname }} http: paths: - pathType: Prefix path: / backend: service: name: {{ .Chart.Name }}-service port: number: 80 tls: - hosts: - {{ .Values.hostname }} secretName: {{ .Chart.Name }}-tls
and dont forget update your ingress resource. After the re-deploy this ingress, Cert-manager detect the annotation and create creating certification request via cluster-issuer (letsencrypt-staging) for the hostname defined in the tls hosts field.
Views: 39