Cert-manager
Cert-manager is a tool for creating HTTPS/TLS certificates.
It is a prerequisite to have access to a DNS provider (either one you control manually or using external-dns), a certificate authority (CA) such as Let’s Encrypt, and a working ingress configuration (e.g. ingress-nginx).
Installation of cert-manager
For a basic helm installation of cert-manager:
helm repo add jetstack https://charts.jetstack.io --force-update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.15.1 \
--set crds.enabled=true
To set up a certificate issuer, for example Let’s encrypt using ingress-nginx, create ClusterIssuer resources:
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging-issuer
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-dev
solvers:
- http01:
ingress:
ingressClassName: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod-issuer
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
ingressClassName: nginx
See this documentation for the most up-to-date documentation:
Now you should be able to issue certificates, provided that you are using external-dns or that you have set up a DNS record for the domain you are issuing the certificate for. For example, to create a certificate for harbor.dev.skach.org the following certificate resource would need to be applied to the Kubernetes cluster (or added to a git repository if you are using GitOps tools such as ArgoCD or Flux).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harbor.dev.skach.org
namespace: harbor
spec:
dnsNames:
- harbor.dev.skach.org
secretName: harbor.dev.skach.org
issuerRef:
name: letsencrypt-prod-issuer
kind: ClusterIssuer
Installation of cert-manager using Flux Helm controller
If you are using Flux as GitOps solution, these instructions can be used: