adventures into the land of the command line

how to setup and use cert manager

install cert-manager from the stable helm chart into the kube-system namespace (this is helm 2 syntax, hence --name). remember which namespace you pick: a ClusterIssuer stores its ACME account key as a secret in the namespace cert-manager itself runs in, not in your app's namespace.

$ helm install --name cert-manager --namespace kube-system stable/cert-manager

create two cluster issuers, one for each letsencrypt environment: prod and staging. note that these are not your environments, they are letsencrypt's. prod issues certs browsers trust but has strict rate limits (fail validation a handful of times and you are locked out for a while); staging has generous limits but issues certs signed by a fake CA that browsers reject. point new charts at staging until the whole flow works, then switch to prod.

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  # ClusterIssuers are cluster-scoped, so no namespace goes here; the account
  # key named below is written to the namespace cert-manager runs in (kube-system)
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL (Let's Encrypt production: browser-trusted, rate limited)
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (expiry warnings land here); placeholder, use your own
    email: you@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable HTTP01 validations
    http01: {}

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  # cluster-scoped, same as above
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL (Let's Encrypt staging: untrusted fake CA, generous rate limits)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration; placeholder, use your own
    email: you@example.com
    # Name of a secret used to store the ACME account private key (keep it separate from prod)
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable HTTP01 validations
    http01: {}

$ kubectl apply -f certmanager-prod.yaml
$ kubectl apply -f certmanager-staging.yaml

you’ll see that these now exist (you can’t view them in the dashboard by the way)

$ kubectl get clusterissuer
NAME                  AGE
letsencrypt-prod      15s
letsencrypt-staging   2s

Add a Certificate resource to your helm chart. it lives in your app's namespace (unlike the issuer), and cert-manager will write the issued key pair into the secret named by secretName, in that same namespace:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: my-groovy-cert
  # Certificates are namespaced; the secret ends up in this namespace too
  namespace: my-groovy-namespace
spec:
  # kubernetes.io/tls secret cert-manager creates with tls.crt and tls.key
  secretName: my-groovy-cert
  dnsNames:
  - my.groovy.domain
  acme:
    config:
    # solve HTTP01 by publishing the challenge through the nginx ingress controller
    - ingressClass: nginx
      domains:
      - my.groovy.domain
  issuerRef:
    # swap to letsencrypt-staging while you are still debugging the setup
    name: letsencrypt-prod
    kind: ClusterIssuer

$ kubectl get certificate --all-namespaces
NAMESPACE             NAME             AGE
my-groovy-namespace   my-groovy-cert   2m

to tie it to the ingress you want to use it with, the ingress needs a spec.tls entry whose secretName matches the Certificate's secretName, so nginx serves the key pair cert-manager wrote. the certmanager.k8s.io/cluster-issuer annotation (naming the ClusterIssuer you created above) is a separate, optional mechanism: it tells cert-manager's ingress-shim to create a Certificate for the ingress hosts for you, so you only need one of the two. either way it must be a plain annotation on the ingress; tucking it inside the nginx configuration-snippet annotation just injects that line into the nginx config, where cert-manager never sees it. HTTP01 validation also needs port 80 for my.groovy.domain to be reachable from the internet through this ingress controller, since that is where letsencrypt fetches the challenge.

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-groovy-ingress
  labels:
    app: my-groovy-app
  namespace: my-groovy-namespace
  annotations:
    # top-level annotation, not inside configuration-snippet; lets ingress-shim
    # create the Certificate automatically if you did not define one yourself
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - my.groovy.domain
    # must match the Certificate's secretName
    secretName: my-groovy-cert
  rules:
  - host: my.groovy.domain
    http:
      paths:
      - path: /
        backend:
          serviceName: default-backend
          servicePort: 80

and then magic happens after maybe 5 minutes: cert-manager registers the ACME account, serves the HTTP01 challenge token on /.well-known/acme-challenge/ through a temporary ingress rule, waits for letsencrypt to fetch it, then writes the key pair into the secret. if it never shows up, kubectl describe the certificate resource; the events tell you which step stalled.

$ kubectl get secrets -n my-groovy-namespace
NAME                                    TYPE                                  DATA      AGE
.
.
my-groovy-cert                          kubernetes.io/tls                     2         4m
.
.

head over to https://my.groovy.domain and check out your green padlock in all its glory. if the browser complains about an untrusted issuer instead, the cert came from the staging issuer: point the Certificate at letsencrypt-prod, delete the secret and let it re-issue.
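a quick sanity check on what actually landed in the secret, as an added example (not part of the original post and not cert-manager's own tooling). it pulls tls.crt out of the kubernetes.io/tls secret, prints subject, issuer and validity, and fails if the issuer is letsencrypt's staging CA (issuer names containing "Fake LE" or "(STAGING)") or the cert has already expired. the namespace and secret names are the placeholders from the post; kubectl, base64 and openssl are assumed to be on the path.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the certificate
# cert-manager stored in a kubernetes.io/tls Secret.

# Dump the PEM chain from a TLS Secret. Needs kubectl access to the cluster,
# so it is only called in the usage line at the bottom.
secret_cert_pem() {
  ns="$1"; name="$2"
  kubectl get secret -n "$ns" "$name" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Inspect a PEM file (first certificate only, i.e. the leaf).
# Exit status: 0 = looks like a usable production cert,
#              1 = issued by the Let's Encrypt staging environment,
#              2 = already expired.
inspect_tls_cert() {
  pem="$1"
  # human-readable summary, printed in every case
  openssl x509 -in "$pem" -noout -subject -issuer -dates
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  case "$issuer" in
    *"Fake LE"*|*STAGING*)
      echo "WARNING: issued by Let's Encrypt staging; browsers will reject it, re-issue with letsencrypt-prod" >&2
      return 1 ;;
  esac
  # -checkend 0 exits non-zero once notAfter is in the past
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "WARNING: certificate has expired" >&2
    return 2
  fi
  return 0
}

# usage against the cluster (placeholder names from the post):
#   secret_cert_pem my-groovy-namespace my-groovy-cert > cert.pem && inspect_tls_cert cert.pem
```

run it after the secret appears; a non-zero exit means the padlock will not be green, and the warning tells you why before you open a browser.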