Using HTTPS to publish your website or expose your API is a must today. Fortunately, the days when you had to spend hundreds of dollars and a lot of time to create and manage a valid TLS / SSL certificate are long gone.
Cert-Manager automates the provisioning of certificates within Kubernetes clusters. It provides a set of custom resources for issuing certificates and attaching them to services.
One of the most common use cases is to secure web applications and APIs with Let’s Encrypt SSL certificates.
Prerequisites
Before you get started, you’ll need to have these things:
- A Kubernetes cluster
- A DNS domain name
- Helm
Installing cert-manager
Create a cert-manager namespace:
$:> kubectl create namespace cert-manager
cert-manager created
$:>
Disable resource validation on the cert-manager namespace
cert-manager deploys a webhook component that validates Issuer, ClusterIssuer and Certificate resources. That validation should not be applied to the namespace cert-manager itself is deployed in, so label the namespace to disable it:
$:> kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
namespace/cert-manager labeled
$:>
Add the required Helm repository:
$:> helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$:>
Search for the latest official jetstack/cert-manager Helm chart version:
$:> helm search repo cert-manager
NAME                                      CHART VERSION  APP VERSION  DESCRIPTION
jetstack/cert-manager                     v1.8.0         v1.8.0       A Helm chart for cert-manager
jetstack/cert-manager-approver-policy     v0.3.0         v0.3.0       A Helm chart for cert-manager-approver-policy
jetstack/cert-manager-csi-driver          v0.2.1         v0.2.0       A Helm chart for cert-manager-csi-driver
jetstack/cert-manager-csi-driver-spiffe   v0.2.0         v0.2.0       A Helm chart for cert-manager-csi-driver-spiffe
jetstack/cert-manager-istio-csr           v0.4.2         v0.4.0       istio-csr enables the use of cert-manager for i...
jetstack/cert-manager-trust               v0.1.1         v0.1.0       A Helm chart for cert-manager-trust
$:>
Install the cert-manager Helm chart:
$:> helm upgrade --install cert-manager -n cert-manager --version \
v1.8.0 jetstack/cert-manager --set installCRDs=true
Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Mon May 17 18:03:27 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.8.0 has been deployed successfully!
$:>
Verify the installation:
$:> kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-76578c9687-cl7sm              1/1     Running   0          78s
cert-manager-cainjector-5c55bb7cb4-hfgfv   1/1     Running   0          78s
cert-manager-webhook-556f979d7f-6xjhg      1/1     Running   0          78s
$:>
Make sure the *.cert-manager.io custom resource definitions were created successfully:
$:> kubectl get crd | grep cert-manager
certificaterequests.cert-manager.io 2022-05-23T16:03:29Z
certificates.cert-manager.io 2022-05-17T16:03:29Z
challenges.acme.cert-manager.io 2022-05-17T16:03:29Z
clusterissuers.cert-manager.io 2022-05-17T16:03:29Z
issuers.cert-manager.io 2022-05-17T16:03:29Z
orders.acme.cert-manager.io 2022-05-17T16:03:29Z
$:>
Verify that ClusterIssuer is cluster-scoped (the NAMESPACED column reads ‘false’), so it can be used to issue Certificates across all namespaces:
$:> kubectl api-resources | grep clusterissuers
clusterissuers cert-manager.io/v1 false ClusterIssuer
$:>
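The three verification steps above can be turned into a single pass/fail gate. The script below is an added example, not part of the original post or of the cert-manager project; its function names and the `--live` switch are hypothetical, and the expected CRD list is taken from the `kubectl get crd` output shown above.

```shell
#!/bin/sh
# Added example: post-install gate for cert-manager. Function names are hypothetical.

# CRDs that `kubectl get crd | grep cert-manager` lists on this page for v1.8.0.
EXPECTED_CRDS="certificaterequests.cert-manager.io certificates.cert-manager.io
challenges.acme.cert-manager.io clusterissuers.cert-manager.io
issuers.cert-manager.io orders.acme.cert-manager.io"

# stdin: `kubectl get crd` output. Prints every expected CRD that is absent.
missing_crds() {
  have=$(awk '{ print $1 }')
  for crd in $EXPECTED_CRDS; do
    printf '%s\n' "$have" | grep -qxF "$crd" || printf '%s\n' "$crd"
  done
}

# stdin: `kubectl get pods` output. Prints pods that are not Running with all
# containers ready (READY column n/n); header and blank rows are skipped.
unready_pods() {
  awk '$1 == "NAME" || NF == 0 { next }
       { split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) print $1 }'
}

# stdin: `kubectl api-resources` output. Succeeds only if clusterissuers has
# NAMESPACED=false (second-to-last column; SHORTNAMES may be empty).
clusterissuer_is_cluster_scoped() {
  awk '$1 == "clusterissuers" && $(NF-1) == "false" { ok = 1 } END { exit !ok }'
}

# Runs all three checks against the current kubectl context; non-zero on any failure.
verify_cert_manager() {
  ns="${1:-cert-manager}"; rc=0
  miss=$(kubectl get crd | missing_crds)
  [ -z "$miss" ] || { echo "missing CRDs: $miss" >&2; rc=1; }
  pods=$(kubectl get pods -n "$ns") || rc=1
  [ -n "$pods" ] || { echo "no pods found in $ns" >&2; rc=1; }
  bad=$(printf '%s\n' "$pods" | unready_pods)
  [ -z "$bad" ] || { echo "pods not ready: $bad" >&2; rc=1; }
  kubectl api-resources --api-group=cert-manager.io | clusterissuer_is_cluster_scoped ||
    { echo "clusterissuers is not cluster-scoped" >&2; rc=1; }
  return "$rc"
}

# Touch the cluster only when asked: sh verify-cert-manager.sh --live [namespace]
if [ "${1:-}" = "--live" ]; then verify_cert_manager "${2:-cert-manager}"; fi
```

Run with `--live` as a step after `helm upgrade --install`, the non-zero exit code stops a pipeline before any Issuer or Certificate is applied to a half-installed cert-manager.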
And now you have installed cert-manager 😀
In the next post we will see how to use cert-manager in a Traefik deployment.
Conclusion
Long gone are the days when obtaining a TLS certificate was expensive and time-consuming. Install cert-manager in your Kubernetes cluster once and take advantage of free, automated TLS certificate registration and management.