cert-manager is a native Kubernetes certificate management controller. It can issue certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed. For more details, see here.
Install it into its own namespace:
kubectl create namespace cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
Verify with:
kubectl get pods --namespace cert-manager
To generate a certificate, first create an Issuer object; a certificate can then be requested against this Issuer. The Issuer object is scoped to a namespace; therefore, the YAML below first creates a namespace. Save the YAML below as issuer.yaml and create the objects (Issuer and Certificate) with kubectl apply -f issuer.yaml.
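# Namespace that holds the Issuer and the Certificate
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
# Self-signed Issuer, usable only inside cert-manager-test
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
# Certificate requested from the Issuer above; the key pair and
# certificate are written to the Secret named by secretName
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  commonName: example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned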
Read the issued certificate data back from the selfsigned-cert-tls secret:
kubectl get secret/selfsigned-cert-tls -n cert-manager-test -o jsonpath='{ .data.ca\.crt }'
kubectl get secret/selfsigned-cert-tls -n cert-manager-test -o jsonpath='{ .data.tls\.crt }'
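The two kubectl get secret commands above print base64-encoded PEM, which says nothing about the certificate until it is decoded. The following is an added example, not part of the original page: shell helpers that decode a Secret field and check subject, issuer, self-signature and expiry with openssl. The function names are hypothetical, and the sample certificate is constructed locally so the script runs without a cluster.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a certificate stored in a
# Kubernetes TLS Secret. Secret .data values are base64-encoded PEM.
# Against a cluster, feed it the page's command:
#   kubectl get secret/selfsigned-cert-tls -n cert-manager-test \
#     -o jsonpath='{ .data.tls\.crt }' | decode_secret_value | cert_summary

# Decode one Secret .data value (base64 on stdin) to PEM on stdout.
decode_secret_value() { base64 -d; }

# Print subject, issuer and validity window of the PEM certificate on stdin.
cert_summary() { openssl x509 -noout -subject -issuer -dates -nameopt RFC2253; }

# Print the subject or issuer DN ($1 = subject|issuer) of the PEM cert on stdin.
cert_name() { openssl x509 -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Succeed only if the cert on stdin names itself as issuer AND its signature
# verifies under its own public key (-check_ss_sig forces that check).
is_self_signed() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    rc=1
    if [ "$(cert_name subject < "$tmp")" = "$(cert_name issuer < "$tmp")" ] &&
       openssl verify -check_ss_sig -CAfile "$tmp" "$tmp" >/dev/null 2>&1; then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Succeed if the cert on stdin expires within $1 seconds (renewal alerting).
expires_within() { ! openssl x509 -noout -checkend "$1" >/dev/null; }

# Constructed sample: a throwaway self-signed cert, base64-encoded on one line
# the way kubectl prints a Secret field. Stands in for real cluster output.
make_sample_value() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=example.com" -days 30 2>/dev/null | base64 | tr -d '\n'
}

# Offline demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_sample_value | decode_secret_value | cert_summary
fi
```

A certificate that passes is_self_signed chains to nothing but itself, so clients must be given that exact certificate as a trust anchor before they can validate it.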