@harivemula
Last active June 1, 2023 12:44
Installing Cert manager in GCP GKE cluster on Nginx Ingress.

Installing & Configuring 'cert-manager' on a GKE cluster with Nginx ingress

Confirm that you still need an ingress controller before running the commands below, which install ingress-nginx with Helm:

  • helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  • helm install quickstart ingress-nginx/ingress-nginx

Install a sample service

  • kubectl apply -f https://netlify.cert-manager.io/docs/tutorials/acme/example/deployment.yaml
  • kubectl apply -f https://netlify.cert-manager.io/docs/tutorials/acme/example/service.yaml

Installing Cert-Manager using helm

  • kubectl create namespace cert-manager
  • helm repo add jetstack https://charts.jetstack.io
  • helm repo update

Install the CRDs with one of the two options below, then verify that they were created.

Manually

  • kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.crds.yaml

Or with Helm as part of the cert-manager installation (keep the `--set installCRDs=true` line if you use this method to install the CRDs; drop it if you installed them manually):

```shell
helm install cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --create-namespace \
    --version v1.3.1 \
    --set installCRDs=true
```

Test the cert-manager installation by creating a temporary self-signed certificate (test-resources.yaml is included at the end of this gist):

  • kubectl apply -f test-resources.yaml
  • kubectl describe certificate -n cert-manager-test
  • kubectl delete -f test-resources.yaml

Note: alternatively, the installation can be verified with the cert-manager-verifier tool (https://github.com/alenkacz/cert-manager-verifier).

Install the issuers after editing the files to use your email address. (If needed, change the kind to Issuer instead of ClusterIssuer.)

  • kubectl apply -f staging_issuer.yaml
  • kubectl apply -f prod_issuer.yaml

Configure the Ingress with the staging issuer first; once that works, switch it to the production issuer.

  • Add the annotation (cert-manager.io/cluster-issuer) pointing to your staging issuer.
  • Add or adjust the spec section with tls.hosts and tls.secretName:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    #nginx.ingress.kubernetes.io/ssl-redirect: "false"

spec:
  tls:
  - hosts:
    - kuard.example.com
    secretName: kuard-tls-cert
  rules:
  - host: kuard.example.com
    http:
      paths:
      - path: /
        pathType: Exact
        backend:
          service:
            name: kuard
            port:
              number: 80
```
  • kubectl apply -f ingress-resource-sample.yaml -n healthtracker
  • kubectl get ingress kuard -o yaml -n healthtracker
  • kubectl describe ingress kuard -n healthtracker
  • kubectl describe certificate -n healthtracker
  • kubectl get secret -n healthtracker
  • wget --save-headers -O- kuard.example.com

Change the ingress resource to the production issuer and apply the change.

  • kubectl apply -f ingress-resource-sample.yaml -n healthtracker

Note: you can verify certificate creation with the following:

  • kubectl get certificate
  • kubectl get challenges
  • kubectl get ingress
  • kubectl get secrets

When creating the certificate, cert-manager tries to create a separate temporary Ingress for the HTTP-01 challenge; on GCP this extra Ingress fails to be created. Add the annotation below so that cert-manager instead edits the existing Ingress in place and adds the temporary challenge route there.

acme.cert-manager.io/http01-edit-in-place: "true"
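To make the "verify the cert creation" step above less manual, here is a small triage script (an added example, not part of the gist) that reads the JSON printed by `kubectl get certificate,order,challenge -A -o json` and, for every Certificate that is not Ready, lists the ACME Challenges for its dnsNames together with their state and reason. That is where the "challenge ingress could not be created" symptom discussed above shows up. The `SAMPLE` object is constructed for the example; the field names (`status.conditions`, `status.state`, `status.reason`, `spec.dnsName`) are cert-manager's own.

```python
"""Triage cert-manager issuance from `kubectl get certificate,order,challenge -A -o json`.
Usage:  kubectl get certificate,order,challenge -A -o json | python triage.py
With no stdin it runs on the constructed SAMPLE below (example data, not from a cluster)."""
import json
import sys


def ready_condition(obj):
    """Return (status, reason, message) of the object's Ready condition, or None."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status"), cond.get("reason", ""), cond.get("message", "")
    return None


def triage(items):
    """Map 'namespace/name' of every Certificate to its readiness and, when it is
    not Ready, the Challenges in the same namespace that cover its dnsNames."""
    challenges = [i for i in items if i.get("kind") == "Challenge"]
    report = {}
    for obj in items:
        if obj.get("kind") != "Certificate":
            continue
        ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        cond = ready_condition(obj)
        entry = {
            "ready": cond is not None and cond[0] == "True",
            "reason": cond[1] if cond else "NoReadyCondition",
            "message": cond[2] if cond else "",
            "secret": obj["spec"].get("secretName"),
            "challenges": [],
        }
        if not entry["ready"]:
            wanted = set(obj["spec"].get("dnsNames", []))
            for ch in challenges:
                if ch["metadata"]["namespace"] == ns and ch["spec"].get("dnsName") in wanted:
                    st = ch.get("status", {})
                    entry["challenges"].append({
                        "dnsName": ch["spec"]["dnsName"],
                        "type": ch["spec"].get("type"),
                        "state": st.get("state"),
                        "reason": st.get("reason", ""),
                    })
        report[f"{ns}/{name}"] = entry
    return report


# Constructed sample: one issued certificate and one stuck behind a pending HTTP-01 challenge.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Certificate",
     "metadata": {"namespace": "healthtracker", "name": "kuard-tls-cert"},
     "spec": {"dnsNames": ["kuard.example.com"], "secretName": "kuard-tls-cert"},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                                "message": "Certificate is up to date and has not expired"}]}},
    {"kind": "Certificate",
     "metadata": {"namespace": "healthtracker", "name": "test-cert"},
     "spec": {"dnsNames": ["test.example.com"], "secretName": "test-cert"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                "message": "Issuing certificate as Secret does not exist"}]}},
    {"kind": "Challenge",
     "metadata": {"namespace": "healthtracker", "name": "test-cert-abc123-0"},
     "spec": {"dnsName": "test.example.com", "type": "HTTP-01"},
     "status": {"state": "pending", "presented": True,
                "reason": "Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'"}},
]}


def main():
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    data = json.loads(raw) if raw.strip() else SAMPLE
    for key, e in triage(data["items"]).items():
        status = "READY" if e["ready"] else f"NOT READY ({e['reason']}: {e['message']})"
        print(f"{key:40} secret={str(e['secret']):<20} {status}")
        for ch in e["challenges"]:
            print(f"    challenge {ch['type']} {ch['dnsName']}: state={ch['state']} {ch['reason']}")


if __name__ == "__main__":
    main()
```

A Certificate whose Ready condition is False but that has no matching Challenge usually means the Order has not got that far yet (check `kubectl describe order -n <ns>`); a Challenge stuck in `pending` with a 404 reason means the ACME server could not reach the challenge path through your ingress, which is exactly the situation the edit-in-place annotation is meant to fix.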

The final Ingress resource looks like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    acme.cert-manager.io/http01-edit-in-place: "true"
spec:
  tls:
  - hosts:
    - test.example.com
    secretName: test-cert
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        pathType: Exact
        backend:
          service:
            name: kuard
            port:
              number: 80
```
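Because the staging-then-production switch and the GKE edit-in-place annotation are both easy to get wrong by hand, here is a pre-apply lint (an added example, not part of the gist or of cert-manager) for the Ingress / ClusterIssuer pair used above. It checks that the `cert-manager.io/cluster-issuer` annotation names a known issuer, warns when that issuer points at the Let's Encrypt staging CA (whose certificates browsers do not trust), verifies that every `tls.hosts` entry has a matching rule and a `secretName`, that the solver's ingress class matches the Ingress class, and that the `http01-edit-in-place` annotation is set. Manifests are handled as Python dicts, i.e. what `yaml.safe_load()` returns for the YAML files; `build_ingress()` and `ISSUERS` reproduce the gist's manifests in that form and are constructed here.

```python
"""Pre-apply lint for the Ingress / ClusterIssuer manifests used in this gist.
build_ingress() and ISSUERS mirror the gist's YAML as dicts (constructed here);
lint_ingress() returns a list of 'ERROR: ...' / 'WARN: ...' findings."""

STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"
PROD_ACME = "https://acme-v02.api.letsencrypt.org/directory"


def _issuer(name, server):
    """Minimal ClusterIssuer dict in the shape of prod_issuer.yaml / staging_issuer.yaml."""
    return {"kind": "ClusterIssuer", "metadata": {"name": name},
            "spec": {"acme": {"server": server,
                              "privateKeySecretRef": {"name": name},
                              "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}}


# Known issuers keyed by name, as defined in this gist.
ISSUERS = {"letsencrypt-prod": _issuer("letsencrypt-prod", PROD_ACME),
           "letsencrypt-staging": _issuer("letsencrypt-staging", STAGING_ACME)}


def build_ingress(host, issuer, secret="test-cert", tls_host=None,
                  edit_in_place=True, ssl_redirect=None):
    """Ingress in the shape of the gist's final resource. tls_host lets a caller
    create a tls/rules host mismatch; ssl_redirect sets the nginx annotation."""
    ann = {"kubernetes.io/ingress.class": "nginx",
           "cert-manager.io/cluster-issuer": issuer}
    if edit_in_place:
        ann["acme.cert-manager.io/http01-edit-in-place"] = "true"
    if ssl_redirect is not None:
        ann["nginx.ingress.kubernetes.io/ssl-redirect"] = ssl_redirect
    path = {"path": "/", "pathType": "Exact",
            "backend": {"service": {"name": "kuard", "port": {"number": 80}}}}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": "kuard", "annotations": ann},
            "spec": {"tls": [{"hosts": [tls_host or host], "secretName": secret}],
                     "rules": [{"host": host, "http": {"paths": [path]}}]}}


def lint_ingress(ingress, issuers):
    """Return findings for one Ingress given a name -> issuer manifest mapping."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})

    # 1. The issuer cert-manager's ingress-shim will use, and what CA it talks to.
    issuer_name = ann.get("cert-manager.io/cluster-issuer") or ann.get("cert-manager.io/issuer")
    if not issuer_name:
        findings.append("ERROR: no cert-manager.io/cluster-issuer or cert-manager.io/issuer "
                        "annotation; cert-manager will not create a Certificate")
    elif issuer_name not in issuers:
        findings.append(f"ERROR: issuer '{issuer_name}' is not among the known issuers")
    else:
        acme = issuers[issuer_name].get("spec", {}).get("acme", {})
        if acme.get("server") == STAGING_ACME:
            findings.append(f"WARN: '{issuer_name}' uses the Let's Encrypt staging CA; "
                            "browsers will not trust the issued certificate")
        ing_class = ann.get("kubernetes.io/ingress.class") or spec.get("ingressClassName")
        for solver in acme.get("solvers", []):
            solver_class = solver.get("http01", {}).get("ingress", {}).get("class")
            if solver_class and ing_class and solver_class != ing_class:
                findings.append(f"WARN: http01 solver class '{solver_class}' differs from "
                                f"ingress class '{ing_class}'; the challenge route may not be served")

    # 2. TLS block: every tls host needs a rule, every rule host should have TLS.
    rule_hosts = {r.get("host") for r in spec.get("rules", []) if r.get("host")}
    tls_hosts = set()
    for i, tls in enumerate(spec.get("tls", [])):
        if not tls.get("secretName"):
            findings.append(f"ERROR: tls[{i}] has no secretName; ingress-shim names the Certificate after it")
        if not tls.get("hosts"):
            findings.append(f"ERROR: tls[{i}] lists no hosts")
        tls_hosts.update(tls.get("hosts", []))
    for h in sorted(tls_hosts - rule_hosts):
        findings.append(f"ERROR: tls host '{h}' has no matching rule")
    for h in sorted(rule_hosts - tls_hosts):
        findings.append(f"WARN: rule host '{h}' is served without TLS")
    if not spec.get("tls"):
        findings.append("ERROR: spec.tls is missing; ingress-shim only issues for hosts listed there")

    # 3. The GKE workaround from this gist, and the redirect toggle.
    if ann.get("acme.cert-manager.io/http01-edit-in-place") != "true":
        findings.append("WARN: acme.cert-manager.io/http01-edit-in-place is not 'true'; "
                        "on GKE the separate challenge ingress may fail to be created")
    if ann.get("nginx.ingress.kubernetes.io/ssl-redirect") == "false":
        findings.append("WARN: ssl-redirect is disabled; plain-HTTP requests are not forced to HTTPS")
    return findings


if __name__ == "__main__":
    for name in ("letsencrypt-staging", "letsencrypt-prod"):
        print(name, lint_ingress(build_ingress("test.example.com", name), ISSUERS) or ["OK"])
```

Run it before each `kubectl apply`: the staging variant of the Ingress should produce exactly the staging-CA warning, and the production variant should come back clean. To lint the YAML files directly, load them with `yaml.safe_load()` and pass the resulting dicts to `lint_ingress()`.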

References: Cert-Manager

prod_issuer.yaml

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager   # ignored: ClusterIssuer is cluster-scoped
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <YOUR_EMAIL>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```

staging_issuer.yaml

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager   # ignored: ClusterIssuer is cluster-scoped
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <YOUR_EMAIL>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```

test-resources.yaml

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
```