```bash
# ingress-nginx controller
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install quickstart ingress-nginx/ingress-nginx

# sample application (Deployment + Service) from the cert-manager tutorial
kubectl apply -f https://netlify.cert-manager.io/docs/tutorials/acme/example/deployment.yaml
kubectl apply -f https://netlify.cert-manager.io/docs/tutorials/acme/example/service.yaml

# cert-manager: namespace, Helm repo and CRDs
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.crds.yaml
```
Or install the CRDs together with cert-manager via Helm (keep the `--set installCRDs=true` line if you want Helm to install the CRDs; drop it if you already applied them with kubectl above):

```bash
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.3.1 \
  --set installCRDs=true
```
Verify the installation with the test resources:

```bash
kubectl apply -f test-resources.yaml
kubectl describe certificate -n cert-manager-test
kubectl delete -f test-resources.yaml
```

Note: alternatively, the installation can be verified with the [cert-manager-verifier](https://github.com/alenkacz/cert-manager-verifier) tool.
Install the Issuers. Edit the files to use your own email address. (If needed, change `kind` to `Issuer` instead of `ClusterIssuer`.)

```bash
kubectl apply -f staging_issuer.yaml
kubectl apply -f prod_issuer.yaml
```
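As an added example (not the page's own `staging_issuer.yaml` and `prod_issuer.yaml`), this is what the two ClusterIssuers look like for Let's Encrypt with the HTTP-01 solver served through the nginx ingress class. The issuer names match the annotations used in the Ingress manifests on this page; the email address and the account-key secret names are placeholders you replace:

```yaml
# Added example, not the page's own issuer files.
# Placeholders: the email address and the privateKeySecretRef names.
# Start with the staging issuer: its rate limits are generous, so a
# misconfigured Ingress does not exhaust the production quota.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: you@example.com                  # placeholder: your contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key # ACME account key, kept in the cert-manager namespace
    solvers:
    - http01:
        ingress:
          class: nginx                      # solve challenges via the ingress-nginx controller
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: you@example.com                  # placeholder: your contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key    # separate account key for production
    solvers:
    - http01:
        ingress:
          class: nginx
```

A ClusterIssuer is cluster-scoped, so any namespace can reference it from an Ingress annotation; if only one namespace should be able to request certificates, use a namespaced `Issuer` as the page suggests. Certificates from the staging issuer are signed by an untrusted test CA, so browsers will warn about them; that is expected, and you switch the annotation to `letsencrypt-prod` only after the staging Certificate reaches the Ready condition.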
- Add the `cert-manager.io/cluster-issuer` annotation pointing to your staging issuer.
- Add or adjust the `spec.tls` section (`hosts`, `secretName`).
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    #nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - kuard.example.com
    secretName: kuard-tls-cert   # cert-manager stores the issued certificate here
  rules:
  - host: kuard.example.com
    http:
      paths:
      - path: /
        pathType: Exact          # matches only "/"; use Prefix to route every path to kuard
        backend:
          service:
            name: kuard
            port:
              number: 80
```
```bash
kubectl apply -f ingress-resource-sample.yaml -n healthtracker
kubectl get ingress kuard -o yaml -n healthtracker
kubectl describe ingress kuard -n healthtracker
kubectl describe certificate -n healthtracker
kubectl get secret -n healthtracker
# show the response headers (including any redirect to HTTPS)
wget --save-headers -O- kuard.example.com
kubectl apply -f ingress-resource-sample.yaml -n healthtracker
```
Note: you can verify the certificate creation with the commands below:

```bash
kubectl get certificate
kubectl get challenges
kubectl get ingress
kubectl get secrets
```
While issuing a certificate, cert-manager by default creates a separate temporary Ingress to serve the HTTP-01 challenge. On GCP, creating that extra Ingress fails, so add the annotation below to your Ingress; cert-manager then adds the temporary challenge route to the existing Ingress instead of creating a new one.

```yaml
acme.cert-manager.io/http01-edit-in-place: "true"
```
The final Ingress resource looks like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    acme.cert-manager.io/http01-edit-in-place: "true"
spec:
  tls:
  - hosts:
    - test.example.com
    secretName: test-cert
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        pathType: Exact
        backend:
          service:
            name: kuard
            port:
              number: 80
```
References: Cert-Manager