@icicimov
Last active May 5, 2020 09:12
Kubernetes cert-manager deployment
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    name: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager
  labels:
    app: cert-manager
rules:
- apiGroups: ["certmanager.k8s.io"]
  resources: ["certificates", "issuers", "clusterissuers"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager
  labels:
    app: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager
subjects:
- name: cert-manager
  namespace: cert-manager
  kind: ServiceAccount
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: certificates.certmanager.k8s.io
  labels:
    app: cert-manager
spec:
  group: certmanager.k8s.io
  version: v1alpha1
  scope: Namespaced
  names:
    kind: Certificate
    plural: certificates
    shortNames:
    - cert
    - certs
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: issuers.certmanager.k8s.io
  labels:
    app: cert-manager
spec:
  group: certmanager.k8s.io
  version: v1alpha1
  names:
    kind: Issuer
    plural: issuers
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterissuers.certmanager.k8s.io
  labels:
    app: cert-manager
spec:
  group: certmanager.k8s.io
  version: v1alpha1
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    chart: cert-manager-v0.3.0-alpha.5
    release: cert-manager
    heritage: Tiller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
  template:
    metadata:
      labels:
        app: cert-manager
      annotations: {}
    spec:
      serviceAccountName: cert-manager
      containers:
      - name: cert-manager
        image: quay.io/jetstack/cert-manager-controller:v0.3.2
        imagePullPolicy: IfNotPresent
        args:
        - --cluster-resource-namespace=$(POD_NAMESPACE)
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    email: user@domain.com
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-staging
    server: https://acme-staging.api.letsencrypt.org/directory
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: user@domain.com
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v01.api.letsencrypt.org/directory

Set the cert-manager annotations and the TLS secret name on the Ingress as shown below:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: some-name
  namespace: default
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-[staging|prod]"
spec:
  tls:
  - hosts:
    - host.domain.tld
    secretName: host-domain-tls-[staging|prod]
  rules:
  ...
...

When using RBAC and a ServiceAccount for your workload, make sure it has been granted access to the host-domain-tls-[staging|prod] secret, where cert-manager stores the certificate it obtained from Let's Encrypt for the domain.
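One way to grant that access without exposing every secret in the namespace, as an added example that is not part of the gist: a small shell function that emits a Role limited with resourceNames to the single TLS secret plus a RoleBinding for the workload's ServiceAccount. The namespace, ServiceAccount and secret names are caller-supplied assumptions; nothing is applied to a cluster unless you pipe the output to kubectl.

```shell
#!/bin/sh
# Added example, not part of the gist: print a namespaced Role and RoleBinding
# that let one ServiceAccount read exactly one cert-manager TLS secret.
# All names are caller-supplied assumptions; nothing here touches a cluster.
set -eu

# tls_secret_rbac NAMESPACE SERVICEACCOUNT SECRET_NAME
tls_secret_rbac() {
  ns="$1"; sa="$2"; secret="$3"
  # RBAC object names must be DNS-1123 subdomains; reject anything else so a
  # stray character cannot yield a manifest that binds the wrong object.
  for v in "$ns" "$sa" "$secret"; do
    printf '%s\n' "$v" | grep -Eq '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$' \
      || { echo "invalid Kubernetes name: $v" >&2; return 1; }
  done
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-${secret}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["${secret}"]   # this one secret, not every secret in ${ns}
  verbs: ["get"]                 # read-only; list/watch are not name-scoped
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-${secret}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-${secret}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Constructed example using the gist's naming convention; pipe the output to
# "kubectl apply -f -" and confirm with "kubectl auth can-i get
# secret/host-domain-tls-prod --as=system:serviceaccount:default:web -n default".
tls_secret_rbac default web host-domain-tls-prod
```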
