Cert-manager selfsigned as cluster issuer
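#!/usr/bin/env bash
# End-to-end smoke test for cert-manager on a throwaway kind cluster:
#   self-signed ClusterIssuer -> CA Certificate (in cert-manager ns)
#   -> CA-backed ClusterIssuer -> Ingress certificate in another namespace,
# then check that the issued leaf certificate chains to the CA.
#
# Required tools: kind, kubectl, helm, jq, openssl, base64.
# Environment (all optional; defaults are the values this script shipped with):
#   TEST_CLUSTER_NAME     kind cluster name
#   CERT_MANAGER_VERSION  cert-manager chart version to install
#   KIND_IMAGE            kindest/node image for the cluster
#   HELM_REPO_URL         Helm chart repository to add as "jetstack-test"
#
# -u and pipefail are on so that a failing stage of the kubectl|jq|base64
# pipelines below aborts the run instead of silently writing empty files.
set -euxo pipefail

export TEST_CLUSTER_NAME="${TEST_CLUSTER_NAME:-quick-test}"
export CERT_MANAGER_VERSION="${CERT_MANAGER_VERSION:-v1.3.1}"
export KIND_IMAGE="${KIND_IMAGE:-kindest/node:v1.20.2}"
HELM_REPO_URL="${HELM_REPO_URL:-https://charts-test.jetstack.io}"

# Extracted certificates and the TLS private key go into a private (0700)
# temp directory that is removed on every exit path, not into the cwd.
umask 077
workdir=$(mktemp -d)
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

#######################################
# Print one decoded field of a Kubernetes secret to stdout.
# Arguments: $1 namespace, $2 secret name, $3 key under .data
# Returns:   non-zero if the secret or the key is missing (jq -e turns a
#            null lookup into a failure instead of emitting "null")
#######################################
secret_field() {
  kubectl get secret -n "$1" "$2" -o json \
    | jq -er --arg k "$3" '.data[$k]' \
    | base64 -d
}

# Create test cluster
echo "Creating test cluster..."
kind create cluster --name="$TEST_CLUSTER_NAME" --image="$KIND_IMAGE"
# Retried: "wait" can exit non-zero while kube-system pods are still being created.
until kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system; do
  sleep 1
done

# Install cert-manager
echo "Installing cert-manager..."
helm repo add jetstack-test "$HELM_REPO_URL"
helm repo update
helm install \
  cert-manager jetstack-test/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version "$CERT_MANAGER_VERSION" \
  --set installCRDs=true
kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace cert-manager

# Create self signed cluster issuer. Retried because the apply is likely to be
# rejected while cert-manager's admission webhook is still coming up.
echo "Creating self-signed cluster-issuer..."
until kubectl apply -f - <<'EOYAML'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
EOYAML
do
  sleep 1
done
kubectl --timeout=10s wait --for=condition=Ready clusterissuers.cert-manager.io selfsigned-cluster-issuer

# Create CA certificate. If you want to use it as a ClusterIssuer the secret
# must be in the cert-manager namespace:
echo "Creating self-signed certificate..."
kubectl apply -f - <<'EOYAML'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: test-ca
  secretName: test-ca
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOYAML
kubectl --timeout=10s -n cert-manager wait --for=condition=Ready certificates.cert-manager.io test-ca

# Create clusterissuer backed by the CA secret above
echo "Creating CA cluster issuer..."
kubectl apply -f - <<'EOYAML'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: test-ca-cluster-issuer
spec:
  ca:
    secretName: test-ca
EOYAML
kubectl --timeout=10s wait --for=condition=Ready clusterissuers.cert-manager.io test-ca-cluster-issuer

# Create Ingress in a different namespace that should use the new cluster issuer
echo "Creating ingress in namespace ingress-test..."
kubectl create ns ingress-test
kubectl apply -f - <<'EOYAML'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: test-ca-cluster-issuer
  name: test-ingress
  namespace: ingress-test
spec:
  rules:
    - host: example.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: myservice
                port:
                  number: 80
  tls:
    - hosts:
        - example.com
      secretName: myingress-cert
EOYAML
kubectl --timeout=10s -n ingress-test wait --for=condition=Ready certificates.cert-manager.io myingress-cert

# Extract CA, cert, key from the Ingress secret
secret_field ingress-test myingress-cert ca.crt > "$workdir/ca.crt"
secret_field ingress-test myingress-cert tls.crt > "$workdir/tls.crt"
secret_field ingress-test myingress-cert tls.key > "$workdir/tls.key"
# Extract cluster issuer CA
secret_field cert-manager test-ca tls.crt > "$workdir/issuer.crt"

if cmp -s -- "$workdir/issuer.crt" "$workdir/ca.crt"; then
  echo "Issuing CA matches Ingress CA"
else
  echo "Issuing CA doesn't match Ingress CA"
fi
# The leaf must chain to the issuing CA; a failed verify aborts under set -e.
openssl verify -CAfile "$workdir/issuer.crt" "$workdir/tls.crt"

kind delete cluster --name "$TEST_CLUSTER_NAME"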
jonasbg commented Mar 22, 2023

Thank you!
