@khernyo
Last active May 11, 2020 18:02
cert-manager-istio

Cert Manager Istio notes

  • set the docker image tag and helm chart version:

    NOTE: APP_VERSION must be in semver format, otherwise building the helm charts fails silently (no error message).

    export APP_VERSION=0.15.0-dev
    
  • install bazelisk (or bazel)

  • build and test all (just FYI, not necessary):

    bazel build //...
    bazel test //...
    
  • update deps (after modifying go.mod or adding/removing any imports):

    ./hack/update-deps.sh
    
  • generate code (this also updates deps):

    make generate
    
  • build docker image of controller (other image names can be found in build/BUILD.bazel: DOCKERIZED_BINARIES)

    # override docker registry and image tag
    export DOCKER_REGISTRY=docker.io/<username>
    #export APP_VERSION=0.15.0-dev
    bazel run --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //build:controller

    NOTE: make images also works, but only on master, not on release-1.5.

  • install cert-manager:

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
    
  • TODO: install modified CRD

    #export APP_VERSION=0.15.0-dev
    bazel build //deploy:manifests
    kubectl apply -f bazel-bin/deploy/crds/crds.regular.yaml      
    
  • Permissions for istio resources (this inserts a rule into the challenges ClusterRole, so the controller gets get/list/watch/create/delete/update on every Gateway and VirtualService in the cluster, not just in the solver namespace):

    kubectl patch clusterrole cert-manager-controller-challenges --type='json' \
    -p='[
      {
        "op": "add",
        "path":"/rules/0",
        "value":{
        "apiGroups": ["networking.istio.io"],
        "resources": ["gateways", "virtualservices"],
        "verbs": ["get", "list", "watch", "create", "delete", "update"]
        }
      }
    ]'
    
  • override the controller docker image (the dev tag is mutable, so imagePullPolicy is set to Always and the image is re-pulled on every pod start):

    kubectl patch deployment -n cert-manager cert-manager --type='json' \
      -p="[
        {\"op\": \"replace\", \"path\":\"/spec/template/spec/containers/0/image\", \"value\":\"${DOCKER_REGISTRY}/cert-manager-controller-amd64:${APP_VERSION}\"},
        {\"op\": \"replace\", \"path\":\"/spec/template/spec/containers/0/imagePullPolicy\", \"value\":\"Always\"}
      ]"
    
  • TODO: create an issuer with the istio solver. Something like this, but it doesn't work yet (needs the modified CRD):

    kubectl apply -f - <<EOF
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        # You must replace this email address with your own.
        # Let's Encrypt will use this to contact you about expiring
        # certificates, and issues related to your account.
        email: <email-address>
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # Secret resource that will be used to store the account's private key.
          name: example-issuer-account-key
        # Add a single challenge solver: HTTP01 using the istio gateway (needs the modified CRD)
        solvers:
        - http01:
            istio: {}
    EOF
    
  • test:

    INGRESS_DOMAIN=your.test.domain

    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
      name: ingress-cert
      namespace: istio-system
    spec:
      secretName: ingress-cert
      issuerRef:
        name: letsencrypt-staging
        kind: ClusterIssuer
      commonName: $INGRESS_DOMAIN
      dnsNames:
      - $INGRESS_DOMAIN
    EOF
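  • verify (added example, not part of the gist or of cert-manager): a script that checks the outcome of the steps above. It confirms via `kubectl auth can-i` that the patched ClusterRole really lets the controller's service account act on istio Gateways and VirtualServices, waits for the test Certificate to become Ready, and inspects the issued leaf: the issuer must be the Let's Encrypt staging CA (a production issuer means the ClusterIssuer `server` is wrong) and the SAN list must contain the exact domain. The service account `system:serviceaccount:cert-manager:cert-manager` and the resource names are assumptions taken from the manifests above; the helpers that parse openssl/kubectl output are pure so they can be run without a cluster.

```bash
#!/usr/bin/env bash
# Post-install checks for the cert-manager + istio HTTP01 setup above.
# Added example; names below are assumptions matching the gist's manifests.
set -euo pipefail

CERT_NS="${CERT_NS:-istio-system}"        # namespace of the test Certificate
CERT_NAME="${CERT_NAME:-ingress-cert}"    # Certificate and Secret name
# Assumption: the controller runs as ServiceAccount "cert-manager" in
# namespace "cert-manager", as created by cert-manager.yaml.
CM_SA="${CM_SA:-system:serviceaccount:cert-manager:cert-manager}"

# --- pure helpers (no cluster access; testable offline) --------------------

# Succeeds if an `openssl x509 -noout -issuer` line names the Let's Encrypt
# staging CA ("Fake LE Intermediate X1" historically, "(STAGING) ..." today).
is_staging_issuer() {
  case "$1" in
    *"Fake LE"*|*STAGING*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds if the `openssl x509 -noout -ext subjectAltName` text ($1) lists
# DNS:$2 exactly (no substring or wildcard matching).
san_has_dns() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -xF "DNS:$2" >/dev/null
}

# Succeeds if $1 is non-empty and every line of it is exactly "yes"
# (one `kubectl auth can-i` answer per line).
all_yes() {
  [ -n "$1" ] || return 1
  ! printf '%s' "$1" | grep -vx 'yes' >/dev/null
}

# --- cluster checks --------------------------------------------------------

# Ask the API server, as the controller's SA, for every verb the patched
# ClusterRole is supposed to grant on the istio resources, cluster-wide.
check_rbac() {
  local answers="" answer verb res
  for res in gateways.networking.istio.io virtualservices.networking.istio.io; do
    for verb in get list watch create delete update; do
      # can-i exits non-zero on "no"; keep the answer instead of aborting
      answer="$(kubectl auth can-i "$verb" "$res" -A --as="$CM_SA" || true)"
      answers="${answers}${answer}
"
    done
  done
  all_yes "$answers"
}

# Wait for the Certificate, then inspect the leaf stored in its Secret.
check_certificate() {
  local domain="$1" pem issuer san
  kubectl wait --for=condition=Ready "certificate/$CERT_NAME" -n "$CERT_NS" --timeout=300s
  pem="$(kubectl get secret "$CERT_NAME" -n "$CERT_NS" -o jsonpath='{.data.tls\.crt}' | base64 -d)"
  issuer="$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)"
  san="$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName)"
  echo "$issuer"
  is_staging_issuer "$issuer" || { echo "issuer is not the LE staging CA" >&2; return 1; }
  san_has_dns "$san" "$domain" || { echo "SAN does not contain DNS:$domain" >&2; return 1; }
  # Any Challenge still listed here has not completed (solver resources linger).
  kubectl get challenges.acme.cert-manager.io -A
}

# Only talk to the cluster when a domain is given, e.g.
#   INGRESS_DOMAIN=your.test.domain ./verify-istio-http01.sh
if [ -n "${INGRESS_DOMAIN:-}" ]; then
  check_rbac || { echo "cert-manager SA lacks istio permissions" >&2; exit 1; }
  check_certificate "$INGRESS_DOMAIN"
  echo "all checks passed"
fi
```

    A staging certificate is not trusted by browsers; once these checks pass, the same Certificate can be re-issued against the production ACME directory by changing the ClusterIssuer's `server`.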
    