@matiasah
Last active January 1, 2023 22:04
Install Cert Manager

Installing Cert Manager

Install Helm Chart

Add repository

helm repo add jetstack https://charts.jetstack.io
helm repo update

Install Cert Manager

helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --version v1.10.1 \
  --set installCRDs=true   # let the chart install and manage the cert-manager CRDs

Configure Issuer

Apply the staging ClusterIssuer. Let's Encrypt staging issues certificates from a test CA that no client trusts, but it has generous rate limits, so use it to prove that the HTTP-01 challenge is reachable through the Istio ingress before touching production. Replace YOUR-EMAIL-GOES-HERE with a monitored address; Let's Encrypt sends expiry and incident notices to it. For a ClusterIssuer, the ACME account private key named in privateKeySecretRef is stored in cert-manager's own namespace (cert-manager, as installed above), so restrict access to that secret.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR-EMAIL-GOES-HERE
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: istio

Apply the prod ClusterIssuer. It is identical to the staging one except for the ACME server URL and the account key secret name. Production issues publicly trusted certificates but enforces much stricter rate limits, and failed orders count against them, so switch to it only once the staging flow works end to end.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR-EMAIL-GOES-HERE
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: istio

Configure Certificates

Apply the staging Certificate. Create it in the namespace where the Istio ingress gateway pods run (gateway here): Istio hands a credentialName secret to the gateway over SDS only from the gateway workload's own namespace, so a Certificate in any other namespace produces a secret the gateway cannot use.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ingressgateway-staging
  namespace: gateway
spec:
  secretName: istio-ingressgateway-staging
  commonName: my.example.com
  dnsNames:
  - my.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

Wait until the READY column shows True. cert-manager writes the istio-ingressgateway-staging secret only after the HTTP-01 challenge has been validated; if READY stays False, inspect the Certificate, Order and Challenge resources in the gateway namespace for the failing step.

kubectl get certificate -n gateway

Apply the prod Certificate once the staging one is Ready. This secret is the one the gateway will present to clients, so it is the only one that should ever front real traffic.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ingressgateway-prod
  namespace: gateway
spec:
  secretName: istio-ingressgateway-prod
  commonName: my.example.com
  dnsNames:
  - my.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Adjust Gateway Certificate

Edit the Gateway resource that fronts the host:

kubectl edit gateway istio-ingressgateway -n gateway

On the HTTPS server entry, set tls.mode to SIMPLE (server-side TLS termination, no client certificates requested) and tls.credentialName to the Certificate's secretName. The secret is not mounted into the pod; Istio delivers it to the gateway via SDS and picks up the new key pair automatically when cert-manager renews the certificate. Point credentialName at istio-ingressgateway-prod for real traffic; the staging secret is for testing only, since clients will reject its chain.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    ...
  name: ...
  namespace: ...
spec:
  selector:
    ...
  servers:
  ...
  - hosts:
    - ...
    port:
      ...
    tls:
      mode: SIMPLE
      credentialName: istio-ingressgateway-prod
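
The following script is an added example and is not part of the gist. It checks the whole procedure above end to end: the Certificate reaches Ready, the issued secret decodes to a certificate with the expected subject, SANs, issuer and expiry, and the Istio gateway actually presents that certificate (same SHA-256 fingerprint) for the host rather than a stale or staging one. It assumes kubectl and openssl are on PATH and reuses the gateway namespace and resource names from the gist; the function names, exit codes and the NAMESPACE override are my own.

```shell
#!/usr/bin/env bash
# check_gateway_cert.sh  (added example, not from the gist)
# Usage: ./check_gateway_cert.sh <certificate-name> <hostname>
#   e.g. ./check_gateway_cert.sh istio-ingressgateway-prod my.example.com
# Assumes kubectl and openssl on PATH; NAMESPACE defaults to "gateway" as in the gist.
set -eu

NAMESPACE="${NAMESPACE:-gateway}"

# Classify an `openssl x509 -issuer` line. Let's Encrypt staging issuers carry
# "(STAGING)" in their names and chain to a root that no client trusts.
classify_issuer() {
  case "$1" in
    *"(STAGING)"*)     echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo other ;;
  esac
}

# Block until cert-manager reports Ready=True (the ACME challenge succeeded).
wait_ready() {
  kubectl wait --for=condition=Ready "certificate/$1" -n "$NAMESPACE" --timeout="${2:-300s}"
}

# PEM of the leaf certificate cert-manager stored in the secret.
secret_pem() {
  kubectl get secret "$1" -n "$NAMESPACE" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# PEM of the leaf certificate the gateway presents for this SNI name.
served_pem() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Helpers that read a PEM certificate on stdin.
fingerprint()  { openssl x509 -noout -fingerprint -sha256; }
issuer_line()  { openssl x509 -noout -issuer; }

main() {
  cert="$1"; host="$2"
  secret="$(kubectl get certificate "$cert" -n "$NAMESPACE" -o jsonpath='{.spec.secretName}')"

  wait_ready "$cert"
  echo "== issued certificate in secret $NAMESPACE/$secret"
  secret_pem "$secret" | openssl x509 -noout -subject -issuer -ext subjectAltName -enddate

  issued_fp="$(secret_pem "$secret" | fingerprint)"
  served_fp="$(served_pem "$host" | fingerprint)"
  served_issuer="$(served_pem "$host" | issuer_line)"
  kind="$(classify_issuer "$served_issuer")"
  echo "== gateway serves: $served_issuer [$kind]"

  # The gateway must present exactly the certificate cert-manager issued.
  if [ "$issued_fp" != "$served_fp" ]; then
    echo "MISMATCH: $host is not serving $secret; check tls.credentialName and that the" \
         "secret lives in the gateway pods' namespace" >&2
    exit 2
  fi
  # A staging chain in front of clients is a misconfiguration, not a success.
  if [ "$kind" = staging ]; then
    echo "WARNING: staging certificate in front of clients; point credentialName at the prod secret" >&2
    exit 3
  fi
  echo "OK: $host serves the $kind certificate from $secret"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it once against istio-ingressgateway-staging to confirm the plumbing (expect exit code 3, since the gateway would be serving a staging chain), then against istio-ingressgateway-prod after switching credentialName, where exit code 0 means clients receive the trusted production certificate.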