Developing cert-management locally with a kind cluster

There is a local setup without dependencies to external services.

Setting Up the KinD Cluster

make kind-up

The kubeconfig is written to $PWD/cert-management/dev/kind-kubeconfig.yaml.

This starts a kind cluster with

The pebble server is mapped to localhost:5443 on your local machine. You can use it with the server endpoint https://localhost:5443/dir.

Running cert-controller-manager from command line

Running the cert-controller-manager locally from the command line against the kind cluster is nearly straightforward.

There are two configuration issues to overcome.

  • First, the local setup uses a DNS server running on the kind cluster. For checking DNS propagation, your local cert-controller-manager must use this server (by setting the precheckNameservers). The make target local-issuer-up creates a suitable issuer in the default namespace.
  • Second, as the ACME server uses a self-signed certificate, the local cert-controller-manager must accept it. For this purpose, some environment variables need to be set; the source-lego-env.sh step below does this.

The complete list of steps is:

make local-issuer-up
source ./dev/source-lego-env.sh
export KUBECONFIG=$PWD/dev/kind-kubeconfig.yaml
make build-local
./cert-controller-manager --default-issuer local-issuer --omit-lease

Note: The local issuer cannot be used from within the kind cluster. If you want to deploy the cert-controller-manager on the kind cluster, remove the issuer with

make local-issuer-down

Test if your setup is working

Now you can check if the issuer has been reconciled successfully:

$ kubectl get issuer local-issuer
NAME           SERVER                       EMAIL                    STATUS   TYPE   AGE
local-issuer   https://localhost:5443/dir   [email protected]   Ready    acme   80s

You can add a sample certificate for any subdomain of certman.kind with:

cat << EOF | kubectl apply -f -
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: example
  namespace: default
spec:
  commonName: example.certman.kind
  secretRef:
    name: example
EOF

Check the certificate status; after a few seconds you should see:

$ kubectl get cert example
NAME      COMMON NAME            ISSUER         STATUS   AGE
example   example.certman.kind   local-issuer   Ready    40s

Deploying cert-controller-manager in the KinD cluster

As an alternative to running the cert-controller-manager on your local machine, it can be deployed in the KinD cluster with:

make certman-up

This command will build a container image and deploy it in the default namespace. Additionally, a suitable issuer kind-issuer is created and configured to use the ACME server and DNS server running on the kind cluster.

$ kubectl get deploy
NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
cert-controller-manager   1/1     1            1           20m

Test if your setup is working

You can check if the issuer has been reconciled successfully:

$ kubectl get issuer kind-issuer
NAME          SERVER                                               EMAIL                    STATUS   TYPE   AGE
kind-issuer   https://acme.certman-support.svc.cluster.local/dir   [email protected]   Ready    acme   17m

You can add a sample certificate for any subdomain of certman.kind with:

cat << EOF | kubectl apply -f -
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: example
  namespace: default
spec:
  commonName: example.certman.kind
  secretRef:
    name: example
EOF

Check the certificate status; after a few seconds you should see:

$ kubectl get cert example
NAME      COMMON NAME            ISSUER        STATUS   AGE
example   example.certman.kind   kind-issuer   Ready    8m50s
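Instead of re-running kubectl get cert by hand, the readiness check from both test sections above (local issuer and kind-issuer) can be scripted, and the issued certificate inspected to confirm it really came from the local pebble CA. This is an added helper, not part of cert-management; it assumes KUBECONFIG points at the kind cluster and that the secretRef target is a kubernetes.io/tls secret with a tls.crt key.

```shell
# Added helper (not from the cert-management repo). Polls the sample
# Certificate until the STATUS column reports Ready, then decodes the
# issued leaf certificate so subject, issuer and SANs can be verified.

# Constructed sample of `kubectl get cert` output, used for a self-check.
SAMPLE_CERT_TABLE='NAME      COMMON NAME            ISSUER         STATUS   AGE
example   example.certman.kind   local-issuer   Ready    40s'

# Print the STATUS column for one certificate from `kubectl get cert` output.
# Column order as shown in this guide: NAME, COMMON NAME, ISSUER, STATUS, AGE.
cert_status() {
  awk -v n="$1" 'NR > 1 && $1 == n { print $4 }'
}

# Poll `kubectl get cert <name>` until STATUS is Ready or the timeout (seconds,
# default 120) expires. On timeout the full object is dumped for troubleshooting.
wait_for_cert_ready() {
  local name="$1" timeout="${2:-120}" elapsed=0 status
  while [ "$elapsed" -lt "$timeout" ]; do
    status="$(kubectl get cert "$name" 2>/dev/null | cert_status "$name")"
    if [ "$status" = "Ready" ]; then
      echo "certificate $name is Ready after ${elapsed}s"
      return 0
    fi
    sleep 5
    elapsed=$((elapsed + 5))
  done
  echo "timed out after ${timeout}s waiting for certificate $name (status: ${status:-none})" >&2
  kubectl get cert "$name" -o yaml >&2 || true
  return 1
}

# Decode the issued leaf certificate from the secret and show the fields worth
# checking in a local ACME setup: the issuer must be the local pebble CA, the
# SAN list must match the requested commonName, and the validity window is short.
# Assumes the secret holds the certificate under the key "tls.crt".
show_issued_cert() {
  kubectl get secret "$1" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d \
    | openssl x509 -noout -subject -issuer -ext subjectAltName -dates
}

# Usage (source this file first):
#   wait_for_cert_ready example && show_issued_cert example
```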

Removing the cert-controller-manager deployment

To remove the deployment and issuer, use

make certman-down

Deletion of KinD Cluster

make kind-down

This deletes the Kind cluster.