-
Notifications
You must be signed in to change notification settings - Fork 36
Using cert manager to enroll certificate in Kubernetes environments
grindsa edited this page Dec 18, 2021
·
9 revisions
I don not really have a full kubernets environment. Thus, I was using https://microk8s.io/ for testing.
- cert-manager must be installed. See instructions for further information. (I was installing with regular manifest but did change to helm to ensure that I always use the latest version)
The below steps based on instructions taken from cert-manager documention. Cert-manager can run as Issuser
or ClusterIssuer
ressource. The below configuration example uses Issuer
ressource; an ClusterIssuer
configuration is part of the release regression testing both http-01
and dns-01
challenge validation.
- Create an issuer configuration file as below
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager-acme
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: acme2certifier
namespace: cert-manager-acme
spec:
acme:
email: [email protected]
server: http://192.168.14.1/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: acme-cert
namespace: cert-manager-acme
spec:
secretName: k8-acme-secret
issuerRef:
name: acme2certifier
dnsNames:
- k8-acme.bar.local
# optional but recommended to avoid reenrollment loops in case of short certificate lifetimes
renewBefore: 48h
- apply the configuration. Certificate enrollment should start immediately
grindsa@ub-20:~$ microk8s.kubectl apply -f acme2certifier.yaml
- the enrollment status can be checked via
microk8s.kubectl describe certificate -n cert-manager-acme
grindsa@ub-20:~$ microk8s.kubectl describe certificate -n cert-manager-acme
Name: acme-cert
Namespace: cert-manager-acme
Labels: <none>
Annotations: API Version: cert-manager.io/v1alpha3
Kind: Certificate
...
Spec:
Dns Names:
k8-acme.bar.local
Issuer Ref:
Name: acme2certifier
Secret Name: acme2certifier-secret
Status:
Conditions:
Last Transition Time: 2020-06-28T07:36:05Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2021-06-28T07:35:53Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal GeneratedKey 60s cert-manager Generated a new private key
Normal Requested 60s cert-manager Created new CertificateRequest resource "acme-cert-3129588559"
Normal Issued 58s cert-manager Certificate issued successfully
- the certificate details can be checked by using the command
microk8s.kubectl get certificate acme-cert -o yaml -n cert-manager-acme
- You can check the private key with
microk8s.kubectl get secret acme-cert-key -o yaml -n cert-manager-acme
. You should see a base64 encoded key in thetls.key
field. - certificate, issuer and namespace can be deleted with
microk8s.kubectl delete -f acme2certifier.yaml
There are extensive troubleshooting guides at the cert-manager website.
Below a list of commends I considered as most useful for me:
-
kubectl get order -n <name-space>
- to get the list of orders -
kubectl describe order -n <name-space> <order>
- to display the details of an order -
kubectl describe challenge -n <name-space>
- show challenges and provisioning status