
How to install and configure Cert manager on kubernetes

Install cert-manager with Helm

Add the Helm repository

helm repo add jetstack https://charts.jetstack.io

Update the Helm chart repositories

helm repo update

Install cert-manager

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.12.0 \
  --set installCRDs=true

Alternatively, install cert-manager with kubectl apply (the static manifest already includes the CRDs)

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Create a Certificate Authority

Create a CA private key

openssl genrsa -out ca.key 2048

Create a CA certificate

openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt

Import the CA certificate into the trusted root CA store of your clients, so that certificates issued by this CA are trusted.

Create a ClusterIssuer object

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: dev-ca-key-pair
EOF

Create the signing secret in the cert-manager namespace. A ClusterIssuer is cluster-scoped, so it can issue certificates in any namespace, but it reads its CA secret from the cert-manager namespace (the controller's cluster resource namespace).

Convert the certificate and the key to base64. Use -w 0 so each value is a single line; wrapped base64 output would break the YAML value.

base64 -w 0 ca.crt
base64 -w 0 ca.key

Save the following manifest and apply it with kubectl apply -f. The secret must carry the CA certificate under tls.crt and the CA key under tls.key, which is what the CA issuer expects.

apiVersion: v1
kind: Secret
metadata:
  name: dev-ca-key-pair
  namespace: cert-manager
data:
  tls.crt: $(base64-encoded data from ca.crt)
  tls.key: $(base64-encoded data from ca.key)
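The step above is easy to get subtly wrong (wrapped base64, certificate and key swapped, secret in the wrong namespace), so here is an added example, not part of the original post, that renders the dev-ca-key-pair manifest from ca.crt and ca.key and checks it before it is applied. It assumes GNU base64 (for -w 0 and -d) and the file and namespace names used in the post; the sample PEM files it writes are constructed placeholders, not real key material, and the Secret type kubernetes.io/tls is this example's choice.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render the dev-ca-key-pair Secret
# from ca.crt/ca.key and sanity-check it before "kubectl apply -f".
# Assumes GNU coreutils base64 (-w 0, -d) and the names used in the post.
set -u

# Constructed placeholder PEM files so the example runs offline. The bodies are
# filler, not real certificate or key material; point the functions at your
# own ca.crt / ca.key in practice.
write_sample_pair() {                 # $1 = dir
  local dir=$1
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
    "$(head -c 256 /dev/zero | tr '\0' A)" > "$dir/ca.crt"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n' \
    "$(head -c 256 /dev/zero | tr '\0' B)" > "$dir/ca.key"
}

# Render the Secret manifest. base64 -w 0 matters: the default output wraps at
# 76 columns, which spreads each value over several YAML lines and breaks it.
render_ca_secret() {                  # $1 = ca.crt  $2 = ca.key  $3 = namespace
  local crt=$1 key=$2 ns=${3:-cert-manager}
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: dev-ca-key-pair
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(base64 -w 0 "$crt")
  tls.key: $(base64 -w 0 "$key")
EOF
}

# Pull one data value out of a rendered manifest and decode it.
secret_field() {                      # $1 = manifest file  $2 = tls.crt | tls.key
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1" | base64 -d
}

# Checks: every data value is one complete line (no wrapped base64), the Secret
# is in the namespace a ClusterIssuer reads from, tls.crt decodes to a
# certificate and tls.key to a private key (catches swapped arguments).
check_ca_secret() {                   # $1 = manifest file
  local f=$1
  awk '/^data:/ { d = 1; next }
       d && $0 !~ /^  tls\.(crt|key): [A-Za-z0-9+\/=]+$/ { bad = 1 }
       END { exit bad }' "$f" || return 1
  grep -q '^  namespace: cert-manager$' "$f" || return 1
  secret_field "$f" tls.crt | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  secret_field "$f" tls.key | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$'
}

# Stand-alone run: ./ca-secret.sh run
if [ "${1:-}" = run ]; then
  work=$(mktemp -d)
  write_sample_pair "$work"
  render_ca_secret "$work/ca.crt" "$work/ca.key" > "$work/dev-ca-key-pair.yaml"
  check_ca_secret "$work/dev-ca-key-pair.yaml" && echo "manifest OK: $work/dev-ca-key-pair.yaml"
fi
```

On a real cluster the same result can be produced with kubectl create secret tls, but rendering the manifest yourself keeps it reviewable and lets you run these checks in CI before anything touches the cert-manager namespace.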

Create certificate resource to generate certs for your applications

A Certificate resource specifies the fields used to generate a certificate signing request, which is then fulfilled by the issuer you reference in issuerRef.

Create it in the same namespace as your application: the resulting TLS Secret is namespaced, and the Ingress can only reference a Secret in its own namespace.

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginx-cert
  namespace: nginx
spec:
  secretName: nginx-tls-secret
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  dnsNames:
    - nginx.mkbn.tech
EOF

This creates the Certificate object in the nginx namespace, and cert-manager issues a Secret called nginx-tls-secret that can be referenced from the nginx Ingress. Note that the cert-manager.io/cluster-issuer annotation on the Ingress below also makes cert-manager's ingress-shim create a Certificate for nginx-tls-secret, so either the explicit Certificate resource or the annotation is sufficient; keeping both means two objects manage the same Secret.

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: nginx
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: ca-issuer
spec:
  ingressClassName: nginx
  rules:
  - host: "nginx.mkbn.tech"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
  tls:
  - hosts:
    - nginx.mkbn.tech
    secretName: nginx-tls-secret
EOF
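The two halves of this post, creating the CA and issuing certificates for an application, are worth checking end to end before a client depends on them. The following added example (not code from the original post or from cert-manager) reproduces the CA step with an explicit OpenSSL config so the certificate carries CA:TRUE regardless of the system openssl.cnf, checks the pair before it goes into dev-ca-key-pair, then signs a leaf for the Certificate's dnsName the way cert-manager's CA issuer does (a CSR signed with the CA key) and verifies it the way a client that trusts ca.crt would. It assumes OpenSSL 1.1.1 or newer on PATH; the file names and the host nginx.mkbn.tech are taken from the post, the directory layout is this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: build the dev CA, check it,
# sign a leaf for one DNS name as the CA issuer would, and verify the result.
# Assumes OpenSSL >= 1.1.1 (-ext, -addext era). File names follow the post.
set -u

# Minimal req config with the extensions a signing certificate needs.
write_openssl_cnf() {                 # $1 = dir
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = dev-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Same two steps as the post (genrsa, then req -new -x509), non-interactive.
make_dev_ca() {                       # $1 = dir
  local dir=$1
  write_openssl_cnf "$dir" &&
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
  openssl req -new -x509 -sha256 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -config "$dir/openssl.cnf" 2>/dev/null
}

# Checks before the pair becomes dev-ca-key-pair:
#   1. the certificate is a CA (cert-manager's CA issuer rejects a non-CA cert)
#   2. the private key matches the certificate's public key
#   3. the certificate has not expired
check_ca_pair() {                     # $1 = ca.crt  $2 = ca.key
  local crt=$1 key=$2 pub_crt pub_key
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || return 1
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] || return 1
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null
}

# What the CA issuer does for a Certificate: a CSR from a fresh key, signed by
# the CA, with the requested dnsName carried in subjectAltName.
issue_leaf() {                        # $1 = dir  $2 = dns name
  local dir=$1 host=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=$host" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/leaf.ext" &&
  openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# What a client trusting ca.crt checks: the chain, and that the name it
# connects to is one of the SAN entries. A typo in the Ingress tls.hosts entry
# (nginx.mkbn-tech) versus the Certificate dnsNames (nginx.mkbn.tech) fails here.
check_leaf() {                        # $1 = leaf.crt  $2 = ca.crt  $3 = host
  local crt=$1 ca=$2 host=$3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -ext subjectAltName | tail -n +2 |
    tr -d ' ' | tr ',' '\n' | grep -qxF -- "DNS:$host"
}

# Stand-alone run: ./ca-check.sh run
if [ "${1:-}" = run ]; then
  work=$(mktemp -d)
  make_dev_ca "$work" && check_ca_pair "$work/ca.crt" "$work/ca.key" &&
  issue_leaf "$work" nginx.mkbn.tech &&
  check_leaf "$work/leaf.crt" "$work/ca.crt" nginx.mkbn.tech &&
  echo "CA pair and leaf for nginx.mkbn.tech verified in $work"
fi
```

check_leaf is also the function to run against the certificate cert-manager actually issued: extract tls.crt from nginx-tls-secret with kubectl and point it at ca.crt and the host from the Ingress tls.hosts list, and a name mismatch between the Ingress and the Certificate shows up before a browser does.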
This post is licensed under CC BY 4.0 by the author.