How to install and configure Cert manager on kubernetes
Install cert-manager with Helm
Add the Helm repository
helm repo add jetstack https://charts.jetstack.io
Update the Helm repository index
helm repo update
Install cert-manager
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.12.0 \
  --set installCRDs=true
Alternatively, install cert-manager with kubectl apply from the static manifest of the same release (the CRDs are included in that file):
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
Create a Certificate Authority
Create a CA private key. Keep this file protected and off the clients: anyone holding it can issue certificates that every client trusting this CA will accept.
openssl genrsa -out ca.key 2048
Create a self-signed CA certificate. Note that once this certificate expires (365 days here), every certificate it signed stops validating, so plan the rotation.
openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt
Import the CA certificate (ca.crt only, never ca.key) into the trusted root CA store of your clients. Because the CA is self-signed, nothing trusts the certificates it issues until this is done.
Create cluster issuer object
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: dev-ca-key-pair
EOF
Create the Secret that holds the CA key pair used for signing. A ClusterIssuer is not namespaced, so cert-manager looks for the referenced Secret in its own namespace (cert-manager by default); the Secret must be created there, and the issuer stays in a not-ready state until it exists.
Encode the certificate and key as base64 for the Secret's data fields (-w 0 disables line wrapping; it is a GNU coreutils option):
base64 -w 0 ca.crt
base64 -w 0 ca.key
apiVersion: v1
kind: Secret
metadata:
  name: dev-ca-key-pair
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded contents of ca.crt>
  tls.key: <base64-encoded contents of ca.key>
Create a Certificate resource to generate certificates for your applications
A Certificate resource specifies the fields used to build a certificate signing request, which is then fulfilled by the issuer it references (here the CA ClusterIssuer signs it with dev-ca-key-pair).
Create it in the same namespace as your application: the resulting TLS Secret is written to the Certificate's namespace, and the Ingress can only reference Secrets in its own namespace.
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginx-cert
  namespace: nginx
spec:
  secretName: nginx-tls-secret
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  dnsNames:
    - nginx.mkbn.tech
EOF
This creates the Certificate object in the nginx namespace, along with a Secret called nginx-tls-secret (containing tls.crt, tls.key and ca.crt) that can be referenced from the nginx Ingress. Check it with `kubectl get certificate -n nginx`; READY must be True before the Ingress serves it. Do not also put the cert-manager.io/cluster-issuer annotation on the Ingress: that annotation makes cert-manager's ingress-shim create its own Certificate for the same secretName, and two Certificates must never manage one Secret. Use either the explicit Certificate or the annotation, not both.
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: nginx
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  ingressClassName: nginx
  rules:
    - host: "nginx.mkbn.tech"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
  tls:
    - hosts:
        - nginx.mkbn.tech
      secretName: nginx-tls-secret
EOF
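The steps above (build a CA, put its key pair in a kubernetes.io/tls Secret, have the CA issuer sign a certificate for the dnsNames of the Certificate resource, and trust only ca.crt on the client) can be exercised end to end offline. The following Go program is an added example written for this page, not code from cert-manager; it reproduces what the openssl commands and the CA issuer do with Go's crypto/x509, using RSA 2048 like the openssl step, and then runs the check a client performs after importing ca.crt. The CA name "dev-ca", the host names and the validity periods are assumptions chosen to match the tutorial; the mis-typed host "nginx.mkbn-tech" is included on purpose to show that a tls.hosts typo in the Ingress is caught by SAN verification, not just by SNI.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CA is the key pair the openssl steps produce and the dev-ca-key-pair Secret carries.
type CA struct {
	CertPEM, KeyPEM []byte
	cert            *x509.Certificate
	key             *rsa.PrivateKey
}

// sign issues tmpl under parent with priv and returns the parsed cert plus its PEM.
func sign(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// NewCA mirrors `openssl genrsa` + `openssl req -new -x509`: an RSA key and a self-signed
// cert flagged as a CA (basicConstraints CA:TRUE, keyCertSign), which the CA issuer needs.
func NewCA(cn string, validFor time.Duration) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, certPEM, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return &CA{CertPEM: certPEM, KeyPEM: keyPEM, cert: cert, key: key}, nil
}

// SecretData is the .data map of the kubernetes.io/tls Secret: PEM bytes base64-encoded, as `base64 -w 0` prints them.
func (c *CA) SecretData() map[string]string {
	enc := base64.StdEncoding.EncodeToString
	return map[string]string{"tls.crt": enc(c.CertPEM), "tls.key": enc(c.KeyPEM)}
}

// IssueLeaf does what the CA ClusterIssuer does for a Certificate resource: sign a server cert whose SAN list is dnsNames.
func (c *CA) IssueLeaf(dnsNames []string, validFor time.Duration) ([]byte, error) {
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leafPEM, err := sign(tmpl, c.cert, &leafKey.PublicKey, c.key)
	return leafPEM, err
}

// VerifyForHost is the client-side check once ca.crt is in the trust store: does the
// leaf chain to that CA only, and does its SAN list cover the host the client contacts?
func VerifyForHost(leafPEM, caPEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate in PEM input")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("no leaf certificate in PEM input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, _ := NewCA("dev-ca", 365*24*time.Hour)                               // assumed CA name and lifetime
	leaf, _ := ca.IssueLeaf([]string{"nginx.mkbn.tech"}, 90*24*time.Hour)     // the Certificate's dnsNames
	fmt.Println("tls.crt is base64 of", len(ca.SecretData()["tls.crt"]), "chars")
	fmt.Println("nginx.mkbn.tech:", VerifyForHost(leaf, ca.CertPEM, "nginx.mkbn.tech"))
	fmt.Println("nginx.mkbn-tech:", VerifyForHost(leaf, ca.CertPEM, "nginx.mkbn-tech")) // the Ingress typo
}
```

The first verification returns nil; the second fails with a hostname error because the leaf's SAN list only contains nginx.mkbn.tech, which is what a browser does when the tls.hosts entry and the served certificate disagree. Against a real cluster, the same check applies to the tls.crt that `kubectl get secret nginx-tls-secret -n nginx -o json` returns once it is base64-decoded.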
This post is licensed under CC BY 4.0 by the author.