Cert-Manager


Installing cert-manager

  1. Create a namespace in which cert-manager will be installed.

    export CERT_MANAGER_NAMESPACE="<certmanager namespace>"  # set this to the namespace you want cert-manager in, e.g. 'cert-manager' or 'certmanager'
    kubectl create ns "$CERT_MANAGER_NAMESPACE"
    
  2. Add the cert-manager chart repo to helm and update it.

    helm repo add certmanager https://charts.jetstack.io
    helm repo update
    
  3. Create a Helm values file that controls how cert-manager is installed in your cluster.

    cat <<EOF > cert_manager_values.yaml
    installCRDs: true
    
    ingressShim:
      defaultIssuerName: "letsencrypt-prod"
      defaultIssuerKind: "ClusterIssuer"
      defaultIssuerGroup: "cert-manager.io"
    EOF
    
    Review the full set of values

    For the full set of value options, refer to the cert-manager Helm chart documentation.

  4. Install cert-manager to the namespace you created above:

    helm install -n "$CERT_MANAGER_NAMESPACE" cert-manager certmanager/cert-manager -f cert_manager_values.yaml
    
    note

    If you are using the deployment package, the -f argument will be tls/cert-manager/cert_manager_values.yaml

  5. Check that cert-manager is running with the following command:

    kubectl get po -n "$CERT_MANAGER_NAMESPACE" -w
    

After installing cert-manager, create an issuer configuration to tell cert-manager how to generate new TLS certificates.

note

You will need to provide an email address to Let's Encrypt to receive notifications about your certificate status.

  1. Create your issuer manifest.

    export CERT_MANAGER_CLUSTER_ISSUER_EMAIL="john.doe@domain.com"
    
    cat <<EOF > cluster_issuer_prod.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        email: {{CLUSTER-ISSUER-ORG-EMAIL}}
        privateKeySecretRef:
          name: letsencrypt-private-key
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
        - http01:
            ingress:
              class: nginx
    EOF
    
    # -i.bak (suffix attached) works with both GNU and BSD sed; the backup is removed after the substitution
    sed -i.bak -e "s|{{CLUSTER-ISSUER-ORG-EMAIL}}|${CERT_MANAGER_CLUSTER_ISSUER_EMAIL}|g" cluster_issuer_prod.yaml && rm cluster_issuer_prod.yaml.bak
    
    Download the cluster_issuer_prod.yaml file.

    Action

    Be sure to replace <org email> with your email address before using the file.

  2. Apply your manifest to the cluster.

    kubectl create -f cluster_issuer_prod.yaml -n "$CERT_MANAGER_NAMESPACE"
    
  3. Check that your email address was successfully registered with Let's Encrypt (the READY column should show True).

    kubectl get clusterissuer/letsencrypt-prod -o wide -n "$CERT_MANAGER_NAMESPACE"
    
Review the Source Docs

Review the cert-manager docs for more info.