cert-manager
is an X.509 certificate controller that lets you issue certificates from a variety of certificate issuers and renews them automatically before they expire in your containerized environment. More information about installing cert-manager is available in its documentation.
Configuration
Once cert-manager is installed, the first thing to configure is an Issuer or a ClusterIssuer. These two resources represent a Certificate Authority able to sign certificates in response to a CSR. In this post certificates will be issued by Let's Encrypt, a non-profit organization run by the Internet Security Research Group that provides X.509 certificates at no charge.
Two ClusterIssuers will be created in the Kubernetes cluster: one for staging and one for production. The staging issuer is used for testing without hitting the rate limits of the Let's Encrypt service.
Create Staging ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager # ignored: a ClusterIssuer is cluster-scoped
spec:
  acme:
    # The ACME server URL (staging endpoint, issues untrusted test certificates)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: traefik # ingress class name
Create Production ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik # ingress class name
kubectl apply -f issuer-staging.yaml -f issuer-prod.yaml
[tesla@gokicloud ~]$ kubectl get clusterissuers.cert-manager.io
NAME                  READY   AGE
letsencrypt-staging   True    29d
letsencrypt-prod      True    29d
Create Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: manintheit
  namespace: manintheit
spec:
  secretName: manintheit-tls
  duration: 2160h # certificates issued by Let's Encrypt are valid for 90 days
  renewBefore: 360h # renew 15 days before expiry
  subject:
    organizations:
    - manintheit
  isCA: false
  privateKey:
    algorithm: ECDSA
    size: 256
  usages:
  - server auth
  - client auth
  dnsNames:
  - manintheit.org
  - www.manintheit.org
  - archive.manintheit.org
  - ghost-admin-panel.manintheit.org
  - mail.manintheit.org
  issuerRef:
    name: letsencrypt-prod # for testing use 'letsencrypt-staging'
    kind: ClusterIssuer
    group: cert-manager.io
Note: it is highly recommended to use the staging ClusterIssuer before the production one. Otherwise you may hit the Let's Encrypt rate limit because of an incorrect Certificate configuration.
kubectl apply -f manintheit-certificate.yaml
[tesla@gokicloud ~]$ kubectl get certificate
NAME         READY   SECRET           AGE
manintheit   True    manintheit-tls   25d
Note: the HTTP-01 challenge was used because it is simpler than DNS-01.
kubectl describe certificaterequests.cert-manager.io
...(omitted)
Status:
  Conditions:
    Last Transition Time:  2022-12-26T19:24:58Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-12-26T19:24:59Z
    Message:               Waiting on certificate issuance from order manintheit/manintheit-bhr9s-828122143: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason           Age   From                                          Message
  ----    ------           ---   ----                                          -------
  Normal  cert-manager.io  107s  cert-manager-certificaterequests-approver     Certificate request has been approved by cert-manager.io
  Normal  OrderCreated     107s  cert-manager-certificaterequests-issuer-acme  Created Order resource manintheit/manintheit-bhr9s-828122143
  Normal  OrderPending     107s  cert-manager-certificaterequests-issuer-acme  Waiting on certificate issuance from order manintheit/manintheit-bhr9s-828122143: ""
kubectl describe orders
...(omitted)
Events:
  Type    Reason    Age  From                Message
  ----    ------    ---  ----                -------
  Normal  Created   26s  cert-manager-orders  Created Challenge resource "manintheit-5wstw-828122143-4061762707" for domain "mail.manintheit.org"
  Normal  Complete  1s   cert-manager-orders  Order completed successfully
The certificate is now ready, and its TLS secret is created in the namespace defined in the Certificate resource.
[tesla@gokicloud ~]$ kubectl get secret manintheit-tls
NAME             TYPE                DATA   AGE
manintheit-tls   kubernetes.io/tls   2      25d
Experiment:
[tesla@gokicloud ~]$ kubectl get secrets manintheit-tls -o jsonpath='{.data.tls\.crt}' | base64 -d - | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:d9:53:42:25:c6:83:74:e5:81:56:40:4e:e3:a9:0a:92:90
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Dec 26 19:17:22 2022 GMT
            Not After : Mar 26 19:17:21 2023 GMT
        Subject: CN=manintheit.org
        ...(omitted)
            X509v3 Subject Alternative Name:
                DNS:archive.manintheit.org, DNS:ghost-admin-panel.manintheit.org, DNS:mail.manintheit.org, DNS:manintheit.org, DNS:www.manintheit.org