cert-manager
Deploys cert-manager with Bitnami's Helm chart to generate TLS certificates, and provides helpers to create some ClusterIssuers.
Usage with Kubernetes
Read k8s-install.sh and run:

```sh
bash k8s-install.sh
```

Note that the following ClusterIssuers are automatically created by this script:
- selfsigned
- mkcert (if mkcert is installed on your machine)

Follow the instructions and documentation links it provides to configure Issuers, ClusterIssuers and Ingress resources.
Ingress example
See whoami/k8s-install.sh:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    cert-manager.io/cluster-issuer: "mkcert"
spec:
  ingressClassName: nginx
  rules:
    - host: whoami.dev.localhost
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: whoami
                port:
                  number: 80
  tls:
    - hosts:
        - whoami.dev.localhost
      # this secret will be generated by cert-manager
      secretName: whoami-cert
```
Some ClusterIssuers
selfsigned
The "selfsigned" ClusterIssuer is adapted from cert-manager.io - Bootstrapping CA Issuers.
- See cluster-issuer/selfsigned.yml.
- Retrieve the corresponding PEM certificate:

  ```sh
  # Get the CA cert as ~/devbox-selfsigned-ca.pem:
  kubectl -n cert-manager get secret devbox-selfsigned-ca \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > ~/devbox-selfsigned-ca.pem
  # Display its details:
  openssl x509 -in ~/devbox-selfsigned-ca.pem -text -noout
  ```

- Note that you may import the "devbox-selfsigned-ca.pem" file as a trusted CA in a DEV browser.
mkcert
The cluster-issuer/mkcert.sh helper script:
- imports ${MKCERT_CAROOT}/rootCA.pem and ${MKCERT_CAROOT}/rootCA-key.pem as a secret named mkcert-ca in the "cert-manager" namespace;
- creates the corresponding "mkcert" ClusterIssuer.

Ensure that mkcert is available with an initialized root CA (mkcert -install) and run:

```sh
# invoked by k8s-install.sh if mkcert is available
bash cluster-issuer/mkcert.sh
```
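The two steps above, written out as an added example; this is not the project's cluster-issuer/mkcert.sh, and it assumes mkcert and kubectl are on PATH and that the cert-manager namespace exists. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: import the mkcert root CA as a TLS secret and create a
# CA-type ClusterIssuer pointing at it (cert-manager.io/v1, spec.ca.secretName).
set -eu

# Fail early if the mkcert CA files are missing, and warn when the private key
# is group/world readable. Remember that whoever can read the mkcert-ca secret
# can issue certificates that every browser on this machine trusts, so keep
# read access to secrets in the cert-manager namespace tight.
check_ca_files() {
  caroot="$1"
  [ -f "$caroot/rootCA.pem" ] || { echo "missing $caroot/rootCA.pem" >&2; return 1; }
  [ -f "$caroot/rootCA-key.pem" ] || { echo "missing $caroot/rootCA-key.pem" >&2; return 1; }
  # characters 5-10 of `ls -l` are the group and other permission bits
  perms=$(ls -l "$caroot/rootCA-key.pem" | cut -c5-10)
  [ "$perms" = "------" ] || \
    echo "warning: $caroot/rootCA-key.pem is readable by others ($perms)" >&2
  return 0
}

# Render a CA ClusterIssuer manifest: $1 = issuer name, $2 = secret holding the CA.
render_ca_clusterissuer() {
  printf 'apiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: %s\nspec:\n  ca:\n    secretName: %s\n' "$1" "$2"
}

# Import the CA and apply the issuer. Piping `create secret --dry-run=client`
# through `kubectl apply` makes the import idempotent on re-runs.
import_mkcert_ca() {
  caroot="$(mkcert -CAROOT)"
  check_ca_files "$caroot"
  kubectl -n cert-manager create secret tls mkcert-ca \
    --cert="$caroot/rootCA.pem" --key="$caroot/rootCA-key.pem" \
    --dry-run=client -o yaml | kubectl apply -f -
  render_ca_clusterissuer mkcert mkcert-ca | kubectl apply -f -
}

# Only touch the cluster when explicitly asked: `sh import-mkcert-ca.sh apply`.
if [ "${1:-}" = "apply" ]; then
  import_mkcert_ca
fi
```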
letsencrypt-http
The cluster-issuer/letsencrypt-http.sh helper script creates a "letsencrypt-http" ClusterIssuer:

```sh
bash cluster-issuer/letsencrypt-http.sh <CONTACT_EMAIL>
```

It relies on the letsencrypt.org - LetsEncrypt HTTP01 challenge to generate certificates.
letsencrypt-cloudflare
The cluster-issuer/letsencrypt-cloudflare.sh helper script creates a "letsencrypt-cloudflare" ClusterIssuer:

```sh
export CLOUDFLARE_EMAIL=...
export CLOUDFLARE_API_KEY=...
bash cluster-issuer/letsencrypt-cloudflare.sh
```

It relies on the letsencrypt.org - LetsEncrypt DNS01 challenge to generate certificates, using the Cloudflare API to configure the required TXT records.
Troubleshooting
```sh
# follow the controller's logs
kubectl -n cert-manager logs $(kubectl -n cert-manager get pods -l app.kubernetes.io/component=controller -o name) -f
```