cert-manager
Deploys cert-manager and provides helper scripts to create the following ClusterIssuers:

- selfsigned: the default value of DEVBOX_ISSUER, created automatically by the install script.
- mkcert: not the default, because it copies the mkcert root CA private key (which your workstation already trusts) into a cluster secret; see mkcert - #377.
- letsencrypt-http: a contact email is required.
- letsencrypt-cloudflare: Cloudflare-managed DNS is required.
Usage with Kubernetes
- Read k8s-install.sh and run:

  ```bash
  bash k8s-install.sh
  ```

- Ensure that the selfsigned ClusterIssuer is created:

  ```bash
  kubectl get clusterissuers
  ```
Configure the devbox ClusterIssuer
If you want to use the selfsigned ClusterIssuer, see the section below to extract the corresponding CA and import it in your browser.
If you want to use another ClusterIssuer listed below, such as letsencrypt-http, set the corresponding environment variable (DEVBOX_ISSUER=letsencrypt-http) before running the k8s-install.sh scripts.
Available ClusterIssuers
selfsigned
Adapted from cert-manager.io - Bootstrapping CA Issuers.
- See cluster-issuer/selfsigned.yml.
- Retrieve the corresponding CA certificate in PEM format:

  ```bash
  # Write the CA certificate to devbox-selfsigned-ca.pem in the current directory
  kubectl -n cert-manager get secret devbox-selfsigned-ca \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > devbox-selfsigned-ca.pem
  # Display its subject, validity and extensions
  openssl x509 -in devbox-selfsigned-ca.pem -text -noout
  ```

- You may import devbox-selfsigned-ca.pem as a trusted CA in a browser profile used only for development. Its private key lives in the devbox-selfsigned-ca secret, so anyone who can read that secret can issue certificates that browser will trust.
mkcert
The cluster-issuer/mkcert.sh helper script:

- imports `${MKCERT_CAROOT}/rootCA.pem` and `${MKCERT_CAROOT}/rootCA-key.pem` as a secret `mkcert-ca` in the "cert-manager" namespace,
- creates the corresponding "mkcert" ClusterIssuer.

Ensure that mkcert is available with an initialized root CA (mkcert -install) and run:

```bash
# invoked by k8s-install.sh if mkcert is available
bash cluster-issuer/mkcert.sh
```
letsencrypt-http
To create the "letsencrypt-http" ClusterIssuer, read cluster-issuer/letsencrypt-http.sh and run:

```bash
bash cluster-issuer/letsencrypt-http.sh <CONTACT_EMAIL>
```

The HTTP-01 challenge requires the ingress host to resolve publicly and to be reachable on port 80 from Let's Encrypt, so this issuer cannot issue certificates for local names such as whoami.dev.localhost.

!!! info "How it works?"
    See letsencrypt.org - LetsEncrypt HTTP01
letsencrypt-cloudflare
To create a "letsencrypt-cloudflare" ClusterIssuer, read cluster-issuer/letsencrypt-cloudflare.sh and run:

```bash
export CLOUDFLARE_EMAIL=...
# see https://dash.cloudflare.com/profile/api-tokens
export CLOUDFLARE_API_TOKEN=...
bash cluster-issuer/letsencrypt-cloudflare.sh
```

Create a dedicated API token scoped to the zone with only Zone:Read and DNS:Edit permissions rather than reusing a global API key: cert-manager reads the token from a cluster secret, and it only needs to manage TXT records.

!!! info "How it works?"
    See letsencrypt.org - LetsEncrypt DNS01 and note that the Cloudflare API is called to create the required _acme-challenge TXT records.
Ingress example
See whoami/k8s-install.sh. The cert-manager.io/cluster-issuer annotation names the ClusterIssuer to use, so set it to the value you configured in DEVBOX_ISSUER, and keep tls.hosts identical to the rules hosts so the issued certificate covers the served name:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    cert-manager.io/cluster-issuer: "mkcert"
spec:
  ingressClassName: traefik
  rules:
    - host: whoami.dev.localhost
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: whoami
                port:
                  number: 80
  tls:
    - hosts:
        - whoami.dev.localhost
      # this secret will be generated by cert-manager
      secretName: whoami-cert
```
Troubleshooting
Start from the Certificate object: `kubectl describe certificate` shows its events and the CertificateRequest it created, and for ACME issuers the Order and Challenge objects show why validation stalls. Then follow the controller's logs:

```bash
# follow controller's logs
kubectl -n cert-manager logs $(kubectl -n cert-manager get pods -l app.kubernetes.io/component=controller -o name) -f
```