====== Cert-manager deployment ======
<code bash>
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update jetstack
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm install cert-manager --namespace cert-manager --create-namespace --version v1.8.0 jetstack/cert-manager
NAME: cert-manager
LAST DEPLOYED: Wed May 25 14:29:27 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.8.0 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/
</code>
<code bash>
$ kubectl get crds
NAME                                                  CREATED AT
apiservers.operator.tigera.io                         2022-05-17T12:30:52Z
bgpconfigurations.crd.projectcalico.org               2022-05-17T12:30:51Z
bgppeers.crd.projectcalico.org                        2022-05-17T12:30:51Z
blockaffinities.crd.projectcalico.org                 2022-05-17T12:30:51Z
caliconodestatuses.crd.projectcalico.org              2022-05-17T12:30:51Z
certificaterequests.cert-manager.io                   2022-05-25T17:27:04Z
certificates.cert-manager.io                          2022-05-25T17:27:04Z
challenges.acme.cert-manager.io                       2022-05-25T17:27:04Z
clusterinformations.crd.projectcalico.org             2022-05-17T12:30:51Z
clusterissuers.cert-manager.io                        2022-05-25T17:27:04Z
felixconfigurations.crd.projectcalico.org             2022-05-17T12:30:51Z
globalnetworkpolicies.crd.projectcalico.org           2022-05-17T12:30:51Z
globalnetworksets.crd.projectcalico.org               2022-05-17T12:30:51Z
hostendpoints.crd.projectcalico.org                   2022-05-17T12:30:52Z
imagesets.operator.tigera.io                          2022-05-17T12:30:52Z
installations.operator.tigera.io                      2022-05-17T12:30:52Z
ipamblocks.crd.projectcalico.org                      2022-05-17T12:30:52Z
ipamconfigs.crd.projectcalico.org                     2022-05-17T12:30:52Z
ipamhandles.crd.projectcalico.org                     2022-05-17T12:30:52Z
ippools.crd.projectcalico.org                         2022-05-17T12:30:52Z
ipreservations.crd.projectcalico.org                  2022-05-17T12:30:52Z
issuers.cert-manager.io                               2022-05-25T17:27:04Z
kubecontrollersconfigurations.crd.projectcalico.org   2022-05-17T12:30:52Z
networkpolicies.crd.projectcalico.org                 2022-05-17T12:30:52Z
networksets.crd.projectcalico.org                     2022-05-17T12:30:52Z
orders.acme.cert-manager.io                           2022-05-25T17:27:05Z
tigerastatuses.operator.tigera.io                     2022-05-17T12:30:52Z
</code>
<code bash>
$ kubectl get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-76578c9687-qlmbm              1/1     Running   0          3m42s
pod/cert-manager-cainjector-5c55bb7cb4-p52v8   1/1     Running   0          3m42s
pod/cert-manager-webhook-556f979d7f-r7m6l      1/1     Running   0          3m42s

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.96.123.186   <none>        9402/TCP   3m42s
service/cert-manager-webhook   ClusterIP   10.96.195.158   <none>        443/TCP    3m42s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           3m42s
deployment.apps/cert-manager-cainjector   1/1     1            1           3m42s
deployment.apps/cert-manager-webhook      1/1     1            1           3m42s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-76578c9687              1         1         1       3m42s
replicaset.apps/cert-manager-cainjector-5c55bb7cb4   1         1         1       3m42s
replicaset.apps/cert-manager-webhook-556f979d7f      1         1         1       3m42s
</code>
Edit both Services so that they are exposed dual-stack with IPv6 as the primary address family, adding the fields below under ''spec'':

<code bash>
$ kubectl edit service cert-manager -n cert-manager
$ kubectl edit service cert-manager-webhook -n cert-manager
</code>

<code yaml>
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4
</code>
===== Test certificate - staging =====
<code yaml ClusterIssuer-staging.yaml>
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: gean.martins@juntotelecom.com.br
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
</code>
<code bash>
$ kubectl apply -f ClusterIssuer-staging.yaml
clusterissuer.cert-manager.io/letsencrypt-staging created
$ kubectl describe ClusterIssuer letsencrypt-staging
Name:         letsencrypt-staging
Namespace:
Labels:
Annotations:
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2022-05-27T12:19:42Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-05-27T12:19:42Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:         cert-manager-clusterissuers
    Operation:       Update
    Subresource:     status
    Time:            2022-05-27T12:19:43Z
  Resource Version:  2474068
  UID:               5db6c5e6-de28-4d21-9f21-1e17bdaca603
Spec:
  Acme:
    Email:            gean.martins@juntotelecom.com.br
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  gean.martins@juntotelecom.com.br
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/55465934
  Conditions:
    Last Transition Time:  2022-05-27T12:19:43Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:
</code>
===== Production certificate - production =====
<code yaml ClusterIssuer-prod.yaml>
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: gean.martins@juntotelecom.com.br
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-production
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
</code>
<code bash>
$ kubectl apply -f ClusterIssuer-prod.yaml
clusterissuer.cert-manager.io/letsencrypt-prod created
$ kubectl describe ClusterIssuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:
Labels:
Annotations:
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2022-05-27T12:28:27Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-05-27T12:28:27Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:         cert-manager-clusterissuers
    Operation:       Update
    Subresource:     status
    Time:            2022-05-27T12:28:29Z
  Resource Version:  2475725
  UID:               f9686b3d-5824-444e-b12b-525c542c7b01
Spec:
  Acme:
    Email:            gean.martins@juntotelecom.com.br
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-production
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  gean.martins@juntotelecom.com.br
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/562203266
  Conditions:
    Last Transition Time:  2022-05-27T12:28:29Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:
</code>
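A readiness and misuse check for the two ClusterIssuers created above, as an added example that is not part of the original page or of cert-manager itself: it reads objects shaped like the output of ''kubectl get clusterissuers -o json'' and ''kubectl get ingress -A -o json'', confirms each issuer's Ready condition, tells staging from production by the ACME server URL, and flags ingress-shim annotated Ingresses that point at a missing, not-Ready or staging issuer (staging certificates chain to a root browsers do not trust). The issuer names and ACME URLs are the page's; the Ingress objects and all inline JSON are constructed sample data.

```python
# Added example, not from the original page. Input mirrors the JSON from
# kubectl get clusterissuers -o json / kubectl get ingress -A -o json (constructed below).
STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"
PROD_ACME = "https://acme-v02.api.letsencrypt.org/directory"
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"  # annotation read by ingress-shim

def issuer_state(issuer):
    """Return (name, tier, ready) for one ClusterIssuer object."""
    name = issuer["metadata"]["name"]
    server = issuer.get("spec", {}).get("acme", {}).get("server", "")
    tier = {STAGING_ACME: "staging", PROD_ACME: "production"}.get(server, "unknown")
    ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                for c in issuer.get("status", {}).get("conditions", []))
    return name, tier, ready

def audit(issuers, ingresses):
    """Flag Ingresses whose annotated issuer is missing, not Ready, or staging (untrusted chain)."""
    states = {n: (tier, ready) for n, tier, ready in map(issuer_state, issuers["items"])}
    findings = []
    for ing in ingresses["items"]:
        meta = ing["metadata"]
        ref = f"{meta.get('namespace', 'default')}/{meta['name']}"
        issuer = meta.get("annotations", {}).get(ISSUER_ANNOTATION)
        if issuer is None:
            continue  # not managed by ingress-shim, nothing to check
        if issuer not in states:
            findings.append(f"{ref}: references unknown ClusterIssuer {issuer}")
        elif not states[issuer][1]:
            findings.append(f"{ref}: ClusterIssuer {issuer} is not Ready")
        elif states[issuer][0] == "staging":
            findings.append(f"{ref}: uses staging issuer {issuer}; certificate will be untrusted")
    return findings

def ready_status(status):  # builds the status block of the constructed sample data
    return {"conditions": [{"type": "Ready", "status": status, "reason": "ACMEAccountRegistered"}]}

# Constructed sample: the two issuers from this page plus three annotated Ingresses.
ISSUERS = {"items": [
    {"metadata": {"name": "letsencrypt-staging"}, "spec": {"acme": {"server": STAGING_ACME}}, "status": ready_status("True")},
    {"metadata": {"name": "letsencrypt-prod"}, "spec": {"acme": {"server": PROD_ACME}}, "status": ready_status("True")},
]}
INGRESSES = {"items": [
    {"metadata": {"name": "shop", "namespace": "web", "annotations": {ISSUER_ANNOTATION: "letsencrypt-prod"}}},
    {"metadata": {"name": "demo", "namespace": "web", "annotations": {ISSUER_ANNOTATION: "letsencrypt-staging"}}},
    {"metadata": {"name": "old", "namespace": "web", "annotations": {ISSUER_ANNOTATION: "letsencrypt"}}},
]}

if __name__ == "__main__":
    for finding in audit(ISSUERS, INGRESSES):
        print(finding)
```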
===== References =====
- [[https://docs.microsoft.com/pt-br/azure/application-gateway/ingress-controller-letsencrypt-certificate-application-gateway|Use certificates with LetsEncrypt.org on Application Gateway for AKS clusters]]
- [[https://www.thinktecture.com/en/kubernetes/ssl-certificates-with-cert-manager-in-kubernetes/|Acquire SSL Certificates In Kubernetes From Let's Encrypt With Cert-Manager]]
- [[https://gutocarvalho.net/instalando-cert-manager-no-k8s/|K8S: Installing Cert-Manager and LetsEncrypt issuers]]