cert-manager_install



Cert-manager deployment

The CRDs are applied first, straight from the GitHub release, and the chart is then installed with the same pinned version (v1.8.0) so that the CRDs and the controller always match; the alternative is to let the chart manage them with --set installCRDs=true. Each step below is shown together with the output it produced.

$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update jetstack
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
Update Complete. ⎈Happy Helming!
$ helm install cert-manager --namespace cert-manager --create-namespace --version v1.8.0 jetstack/cert-manager
NAME: cert-manager
LAST DEPLOYED: Wed May 25 14:29:27 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.8.0 has been deployed successfully!
 
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
 
More information on the different types of issuers and how to configure them
can be found in our documentation:
 
https://cert-manager.io/docs/configuration/
 
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
 
https://cert-manager.io/docs/usage/ingress/
$ kubectl get crds
NAME                                                  CREATED AT
apiservers.operator.tigera.io                         2022-05-17T12:30:52Z
bgpconfigurations.crd.projectcalico.org               2022-05-17T12:30:51Z
bgppeers.crd.projectcalico.org                        2022-05-17T12:30:51Z
blockaffinities.crd.projectcalico.org                 2022-05-17T12:30:51Z
caliconodestatuses.crd.projectcalico.org              2022-05-17T12:30:51Z
certificaterequests.cert-manager.io                   2022-05-25T17:27:04Z
certificates.cert-manager.io                          2022-05-25T17:27:04Z
challenges.acme.cert-manager.io                       2022-05-25T17:27:04Z
clusterinformations.crd.projectcalico.org             2022-05-17T12:30:51Z
clusterissuers.cert-manager.io                        2022-05-25T17:27:04Z
felixconfigurations.crd.projectcalico.org             2022-05-17T12:30:51Z
globalnetworkpolicies.crd.projectcalico.org           2022-05-17T12:30:51Z
globalnetworksets.crd.projectcalico.org               2022-05-17T12:30:51Z
hostendpoints.crd.projectcalico.org                   2022-05-17T12:30:52Z
imagesets.operator.tigera.io                          2022-05-17T12:30:52Z
installations.operator.tigera.io                      2022-05-17T12:30:52Z
ipamblocks.crd.projectcalico.org                      2022-05-17T12:30:52Z
ipamconfigs.crd.projectcalico.org                     2022-05-17T12:30:52Z
ipamhandles.crd.projectcalico.org                     2022-05-17T12:30:52Z
ippools.crd.projectcalico.org                         2022-05-17T12:30:52Z
ipreservations.crd.projectcalico.org                  2022-05-17T12:30:52Z
issuers.cert-manager.io                               2022-05-25T17:27:04Z
kubecontrollersconfigurations.crd.projectcalico.org   2022-05-17T12:30:52Z
networkpolicies.crd.projectcalico.org                 2022-05-17T12:30:52Z
networksets.crd.projectcalico.org                     2022-05-17T12:30:52Z
orders.acme.cert-manager.io                           2022-05-25T17:27:05Z
tigerastatuses.operator.tigera.io                     2022-05-17T12:30:52Z
$ kubectl get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-76578c9687-qlmbm              1/1     Running   0          3m42s
pod/cert-manager-cainjector-5c55bb7cb4-p52v8   1/1     Running   0          3m42s
pod/cert-manager-webhook-556f979d7f-r7m6l      1/1     Running   0          3m42s
 
NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.96.123.186   <none>        9402/TCP   3m42s
service/cert-manager-webhook   ClusterIP   10.96.195.158   <none>        443/TCP    3m42s
 
NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           3m42s
deployment.apps/cert-manager-cainjector   1/1     1            1           3m42s
deployment.apps/cert-manager-webhook      1/1     1            1           3m42s
 
NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-76578c9687              1         1         1       3m42s
replicaset.apps/cert-manager-cainjector-5c55bb7cb4   1         1         1       3m42s
replicaset.apps/cert-manager-webhook-556f979d7f      1         1         1       3m42s
Both Services are then edited to make them dual-stack. The fragment below is what is added under spec in each of the two Services; ipFamilies is ordered, the first entry being the primary family, and a second ClusterIP is only allocated on a cluster that is itself dual-stack.

$ kubectl edit service cert-manager -n cert-manager
$ kubectl edit service cert-manager-webhook -n cert-manager
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4
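The shell functions below turn the manual inspection above into a scriptable check. They are an added example, not code from the original page or from the cert-manager project: all_available verifies that the three deployments each have an available replica, dual_stack_ok verifies that both Services received an IPv4 and an IPv6 ClusterIP. The parsing functions read kubectl's jsonpath output on stdin so they can be exercised on captured text; KUBECTL and CM_NAMESPACE are assumed variable names used to point the live checks at another context or namespace.

```shell
#!/bin/sh
# Post-install checks for cert-manager. Added example; not code from the
# original page or from the cert-manager project. KUBECTL and CM_NAMESPACE
# are assumed names so the commands can be pointed at another context.
KUBECTL="${KUBECTL:-kubectl}"
NS="${CM_NAMESPACE:-cert-manager}"

# all_available reads "<deployment>=<availableReplicas>" lines on stdin and
# succeeds only when each of the three cert-manager deployments is listed
# with at least one available replica. Pure text processing, so it runs on
# captured output as well as on live kubectl output.
all_available() {
    missing=" cert-manager cert-manager-cainjector cert-manager-webhook "
    while IFS='=' read -r name avail; do
        [ -n "$name" ] || continue
        # availableReplicas is omitted from the status while it is 0, so an
        # empty or non-numeric count means no replica is available yet
        case "$avail" in ''|*[!0-9]*) continue ;; esac
        if [ "$avail" -ge 1 ]; then
            missing=$(printf '%s' "$missing" | sed "s/ $name / /")
        fi
    done
    if [ "$missing" != " " ]; then
        printf 'not available:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# cm_ready queries the live cluster and feeds the result to all_available.
cm_ready() {
    $KUBECTL -n "$NS" get deploy cert-manager cert-manager-cainjector cert-manager-webhook \
        -o jsonpath='{range .items[*]}{.metadata.name}={.status.availableReplicas}{"\n"}{end}' \
        | all_available
}

# dual_stack_ok reads "<service> <clusterIPs>" lines (clusterIPs as printed
# by jsonpath, e.g. ["10.96.123.186","fd00:10:96::1"]) and succeeds only if
# every Service has both an IPv4 ('.') and an IPv6 (':') ClusterIP.
dual_stack_ok() {
    n=0
    while read -r svc ips; do
        [ -n "$svc" ] || continue
        n=$((n + 1))
        case "$ips" in *.*) ;; *) printf '%s: no IPv4 ClusterIP\n' "$svc" >&2; return 1 ;; esac
        case "$ips" in *:*) ;; *) printf '%s: no IPv6 ClusterIP\n' "$svc" >&2; return 1 ;; esac
    done
    [ "$n" -gt 0 ]
}

# svc_dual_stack checks the two Services edited above on the live cluster.
svc_dual_stack() {
    $KUBECTL -n "$NS" get svc cert-manager cert-manager-webhook \
        -o jsonpath='{range .items[*]}{.metadata.name} {.spec.clusterIPs}{"\n"}{end}' \
        | dual_stack_ok
}

# Run both live checks when invoked as: sh cm-check.sh --live
if [ "${1:-}" = "--live" ]; then
    cm_ready && svc_dual_stack && echo "cert-manager is up and dual-stack"
fi
```

Requesting the three deployments by name makes kubectl return a List, which is why the jsonpath ranges over .items; a single-name query would not have that wrapper.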

Test certificate - staging

The Let's Encrypt staging environment has relaxed rate limits and issues certificates from a CA that browsers do not trust, so it is the place to confirm that the HTTP-01 solver and the nginx ingress class actually work before pointing anything at production.

ClusterIssuer-staging.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: gean.martins@juntotelecom.com.br
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
$ kubectl apply -f ClusterIssuer-staging.yaml
clusterissuer.cert-manager.io/letsencrypt-staging created
$ kubectl describe ClusterIssuer letsencrypt-staging
Name:         letsencrypt-staging
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2022-05-27T12:19:42Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-05-27T12:19:42Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:         cert-manager-clusterissuers
    Operation:       Update
    Subresource:     status
    Time:            2022-05-27T12:19:43Z
  Resource Version:  2474068
  UID:               5db6c5e6-de28-4d21-9f21-1e17bdaca603
Spec:
  Acme:
    Email:            gean.martins@juntotelecom.com.br
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  gean.martins@juntotelecom.com.br
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/55465934
  Conditions:
    Last Transition Time:  2022-05-27T12:19:43Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Production certificate - production

The production issuer differs only in the ACME server URL and in the name of the Secret for the account key. Keeping that name distinct from the staging one matters: each ACME account belongs to one server, and for a ClusterIssuer cert-manager stores these Secrets in its own namespace, not in the namespace of the workload. Production enforces strict rate limits, so switch to it only after staging has issued successfully.

ClusterIssuer-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: gean.martins@juntotelecom.com.br
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-production
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
$ kubectl apply -f ClusterIssuer-prod.yaml
clusterissuer.cert-manager.io/letsencrypt-prod created
$ kubectl describe ClusterIssuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2022-05-27T12:28:27Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-05-27T12:28:27Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:         cert-manager-clusterissuers
    Operation:       Update
    Subresource:     status
    Time:            2022-05-27T12:28:29Z
  Resource Version:  2475725
  UID:               f9686b3d-5824-444e-b12b-525c542c7b01
Spec:
  Acme:
    Email:            gean.martins@juntotelecom.com.br
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-production
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      http01:
        Ingress:
          Class:  nginx
Status:
  Acme:
    Last Registered Email:  gean.martins@juntotelecom.com.br
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/562203266
  Conditions:
    Last Transition Time:  2022-05-27T12:28:29Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
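The functions below, an added example rather than code from the original page or from cert-manager, do two things the transcript above leaves manual: check that both ClusterIssuers report Ready=True (and name the reason when one does not), and produce the Ingress that the ingress-shim documentation mentioned in the install NOTES expects, so that a certificate can actually be requested from one of the issuers. KUBECTL and CM_NAMESPACE are assumed variable names; the ingress class nginx is assumed to match the solver's class, and www.example.com, the backend Service web and port 80 are placeholders.

```shell
#!/bin/sh
# Checks and usage for the two ClusterIssuers. Added example; not code from
# the original page or from the cert-manager project. KUBECTL and
# CM_NAMESPACE are assumed variable names.
KUBECTL="${KUBECTL:-kubectl}"
NS="${CM_NAMESPACE:-cert-manager}"

# issuers_ready reads "<issuer> <Ready status> <reason>" lines on stdin and
# succeeds only when every issuer has Ready=True. A missing status column
# means the controller has not reconciled the issuer yet.
issuers_ready() {
    n=0
    while read -r name status reason; do
        [ -n "$name" ] || continue
        n=$((n + 1))
        if [ "$status" != "True" ]; then
            printf '%s: not ready (%s)\n' "$name" "${reason:-no Ready condition yet}" >&2
            return 1
        fi
    done
    [ "$n" -gt 0 ]
}

# check_issuers queries the cluster for the two issuers defined above.
check_issuers() {
    $KUBECTL get clusterissuer letsencrypt-staging letsencrypt-prod \
        -o jsonpath='{range .items[*]}{.metadata.name} {.status.conditions[?(@.type=="Ready")].status} {.status.conditions[?(@.type=="Ready")].reason}{"\n"}{end}' \
        | issuers_ready
}

# acme_account_secrets lists the Secrets holding the ACME account private
# keys. For a ClusterIssuer cert-manager creates them in its own namespace,
# so that namespace needs the same access control as any other key material.
acme_account_secrets() {
    $KUBECTL -n "$NS" get secret letsencrypt-staging letsencrypt-production
}

# ingress_manifest prints an Ingress that asks the named ClusterIssuer for a
# certificate through ingress-shim. Arguments: host issuer backend-service port.
# The Certificate and its TLS Secret are named "<host>-tls".
ingress_manifest() {
    host=$1 issuer=$2 svc=$3 port=$4
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${svc}
  annotations:
    cert-manager.io/cluster-issuer: ${issuer}
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - ${host}
    secretName: ${host}-tls
  rules:
  - host: ${host}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ${svc}
            port:
              number: ${port}
EOF
}

# request_cert applies the manifest in a namespace, for example:
#   request_cert default www.example.com letsencrypt-staging web 80
request_cert() {
    ingress_manifest "$2" "$3" "$4" "$5" | $KUBECTL -n "$1" apply -f -
}
```

After request_cert, the progress of the order is visible with kubectl describe certificate www.example.com-tls -n default; once the staging issuer has produced a certificate, re-running request_cert with letsencrypt-prod replaces it with a trusted one.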
