Cert-Manager is a highly extensible X.509 certificate controller that is robust enough for Kubernetes and OpenShift environments. It procures certificates from a variety of Issuers, including public as well as private Issuers. The responsibility of the certificate manager is to ensure that the certificates it procures remain valid; it does so by renewing the certificates before the specified period of time ends. Cert-Manager is a member project of the Cloud Native Computing Foundation.

Pre-requisites

Step 1:  Install Cert-Manager from the release manifest

Cert-Manager and its components (CRDs, cainjector and webhook) are all included in a single YAML manifest and can be installed by running the following command:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.2/cert-manager.yaml

By default, cert-manager will be installed into the cert-manager namespace. It is possible to run cert-manager in a different namespace, although you’ll need to make modifications to the deployment manifests.

Verify the deployment by checking the running pods:

$ kubectl get pods -n cert-manager
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-79559475b4-cz4w5             1/1     Running   0          5m
cert-manager-cainjector-966fc8fbc-jp9nt   1/1     Running   0          5m
cert-manager-webhook-854cf5f458-qzx4k     1/1     Running   0          5m

You should see three pods in the Running state, i.e. cert-manager, cert-manager-cainjector, and cert-manager-webhook. The webhook might take a little longer to provision than the others, but it should end up running successfully.

Step 2: Configure ClusterIssuers

Now that you have successfully installed cert-manager in your Kubernetes cluster, it’s time to put it to use. The first thing you’ll need to configure is an Issuer or a ClusterIssuer. These are resources that represent certificate authorities (CAs) able to sign certificates in response to certificate signing requests.

For this guide, we’ll be using the ACME issuer with Cloudflare. In order for the ACME CA server to verify that a client owns the domain, or domains, a certificate is being requested for, the client must complete “challenges”. In our case, we’ll be using the DNS01 challenge, which is completed by publishing a computed key in a DNS TXT record.

For this, you’ll need to obtain an API token from your Cloudflare account and grant it the Zone > DNS > Edit permission. After obtaining the API token, create a secret holding it as follows:

kubectl create secret generic cloudflare-apitoken-secret \
  --namespace cert-manager \
  --from-literal=apitoken='YOUR_CLOUDFLARE_API_TOKEN' \
  --dry-run=client -o yaml | kubectl apply -f -

Then create the cluster issuer staging manifest as follows:

sudo tee cluster-issuer-staging.yaml > /dev/null <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            key: apitoken
            name: cloudflare-apitoken-secret
      selector:
        dnsZones:
        - example.com
EOF

Replace example.com with your Cloudflare-hosted domain. Then apply the manifest to create the ClusterIssuer:

kubectl apply -f cluster-issuer-staging.yaml

Check that the cluster issuer is in the READY state after a few minutes:

$ kubectl get clusterissuers
NAME                  READY   AGE
letsencrypt-staging   True    5m

After confirming that the staging issuer was created successfully, create the production ClusterIssuer as well, since certificates obtained from the staging issuer are not trusted by clients:

sudo tee cluster-issuer-prod.yaml > /dev/null <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            key: apitoken
            name: cloudflare-apitoken-secret
      selector:
        dnsZones:
        - example.com
EOF

Then apply the manifest:

kubectl apply -f cluster-issuer-prod.yaml

Check that the production cluster-issuer is created and in the READY state after a few minutes:

$ kubectl get clusterissuers
NAME                  READY   AGE
letsencrypt-prod      True    3m
letsencrypt-staging   True    8m

Either ClusterIssuer can now be referenced, for example from an Ingress annotation, to obtain TLS certificates:

cert-manager.io/cluster-issuer: letsencrypt-prod
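As an added example that is not part of the original guide, here is an Ingress carrying that annotation, followed by an explicit Certificate for a wildcard name, which only a DNS01 solver like the Cloudflare one configured above can validate. The names my-app, app.example.com, web-tls, the nginx ingress class and the default namespace are assumptions.

```yaml
# Added example: Ingress annotated for letsencrypt-prod. cert-manager's
# ingress-shim sees the annotation and creates a Certificate whose
# issued cert is stored in the Secret named by tls.secretName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app                 # assumption
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx      # assumption: an nginx ingress controller
  tls:
  - hosts:
    - app.example.com
    secretName: web-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80
---
# Explicit Certificate for a wildcard. HTTP01 cannot validate
# "*.example.com"; the DNS01 ClusterIssuer above can. Point issuerRef at
# letsencrypt-staging first to avoid production rate limits while testing.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - "*.example.com"
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always     # fresh private key on every renewal
```

Apply with kubectl apply -f and watch kubectl get certificate -n default until READY is True; kubectl describe certificaterequest -n default shows why a DNS01 challenge is still pending.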

That’s it for today folks, see you on the next guide. Adios!
