2. Cert-Manager
Cert-manager is a Kubernetes controller, which means that it is a piece of software that runs in your Kubernetes cluster and watches for certain events. In the case of cert-manager, it watches for events related to certificates. When it sees an event that it is interested in, it takes action to manage the certificate.
For example, if cert-manager sees that a certificate is about to expire, it will automatically renew the certificate. Or, if cert-manager sees that a certificate is no longer needed, it will automatically delete the certificate.
Cert-manager is a powerful tool that can help you to simplify the management of TLS certificates in Kubernetes. It can help you to avoid outages caused by expired certificates, and it can help you to improve the security of your applications.
Here are some of the benefits of using cert-manager:
Automates the management of TLS certificates: Cert-manager automates the process of obtaining, renewing, and using TLS certificates. This can save you time and effort, and it can help to prevent errors.
Supports a variety of certificate issuers: Cert-manager supports a variety of certificate issuers, including Let’s Encrypt, HashiCorp Vault, and Venafi. This gives you flexibility in choosing the certificate issuer that best meets your needs.
Ensures certificates are valid and up-to-date: Cert-manager ensures that certificates are valid and up-to-date. This helps to prevent outages caused by expired certificates.
Can be used with a variety of Kubernetes workloads: Cert-manager can be used with a variety of Kubernetes workloads, including Ingress controllers, services, and pods. This makes it a versatile tool that can be used to secure a wide range of applications.
If you are looking for a way to simplify the management of TLS certificates in Kubernetes, then cert-manager is a good option to consider. It is a powerful and flexible tool that can help you to improve the security of your applications.
Please make sure to visit the Cert-Manager official documentation page to study more.
Getting started after deploying cert-manager
Please refer to this document to connect your kubernetes cluster.
Once you have set up your cluster using kubectl, proceed with executing the following commands.
helm repo add jetstack https://charts.jetstack.io
helm repo update
How to confirm that Cert-Manager is running
helm ls -n cert-manager
Next, verify if Cert-manager pods are up and running:
kubectl get pods -n cert-manager
Tweaking Helm Chart Values
The cert-manager stack provides some custom values to start with. Please have a look at the values file from the main GitHub repository (explanations are provided inside, where necessary).
You can always inspect all the available options, as well as the default values for the cert-manager Helm chart by running below command:
helm show values jetstack/cert-manager --version 1.12.0
After tweaking the Helm values file (values.yml) according to your needs, you can always apply the changes via helm upgrade command, as shown below:
helm upgrade cert-manager jetstack/cert-manager --version 1.12.0
--namespace cert-manager --values values.yml
Configuring TLS certificates via Cert-manager
Cert-Manager expects some typical CRDs to be created in order to operate. You start by creating a certificate Issuer CRD. Next, the Issuer CRD will try to fetch a valid TLS certificate for your Ingress Controller (e.g. Nginx) from a known authority, such as Let’s Encrypt. To accomplish this task, the Issuer is using the HTTP-01 challenge (it also knows how to perform DNS-01 challenges as well, for wildcard certificates).
Next, a Certificate CRD is needed to store the actual certificate. The Certificate CRD doesn’t work alone, and needs a reference to an Issuer CRD to be able to fetch the real certificate from the CA (Certificate Authority).
Typical Issuer manifest looks like below (explanations for each relevant field is provided inline):
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-nginx
namespace: backend
spec:
# ACME issuer configuration
# `email` - the email address to be associated with the ACME account (make sure it's a valid one)
# `server` - the URL used to access the ACME server’s directory endpoint
# `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
acme:
email: <YOUR_VALID_EMAIL_ADDRESS_HERE>
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-nginx-private-key
solvers:
# Use the HTTP-01 challenge provider
- http01:
ingress:
class: nginx
Next, you need to configure each Nginx ingress resource to use TLS termination. Typical manifest looks like below:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-echo
namespace: backend
annotations:
cert-manager.io/issuer: letsencrypt-nginx
spec:
tls:
- hosts:
- echo.my-domain.org
secretName: letsencrypt-nginx
rules:
- host: echo.my-domain.org
…
Explanation for the above configuration:
cert-manager.io/issuer: Annotation that takes advantage of cert-manager ingress-shim to create the certificate resource on your behalf.
spec.tls.hosts: List of hosts included in the TLS certificate.
spec.tls.secretName: Name of the secret used to terminate TLS traffic on port 443.
Notice that the Nginx Ingress Controller is able to generate the Certificate CRD automatically via a special annotation: cert-manager.io/issuer. This saves work and time, because you don’t have to create and maintain a separate manifest for certificates as well (only the Issuer manifest is required). For other ingresses you may need to provide the Certificate CRD as well.
Upgrading Cert-manager Stack
You can check what versions are available to upgrade, by navigating to the cert-manager official releases page from GitHub. Alternatively, you can also use ArtifactHUB, which provides a more rich and user friendly interface.
helm upgrade cert-manager jetstack/cert-manager --version <CERT_MANAGER_NEW_VERSION>
--namespace cert-manager --values <YOUR_HELM_VALUES_FILE>
Please make sure you replace <CERT_MANAGER_NEW_VERSION> with the version of your choice and <YOUR_HELM_VALUES_FILE> with the file name you want to upgrade.
See helm upgrade for command documentation.
Also, please make sure to check the official recommendations for various upgrade paths, from an existing release to a new major version of cert-manager.
Uninstalling Cert-manager Stack
helm uninstall cert-manager -n cert-manager
Note: The above command will delete all the kubernetes resources installed by cert-manager helm chart except the namespace. To delete the namespace you have to run the following command
kubectl delete ns cert-manager