Upgrade cert-manager to the latest version

The older version we used had a too old version of the ACME client, which has been blocked due to excessive calls.
1 parent 11726e3, commit 8af74c2
Showing 12 changed files with 146 additions and 177 deletions.
Five files were deleted (contents not rendered).
@@ -0,0 +1,78 @@ | ||
# Certificate manager | ||
|
||
I'm using [cert-manager](https://github.com/jetstack/cert-manager) to automatically get SSL certificates for our ingresses. I configure the certificate manager to use Lets Encrypt as certificate issuer. | ||
|
||
|
||
## Installation | ||
|
||
We use Helm 3 to install cert-manager: | ||
|
||
``` | ||
$ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml | ||
$ kubectl create namespace cert-manager | ||
$ helm repo add jetstack https://charts.jetstack.io | ||
$ helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.12.0 --values helm-values.yaml | ||
$ kubectl apply -f issuers.yaml | ||
``` | ||
|
||
For any future upgrades, this command can be used: | ||
|
||
``` | ||
$ helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --version v0.12.0 --values helm-values.yaml | ||
``` | ||
|
||
Note: I've disabled the `webhook` component, because I didn't get it to work properly. It's not recommended, but it's viable option. Read more [here](https://cert-manager.io/docs/installation/compatibility/#disabling-webhook). | ||
|
||
|
||
## Using it | ||
|
||
To use dynamic SSL certificates, you create `Certificate` resources. These resources will in turn generate `Secret` resources that you can use in your tls-configuration. Here is an example: | ||
|
||
```yaml | ||
--- | ||
kind: Certificate | ||
apiVersion: cert-manager.io/v1alpha2 | ||
metadata: | ||
name: some-service | ||
namespace: test | ||
spec: | ||
secretName: some-service-certificate | ||
dnsNames: | ||
- some-external-domain.com | ||
issuerRef: | ||
name: letsencrypt | ||
kind: ClusterIssuer | ||
group: cert-manager.io | ||
|
||
--- | ||
kind: Ingress | ||
apiVersion: networking.k8s.io/v1beta1 | ||
metadata: | ||
name: some-service | ||
namespace: test | ||
labels: | ||
app.kubernetes.io/name: some-service | ||
annotations: | ||
kubernetes.io/ingress.class: external | ||
spec: | ||
rules: | ||
- host: some-external-domain.com | ||
http: | ||
paths: | ||
- path: / | ||
backend: | ||
serviceName: some-service | ||
servicePort: 8080 | ||
tls: | ||
- secretName: some-service-certificate | ||
hosts: | ||
- some-external-domain.com | ||
``` | ||
|
||
|
||
### Issuers | ||
|
||
I have the following cluster issuers: | ||
|
||
* `letsencrypt` | ||
* `letsencrypt-staging` (useful only for testing cert-manager upgrades and similar) |
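Review bot: the "future upgrades" command `$ helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --version v0.12.0 --values helm-values.yaml` pins the same `v0.12.0` as the install command, so running it as written never moves to a newer release; bump the version there, and state in the same paragraph that the CRD manifest from the matching release branch (`release-0.12/deploy/manifests/00-crds.yaml` for this version) has to be re-applied before `helm upgrade`, since the chart does not manage the CRDs in this setup. The "Using it" example also points `issuerRef` at the production `letsencrypt` issuer; given that the commit exists because the old client was blocked for excessive calls, the Issuers section should say that a new hostname is first tried against `letsencrypt-staging` and only switched to `letsencrypt` once the challenge succeeds, rather than describing staging as useful "only for testing cert-manager upgrades".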
@@ -0,0 +1,3 @@ | ||
webhook: | ||
enabled: false | ||
|
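Review bot: `webhook: enabled: false` switches off cert-manager's validating and converting admission webhook, so a `Certificate` or `Issuer` with a mistake (wrong `issuerRef.kind`, misspelled field, missing `secretName`) is accepted by the API server and only shows up later as a controller error. The README already calls this not recommended, so put a comment above `enabled: false` recording why it is disabled and under what condition it gets re-enabled, and treat removing this override as a follow-up rather than a permanent setting.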
@@ -0,0 +1,31 @@ | ||
--- | ||
kind: ClusterIssuer | ||
apiVersion: cert-manager.io/v1alpha2 | ||
metadata: | ||
name: letsencrypt-staging | ||
spec: | ||
acme: | ||
server: https://acme-staging-v02.api.letsencrypt.org/directory | ||
email: hello@anton-johansson.com | ||
privateKeySecretRef: | ||
name: letsencrypt-staging | ||
solvers: | ||
- http01: | ||
ingress: | ||
class: external | ||
|
||
--- | ||
kind: ClusterIssuer | ||
apiVersion: cert-manager.io/v1alpha2 | ||
metadata: | ||
name: letsencrypt | ||
spec: | ||
acme: | ||
server: https://acme-v02.api.letsencrypt.org/directory | ||
email: hello@anton-johansson.com | ||
privateKeySecretRef: | ||
name: letsencrypt | ||
solvers: | ||
- http01: | ||
ingress: | ||
class: external |
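Review bot: both ClusterIssuers use an `http01` solver on ingress class `external`, so the controller serving that class must accept plain HTTP on port 80 from the internet for `/.well-known/acme-challenge/`; if it force-redirects to HTTPS or is not exposed, orders stay pending with no certificate issued, which is worth a comment next to `class: external`. The secrets named in `privateKeySecretRef` (`letsencrypt` and `letsencrypt-staging`) hold the ACME account keys and are created in the namespace cert-manager runs in; they identify this cluster to Let's Encrypt and should be covered by RBAC and backups like any other credential. Since the commit message is about being blocked for excessive calls, a short comment on the production issuer that Let's Encrypt rate-limits issuance, and that `letsencrypt-staging` is the place to try new hostnames, would help the next person who edits this file.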
@@ -0,0 +1,16 @@ | ||
--- | ||
kind: Certificate | ||
apiVersion: cert-manager.io/v1alpha2 | ||
metadata: | ||
name: home-assistant | ||
namespace: home-assistant | ||
labels: | ||
app.kubernetes.io/name: home-assistant | ||
spec: | ||
secretName: home-assistant-certificate | ||
dnsNames: | ||
- home.anton-johansson.com | ||
issuerRef: | ||
name: letsencrypt | ||
kind: ClusterIssuer | ||
group: cert-manager.io |
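Review bot: the issued key pair lands in Secret `home-assistant-certificate` in namespace `home-assistant`, so any ServiceAccount with `get` or `list` on Secrets in that namespace can read the private key for `home.anton-johansson.com`; keep Secret read access there limited to the ingress controller and whatever actually terminates TLS. No `duration` or `renewBefore` is set, which is fine for Let's Encrypt defaults, but a comment saying renewal is left to cert-manager would make that intent explicit.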
@@ -0,0 +1,16 @@ | ||
--- | ||
kind: Certificate | ||
apiVersion: cert-manager.io/v1alpha2 | ||
metadata: | ||
name: grafana | ||
namespace: grafana | ||
labels: | ||
app.kubernetes.io/name: grafana | ||
spec: | ||
secretName: grafana-certificate | ||
dnsNames: | ||
- grafana.anton-johansson.com | ||
issuerRef: | ||
name: letsencrypt | ||
kind: ClusterIssuer | ||
group: cert-manager.io |