Automatically update Ingress Resources for jetstack/cert-manager to create SSL/TLS Certificates.

neutryno/cert-manager-automatic-ingress-certificate-generator

Automatically create CA Certificates for Ingress Resources using Cert-Manager

A Go program to automatically configure Ingress resources to use TLS Certificates generated by JetStack's Cert-Manager.

Motivation

JetStack's Cert-Manager is great for generating sub-level domain TLS Certificates from a Certificate Authority. However, one has to manually update all Ingress resources to allow cert-manager to create certificates for them.

Usage

It is best used in conjunction with JetStack's Cert-Manager. The complete procedure is:

  1. Install JetStack's Cert-Manager
kubectl create namespace cert-manager

helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.1.0 \
  --set installCRDs=true \
  --set prometheus.enabled=true \
  --set prometheus.servicemonitor.enabled=true
  2. Add your CA files as TLS secrets to the cert-manager namespace
# Create the certificate chain file
# (replace with your CA files)
cat subsub.sub.domain.deCA.crt sub.domain.deCA.crt sub.domain.deCA.pem > subsub_chain.pem

kubectl create secret tls subsub-ca \
  --cert=subsub_chain.pem \
  --key=UnprotectedPrivateKeyOfSubsubCA.key \
  -n=cert-manager
  3. Create a ClusterIssuer for the Subsub CA. Save as cluster-issuer.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: subsub-cluster-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: subsub-ca

kubectl -n cert-manager apply -f ./cluster-issuer.yaml
  4. Download neutryno/cert-manager-automatic-ingress-certificate-generator deployment.yaml
wget "https://raw.githubusercontent.com/neutryno/cert-manager-automatic-ingress-certificate-generator/master/deployment/deployment.yaml"
  5. Change the CLUSTER_ISSUERS and CLUSTER_ISSUER_#_REGEX environment variables in deployment/deployment.yaml. The CLUSTER_ISSUERS environment variable should hold the names of all your cert-manager ClusterIssuers as a comma-separated string. The CLUSTER_ISSUER_1_REGEX environment variable must exist, with a RegEx string as its value, for the first ClusterIssuer in the CLUSTER_ISSUERS value (RegEx escapes must be escaped a second time for Kubernetes!). For every additional ClusterIssuer in the CLUSTER_ISSUERS environment variable, another environment variable named CLUSTER_ISSUER_2_REGEX, CLUSTER_ISSUER_3_REGEX and so forth must exist. Their values hold the RegEx for the second, third, ... ClusterIssuer in CLUSTER_ISSUERS.

  6. Install neutryno/cert-manager-automatic-ingress-certificate-generator

kubectl apply -f https://raw.githubusercontent.com/neutryno/imagepullsecret-serviceaccount-patcher/master/deployment/rbac.yaml
kubectl apply -f ./deployment.yaml # your edited deployment.yaml
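
The CLUSTER_ISSUERS / CLUSTER_ISSUER_#_REGEX convention from the environment-variable step, as an added Go example (not code from this repository) that fails on a missing or uncompilable pattern before any issuer is selected. The names loadIssuerRules and issuerFor and the sample values are hypothetical, matching the pattern against the Ingress host is an assumption, and the regex is shown as the process sees it, after the second level of escaping has been resolved.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// issuerRule pairs a ClusterIssuer name with its compiled pattern.
type issuerRule struct {
	Name    string
	Pattern *regexp.Regexp
}

// loadIssuerRules pairs the n-th name in CLUSTER_ISSUERS with the pattern in
// CLUSTER_ISSUER_<n>_REGEX; env stands in for the container environment.
func loadIssuerRules(env map[string]string) ([]issuerRule, error) {
	var rules []issuerRule
	for i, name := range strings.Split(env["CLUSTER_ISSUERS"], ",") {
		name = strings.TrimSpace(name)
		key := fmt.Sprintf("CLUSTER_ISSUER_%d_REGEX", i+1)
		re, err := regexp.Compile(env[key])
		if name == "" || env[key] == "" || err != nil {
			return nil, fmt.Errorf("entry %d: empty issuer name, or %s missing/invalid (%v)", i+1, key, err)
		}
		rules = append(rules, issuerRule{Name: name, Pattern: re})
	}
	return rules, nil
}

// issuerFor returns the first rule matching host (match target is assumed).
func issuerFor(rules []issuerRule, host string) (string, bool) {
	for _, r := range rules {
		if r.Pattern.MatchString(host) {
			return r.Name, true
		}
	}
	return "", false
}

func main() {
	env := map[string]string{ // constructed sample values, already unescaped
		"CLUSTER_ISSUERS":        "subsub-cluster-issuer",
		"CLUSTER_ISSUER_1_REGEX": `^[a-z0-9-]+\.subsub\.sub\.domain\.de$`,
	}
	rules, err := loadIssuerRules(env)
	fmt.Println(err)
	fmt.Println(issuerFor(rules, "app.subsub.sub.domain.de"))             // matches
	fmt.Println(issuerFor(rules, "app.subsub.sub.domain.de.example.org")) // anchored: no match
}
```

Anchoring each pattern with ^ and $ keeps an issuer from being selected for a host that merely contains the intended domain.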

Test

go test

Build & Publish

GOOS=linux go build -o ./dist/app .
docker build . -t neutryno/cert-manager-automatic-ingress-certificate-generator
docker push neutryno/cert-manager-automatic-ingress-certificate-generator
