A Go program to automatically configure Ingress resources to use TLS Certificates generated by JetStack's Cert-Manager.
JetStack's Cert-Manager is great for generating sub-level domain TLS Certificates from a Certificate Authority. However, one has to manually update every Ingress resource before cert-manager will create a certificate for it.
This program is meant to be used together with JetStack's Cert-Manager, so the complete setup is:
- Install JetStack's Cert-Manager

```shell
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.1.0 \
  --set installCRDs=true \
  --set prometheus.enabled=true \
  --set prometheus.servicemonitor.enabled=true
```
- Create the certificate chain file for your CA

```shell
# Creating crt chain file
# replace with your CA files
cat subsub.sub.domain.deCA.crt sub.domain.deCA.crt sub.domain.deCA.pem > subsub_chain.pem
```
- Add your CA files as a tls secret to the cert-manager namespace

```shell
kubectl create secret tls subsub-ca \
  --cert=subsub_chain.pem \
  --key=UnprotectedPrivateKeyOfSubsubCA.key \
  -n=cert-manager
```
- Create a ClusterIssuer for the Subsub CA

Save as `cluster-issuer.yaml`:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: subsub-cluster-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: subsub-ca
```

```shell
kubectl -n cert-manager apply -f ./cluster-issuer.yaml
```
- Download neutryno/cert-manager-automatic-ingress-certificate-generator deployment.yaml

```shell
wget "https://raw.githubusercontent.com/neutryno/cert-manager-automatic-ingress-certificate-generator/master/deployment/deployment.yaml"
```
- Change the `CLUSTER_ISSUERS` and `CLUSTER_ISSUER_#_REGEX` environment variables in `deployment/deployment.yaml`. The environment variable `CLUSTER_ISSUERS` holds the names of all your cert-manager ClusterIssuers as a comma-separated string. The environment variable `CLUSTER_ISSUER_1_REGEX` must exist and hold the RegEx for the first ClusterIssuer in the `CLUSTER_ISSUERS` value (RegEx escapes must be escaped a second time for Kubernetes!). For every additional ClusterIssuer in `CLUSTER_ISSUERS`, a further environment variable named `CLUSTER_ISSUER_2_REGEX`, `CLUSTER_ISSUER_3_REGEX` and so forth must exist; their values hold the RegEx for the second, third, ... ClusterIssuer in `CLUSTER_ISSUERS`.
- Install neutryno/cert-manager-automatic-ingress-certificate-generator

```shell
kubectl apply -f https://raw.githubusercontent.com/neutryno/imagepullsecret-serviceaccount-patcher/master/deployment/rbac.yaml
kubectl apply -f ./deployment.yaml # your edited deployment.yaml
```
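As an added illustration of the `CLUSTER_ISSUERS` / `CLUSTER_ISSUER_#_REGEX` contract described in the configuration step above (example code, not the project's own), this Go snippet loads the variables, refuses to start when an issuer has no valid regex, and picks the first ClusterIssuer whose pattern matches an Ingress host. The `LoadIssuerRules` and `SelectIssuer` names and the first-match rule are assumptions of this example, not taken from the project.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

type IssuerRule struct { // a ClusterIssuer name and the host regex it serves
	Name    string
	Pattern *regexp.Regexp
}

// LoadIssuerRules reads CLUSTER_ISSUERS and CLUSTER_ISSUER_<n>_REGEX via getenv
// (os.Getenv in production); the n-th regex belongs to the n-th issuer name.
func LoadIssuerRules(getenv func(string) string) ([]IssuerRule, error) {
	var rules []IssuerRule
	for i, name := range strings.Split(getenv("CLUSTER_ISSUERS"), ",") {
		n, key := strings.TrimSpace(name), fmt.Sprintf("CLUSTER_ISSUER_%d_REGEX", i+1)
		re, err := regexp.Compile(getenv(key)) // "" compiles fine, so check it explicitly
		if err != nil || n == "" || getenv(key) == "" {
			return nil, fmt.Errorf("issuer %d (%q): %s is missing or invalid: %v", i+1, n, key, err)
		}
		rules = append(rules, IssuerRule{Name: n, Pattern: re})
	}
	return rules, nil
}

// SelectIssuer returns the first ClusterIssuer whose regex matches host, or ""
// if none does. MatchString is unanchored, so write patterns with ^ and $.
func SelectIssuer(rules []IssuerRule, host string) string {
	for _, r := range rules {
		if r.Pattern.MatchString(host) {
			return r.Name
		}
	}
	return ""
}

func main() { // classify the Ingress hosts given on the command line
	rules, err := LoadIssuerRules(os.Getenv)
	if err != nil {
		panic(err)
	}
	for _, host := range os.Args[1:] {
		fmt.Printf("%s -> %q\n", host, SelectIssuer(rules, host))
	}
}
```

Remember that in `deployment.yaml` every backslash in these patterns has to be escaped a second time, as the configuration step notes.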
To build and push the image yourself:

```shell
go test
GOOS=linux go build -o ./dist/app .
docker build . -t neutryno/cert-manager-automatic-ingress-certificate-generator
docker push neutryno/cert-manager-automatic-ingress-certificate-generator
```