cert-manager is used for provisioning and managing TLS certificates in Kubernetes automatically.
- Configure the `teracy-dev-entry/config_override.yaml` file with content similar to the following:

  ```yaml
  teracy-dev-k8s:
    ansible:
      host_vars:
        cert_manager_enabled: "True"
  ```

  and then run `$ vagrant reload --provision`.

  `$ kubectl -n cert-manager get pod` should show output similar to the following:

  ```
  NAME                            READY   STATUS    RESTARTS   AGE
  cert-manager-695f7b5bdc-pchmn   1/1     Running   0          14h
  ```
- Make sure to enable and configure `teracy-dev-certs` by following https://github.com/teracyhq-incubator/teracy-dev-entry-k8s/blob/master/config_default.yaml#L50
- Use the key-pair of `k8s-local-ca.key` and `k8s-local-ca.crt` to configure a CA issuer, for example:
  - Create the key-pair secret:

    ```
    $ cd workspace/certs
    $ kubectl -n cert-manager create secret tls ca-key-pair --key=k8s-local-ca.key --cert=k8s-local-ca.crt
    ```

  - Create the `ca-cluster-issuer` by executing the following commands:

    ```
    $ cd docs/cert-manager
    $ kubectl apply -f ca-cluster-issuer.yaml
    ```
- After that, `$ kubectl describe clusterissuers.certmanager.k8s.io ca-cluster-issuer` should show output similar to the following:

  ```
  Name:         ca-cluster-issuer
  Namespace:
  Labels:       <none>
  Annotations:  <none>
  API Version:  certmanager.k8s.io/v1alpha1
  Kind:         ClusterIssuer
  Metadata:
    Creation Timestamp:  2018-12-09T11:46:02Z
    Generation:          1
    Resource Version:    1161130
    Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/ca-cluster-issuer
    UID:                 01161972-fba8-11e8-8eea-08002781145e
  Spec:
    Ca:
      Secret Name:  ca-key-pair
  Status:
    Conditions:
      Last Transition Time:  2018-12-09T11:46:02Z
      Message:               Signing CA verified
      Reason:                KeyPairVerified
      Status:                True
      Type:                  Ready
  Events:                    <none>
  ```
You can now use the `ca-cluster-issuer` to generate any certificates by following the docs from https://cert-manager.readthedocs.io/en/latest/tutorials/ca/creating-ca-issuer.html.
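As an added example (not part of the teracy-dev-k8s docs or the `ca-cluster-issuer.yaml` shipped with them), the following manifest shows a ClusterIssuer matching the `describe` output above together with a Certificate that asks it to sign a key pair; the Certificate name, namespace, secret name and DNS names are assumptions chosen for illustration.

```yaml
# Added example, not the project's own manifest. The ClusterIssuer mirrors the
# describe output above; everything in the Certificate is an assumed value.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: ca-cluster-issuer
spec:
  ca:
    # A ClusterIssuer reads its secret from the cert-manager namespace,
    # which is why ca-key-pair has to be created there.
    secretName: ca-key-pair
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-app-tls            # assumed name
  namespace: default               # assumed namespace
spec:
  secretName: example-app-tls      # TLS secret cert-manager will create here
  issuerRef:
    name: ca-cluster-issuer
    kind: ClusterIssuer            # omit this and a namespaced Issuer is looked up instead
  commonName: example-app.k8s.local   # assumed hostname
  dnsNames:
  - example-app.k8s.local
```

After `kubectl apply -f` on this file, `kubectl -n default describe certificate example-app-tls` should report a `Ready` condition and the `example-app-tls` secret should hold a `tls.crt` that verifies against `k8s-local-ca.crt`.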
Notes:

- The `ca-key-pair` secret must be created within the `cert-manager` namespace due to this: cert-manager/cert-manager#650, but every `$ vagrant reload --provision` will delete this created secret. There is a workaround: comment out the `cert-manager` configuration in `teracy-dev-entry/config_override.yaml` as follows:

  ```yaml
  teracy-dev-k8s:
    ansible:
      host_vars: {} # need this empty {} config if host_vars has no values
      # comment cert_manager_enabled here so that ca-key-pair secret will not be deleted (workaround)
      # cert_manager_enabled: "True"
  ```