[Kubernetes (K8S)] Helm install cert-manager within Kubernetes (K8S)

helm-cert-manager-example

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let's Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed certificates.

You can clone this example, modify it, and use it to install cert-manager. This article walks through some examples of installing it with Helm.

Prerequisites

  • Kubernetes (K8S)
    Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications.

  • Helm
    Helm is the best way to find, share, and use software built for Kubernetes.

How to Install

# Clone the example repository (cert-manager is pulled in by --recursive).
$ git clone --recursive https://github.com/CloudoLife/helm-cert-manager-example

$ cd helm-cert-manager-example

Custom Values.yaml

Edit values.yaml in the helm-cert-manager-example directory and replace the placeholders between < and >.

# cat values.yaml

# cert-manager/values.yaml at master · jetstack/cert-manager
# https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml

installCRDs: true

Install by Helm

Install cert-manager into the cert-manager namespace with Helm. Create the cert-manager namespace first if it does not exist yet.

# Create the namespace:
$ kubectl create namespace cert-manager

# Add the Jetstack Helm repository:
$ helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache:
$ helm repo update

# Install the cert-manager Helm chart:
$ helm install cert-manager jetstack/cert-manager --namespace cert-manager -f values.yaml

Check the Helm release for cert-manager.

$ helm list --namespace cert-manager
NAME          NAMESPACE     REVISION  UPDATED                                  STATUS    CHART                APP VERSION
cert-manager  cert-manager  1         2020-09-12 11:24:36.704126 +0800 +0800  deployed  cert-manager-v1.0.2  v1.0.2

List the cert-manager pods.

$ kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-57b65b7fc-dczgc               1/1     Running   5          13d
cert-manager-cainjector-5f988f74c6-9ll6k   1/1     Running   5          13d
cert-manager-webhook-7cf554f879-ktkmg      1/1     Running   3          13d
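Before moving on to the ClusterIssuer objects it is worth waiting until cert-manager is actually serving: the webhook Deployment validates Issuer and Certificate resources, so a `kubectl apply` of an issuer right after `helm install` can be rejected while the webhook pod is still starting. The script below is an added example (not part of the helm-cert-manager-example repository). It parses a captured `kubectl get pods` table so the checks can be exercised offline on the listing above, and only the guarded `--live` mode calls `kubectl` against a cluster. The namespace name `cert-manager`, the pod-name patterns and the two constructed sample listings are assumptions.

```shell
#!/bin/sh
# Readiness check for a cert-manager Helm install (added example; not part of
# the helm-cert-manager-example repository). The parsers work on captured
# "kubectl get pods" text, so they run offline; only --live touches a cluster.

# pods_all_ready: read a "kubectl get pods" table on stdin and succeed only if
# every pod row is Running with all its containers ready (READY is n/n, n > 0).
# Offending rows are printed so the caller can see what is still starting.
pods_all_ready() {
    awk '
        NR == 1 { next }                       # skip the header row
        NF < 3  { next }                       # skip blank or stray lines
        {
            split($2, r, "/")                  # READY column, e.g. "1/1"
            if ($3 != "Running" || r[1] != r[2] || r[1] + 0 == 0) {
                print "not ready: " $0
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# missing_components: print the names of the cert-manager components (controller,
# cainjector, webhook) that have no pod row at all in the table on stdin.
missing_components() {
    t=$(cat)
    for c in controller cainjector webhook; do
        case $c in
            # controller pods are named cert-manager-<rs-hash>-<pod-suffix> (assumed pattern)
            controller) pat='^cert-manager-[0-9a-z]+-[0-9a-z]+[[:space:]]' ;;
            cainjector) pat='^cert-manager-cainjector-' ;;
            webhook)    pat='^cert-manager-webhook-' ;;
        esac
        printf '%s\n' "$t" | grep -Eq "$pat" || echo "$c"
    done
}

# Constructed sample: the healthy listing from the article.
sample_healthy() {
    cat <<'EOF'
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-57b65b7fc-dczgc               1/1     Running   5          13d
cert-manager-cainjector-5f988f74c6-9ll6k   1/1     Running   5          13d
cert-manager-webhook-7cf554f879-ktkmg      1/1     Running   3          13d
EOF
}

# Constructed sample: webhook still creating, cainjector pod not scheduled yet.
sample_degraded() {
    cat <<'EOF'
NAME                                       READY   STATUS              RESTARTS   AGE
cert-manager-57b65b7fc-dczgc               1/1     Running             0          30s
cert-manager-webhook-7cf554f879-ktkmg      0/1     ContainerCreating   0          30s
EOF
}

# wait_for_cert_manager NAMESPACE: live check (needs kubectl and cluster access).
# Waits for the webhook Deployment to report Available, since Issuer and
# Certificate objects are validated by that webhook, then checks every pod.
wait_for_cert_manager() {
    ns=${1:-cert-manager}
    kubectl -n "$ns" wait --for=condition=Available \
        deployment/cert-manager-webhook --timeout=120s || return 1
    kubectl -n "$ns" get pods | pods_all_ready
}

# Usage: sh cm-ready.sh --live [namespace]
if [ "${1:-}" = "--live" ]; then
    wait_for_cert_manager "${2:-cert-manager}"
fi
```

Run it with `--live` after `helm install`; a non-zero exit with the printed rows tells you which component is still starting, and `missing_components` catches the case where a pod never got scheduled at all (for example a Deployment whose replicas were scaled to zero by a values override).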

ClusterIssuer or Issuer Examples

HTTP01 with Ingress-nginx

ClusterIssuer-letsencrypt-staging.yaml

# manifests/ClusterIssuer-letsencrypt-staging.yaml

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <your-email-address>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging-secret
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

$ kubectl apply -f manifests/ClusterIssuer-letsencrypt-staging.yaml

ClusterIssuer-letsencrypt-prod.yaml

# manifests/ClusterIssuer-letsencrypt-prod.yaml

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <your-email-address>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-production-secret
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

$ kubectl apply -f manifests/ClusterIssuer-letsencrypt-prod.yaml

Check ClusterIssuer status.

$ kubectl get ClusterIssuer
NAME                  READY   AGE
letsencrypt-prod      True    121m
letsencrypt-staging   True    5h56m

See HTTP01 | cert-manager (https://cert-manager.io/docs/configuration/acme/http01/) to learn more.

FAQs

Failed to register ACME account: 400 urn:ietf:params:acme:error:invalidEmail: Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden

...
Message: Failed to register ACME account: 400 urn:ietf:params:acme:error:invalidEmail: Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden
...

Replace the @example.com address with another, valid email address to fix the issue.

# ClusterIssuer-letsencrypt-xxx.yaml

spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
-   email: <user>@example.com
+   email: <your-email-address>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
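The ClusterIssuer manifests above and the invalidEmail failure in this FAQ share one failure mode: a placeholder contact address that is only rejected once cert-manager tries to register the ACME account, long after `kubectl apply` has succeeded. The shell script below is an added example (not part of the helm-cert-manager-example repository) that lints an ACME issuer manifest before it is applied: it rejects an empty or @example.com contact, recognises the staging and production ACME endpoints so you know which tier a manifest targets (production issuance is rate limited, so staging is where a new setup should be tested first), and confirms an http01 solver is present. The line-oriented YAML extraction, the exit-code scheme and the constructed sample manifest are assumptions; the script reads one manifest on stdin.

```shell
#!/bin/sh
# Pre-apply lint for cert-manager ACME ClusterIssuer manifests (added example;
# not part of the helm-cert-manager-example repository). Reads one manifest on
# stdin. Exit status: 0 ok, 1 unusable contact email, 2 unknown ACME server,
# 3 no http01 solver.

LE_STAGING='https://acme-staging-v02.api.letsencrypt.org/directory'
LE_PROD='https://acme-v02.api.letsencrypt.org/directory'

# yaml_scalar KEY: print the value of the first "KEY: value" line on stdin.
# Assumption: line-oriented parsing is enough for these small, flat manifests.
yaml_scalar() {
    awk -v k="$1" '
        BEGIN { key = k ":" }
        $1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# issuer_tier: print staging, production or unknown for the manifest on stdin.
issuer_tier() {
    case "$(yaml_scalar server)" in
        "$LE_STAGING") echo staging ;;
        "$LE_PROD")    echo production ;;
        *)             echo unknown ;;
    esac
}

# lint_issuer: run all checks on the manifest on stdin (see exit codes above).
lint_issuer() {
    m=$(cat)
    email=$(printf '%s\n' "$m" | yaml_scalar email)
    tier=$(printf '%s\n' "$m" | issuer_tier)
    case "$email" in
        ''|*@example.com)
            # This is exactly the case behind the FAQ's invalidEmail error.
            echo "FAIL: contact email '$email' is empty or uses example.com," \
                 "which Let's Encrypt rejects (invalidEmail)" >&2
            return 1 ;;
    esac
    if [ "$tier" = unknown ]; then
        echo "FAIL: server is not a known Let's Encrypt ACME endpoint" >&2
        return 2
    fi
    printf '%s\n' "$m" | grep -q '^[[:space:]]*-[[:space:]]*http01:' || {
        echo "FAIL: no http01 solver defined" >&2
        return 3
    }
    echo "OK: $tier issuer, contact $email"
}

# sample_issuer EMAIL SERVER: constructed manifest in the article's layout,
# parametrised so the lint can be exercised without a cluster.
sample_issuer() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-test
spec:
  acme:
    email: $1
    server: $2
    privateKeySecretRef:
      name: letsencrypt-test-secret
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

# Usage: sh lint-issuer.sh manifests/ClusterIssuer-letsencrypt-prod.yaml
if [ $# -gt 0 ]; then
    lint_issuer < "$1"
fi
```

Wire `lint_issuer` in front of the `kubectl apply` step (for example `sh lint-issuer.sh manifests/ClusterIssuer-letsencrypt-staging.yaml && kubectl apply -f ...`) so a leftover placeholder is caught on the workstation instead of showing up later as a ClusterIssuer that never becomes Ready.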
