Microk8s Cert-manager
Revision as of 13:39, 23 August 2021 by Busk (talk | contribs) (Busk moved page Microk8s Cert-managet to Microk8s Cert-manager without leaving a redirect )
Install
https://cert-manager.io/docs/installation/
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
$ curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
$ tar xzf kubectl-cert-manager.tar.gz
$ sudo mv kubectl-cert_manager /usr/local/bin
Verify
https://cert-manager.io/docs/installation/verify/
Options
https://cert-manager.io/docs/installation/helm/
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.0/cert-manager.crds.yaml
kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
kubectl delete namespace cert-manager
kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/vX.Y.Z/cert-manager.crds.yaml
kubectl delete apiservice v1beta1.webhook.cert-manager.io # if stuck
Other
https://www.reddit.com/r/kubernetes/comments/g3z5sp/microk8s_with_certmanager_and_letsecncrypt/
Yes, I got it working today.

Prerequisites: your microk8s cluster MUST be accessible from the Internet on ports 80 and 443 via the domains you need to get certificates for. If you're running microk8s on your home computer it means that you have to set up port forwarding on your home router and the domains must resolve to its external IP address.

Enable required addons: ingress is required to perform http01 challenges

microk8s enable helm3 ingress

Install cert-manager and specify Let's Encrypt issuer (will be created later) as default for Ingress resources:

microk8s kubectl create namespace cert-manager
microk8s helm3 repo add jetstack https://charts.jetstack.io
microk8s helm3 repo update
microk8s helm3 install cert-manager jetstack/cert-manager \
  --namespace cert-manager --version v0.15.2 \
  --set installCRDs=true \
  --set ingressShim.defaultIssuerName=letsencrypt-production \
  --set ingressShim.defaultIssuerKind=ClusterIssuer \
  --set ingressShim.defaultIssuerGroup=cert-manager.io

Create production Let's Encrypt issuer (don't forget to change email to yours):

microk8s kubectl apply -f - <<YAML
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    email: CHANGE-ME@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-production-issuer-account-key
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx
YAML

AND THAT'S IT! Now all you need is to specify the kubernetes.io/tls-acme: "true" annotation and domain names in the tls section of the ingress. Like this:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: "example-com-tls-acme"
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: "example-com"
          servicePort: 80

cert-manager will automatically issue the certificate and place it into the secret named in the Ingress.
Tested today with microk8s 1.18.4 and cert-manager 0.15.2
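A check of the outcome the post above describes, added here as an example (it is not part of the Reddit post or of cert-manager): it reads the JSON printed by microk8s kubectl get certificates --all-namespaces -o json and lists Certificate resources whose Ready condition is not True or whose status.notAfter is close. The function name, the 14-day threshold and the sample data are assumptions made for this example.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `kubectl get certificates -A -o json` output (not from a real cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "example-com-tls-acme"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}],
                "notAfter": "2021-11-20T10:00:00Z"}},
    {"metadata": {"namespace": "default", "name": "pending-tls-acme"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "reason": "InProgress",
                                "message": "Waiting for CertificateRequest"}]}},
    {"metadata": {"namespace": "web", "name": "stale-tls-acme"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}],
                "notAfter": "2021-09-01T10:00:00Z"}},
]})


def find_problems(cert_list_json, now, min_days_left=14):
    """Return (namespace/name, reason) for each Certificate that is not Ready or near expiry."""
    problems = []
    for item in json.loads(cert_list_json).get("items", []):
        ref = "{}/{}".format(item["metadata"]["namespace"], item["metadata"]["name"])
        status = item.get("status") or {}
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
        if ready is None or ready.get("status") != "True":
            # A challenge that cannot complete (e.g. port 80 unreachable) leaves the cert here.
            detail = ready.get("message", "") if ready else "no Ready condition yet"
            problems.append((ref, "not ready: " + detail))
            continue
        not_after = status.get("notAfter")
        if not_after is None:
            problems.append((ref, "ready but no notAfter recorded"))
            continue
        expires = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires - now < timedelta(days=min_days_left):
            problems.append((ref, "expires {} within {} days".format(not_after, min_days_left)))
    return problems


if __name__ == "__main__":
    # Pipe real kubectl output in, or run from a terminal without a pipe to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = find_problems(data, datetime.now(timezone.utc))
    for ref, reason in found:
        print(ref + ": " + reason)
    sys.exit(1 if found else 0)
```

The non-zero exit status on any finding makes it usable from cron or a monitoring probe.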
https://www.madalin.me/wpk8s/2021/050/microk8s-letsencrypt-cert-manager-https.html