Introduction:
In the realm of Kubernetes, managing SSL/TLS certificates can be a daunting task, especially as your infrastructure scales. Handling certificate issuance, renewal, and rotation across various services and applications requires precision and automation. This is where cert-manager, a popular Kubernetes certificate management controller, comes into play. In this guide, we’ll explore how to leverage cert-manager along with Helm, Kubernetes’ package manager, to streamline certificate management within your cluster.
What is cert-manager?
Cert-manager is a Kubernetes add-on that simplifies the process of managing X.509 certificates. It automates the issuance, renewal, and revocation of certificates, integrating seamlessly with various certificate authorities (CAs) such as Let’s Encrypt, Venafi, and more. Cert-manager utilizes Custom Resource Definitions (CRDs) to define certificate configurations, making it easy to manage certificates as Kubernetes resources.
Why Use Helm?
Helm is Kubernetes’ package manager, allowing you to define, install, and manage Kubernetes applications using pre-configured package charts. Leveraging Helm simplifies the deployment and management of complex applications, reducing manual intervention and ensuring consistency across environments. Integrating cert-manager with Helm further streamlines the certificate management process, enabling you to define certificate configurations alongside your application deployments.
Installing cert-manager with Helm
To begin, ensure Helm is installed and configured to access your Kubernetes cluster. Once Helm is set up, follow these steps to install cert-manager:
1. Add cert-manager Helm repository:
helm repo add jetstack https://charts.jetstack.io
helm repo update
2. Install cert-manager:
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.5.3 --set installCRDs=true
3. Verify the cert-manager installation:
kubectl get pods --namespace cert-manager
4. Define a ClusterIssuer:
Next, define a ClusterIssuer resource that tells cert-manager how to obtain TLS certificates. This example uses Let’s Encrypt as the issuer.
Create a file named cluster-issuer.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Apply the ClusterIssuer to your cluster:
kubectl apply -f cluster-issuer.yaml
5. Define a Certificate Resource:
Now, let’s define a Certificate resource to request a TLS certificate for your domain.
Create a file named certificate.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
Apply the Certificate to your cluster:
kubectl apply -f certificate.yaml
Inspect the Certificate resource and look at its Status section to see whether the certificate has been issued and stored in the specified Secret (example-com-tls).
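As an added example (not part of the original guide), here is a small Python checker that reads a Certificate object in the form produced by kubectl get certificate example-com -n default -o json and reports whether it is Ready, why it is not, how many days remain before notAfter, and whether renewalTime has passed without a renewal. The two embedded objects are constructed samples shaped like real cert-manager v1 Certificates, not captured from a cluster; the check_cert.py filename in the comment is a placeholder.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed samples shaped like 'kubectl get certificate example-com -n default -o json';
# they are not captured from a real cluster.
READY_CERT = json.loads("""{
  "kind": "Certificate", "metadata": {"name": "example-com", "namespace": "default"},
  "spec": {"secretName": "example-com-tls", "dnsNames": ["example.com"],
           "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
  "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                             "message": "Certificate is up to date and has not expired"}],
             "notBefore": "2024-01-01T00:00:00Z", "notAfter": "2024-03-31T00:00:00Z",
             "renewalTime": "2024-03-01T00:00:00Z"}}""")
STUCK_CERT = json.loads("""{
  "kind": "Certificate", "metadata": {"name": "example-com", "namespace": "default"},
  "spec": {"secretName": "example-com-tls", "dnsNames": ["example.com"],
           "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
  "status": {"conditions": [
      {"type": "Ready", "status": "False", "reason": "DoesNotExist",
       "message": "Issuing certificate as Secret does not exist"},
      {"type": "Issuing", "status": "True", "reason": "Pending",
       "message": "Waiting on certificate issuance from order default/example-com-1"}]}}""")

def parse_time(ts):
    """cert-manager writes RFC 3339 UTC timestamps such as 2024-03-31T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def condition(cert, ctype):
    """Return the .status.conditions entry of the given type, or None if absent."""
    return next((c for c in cert.get("status", {}).get("conditions", []) if c["type"] == ctype), None)

def assess(cert, now_ts=None):
    """Summarise a Certificate: Ready or not, the reason, days until notAfter, and whether
    renewalTime has already passed (a renewal that never happened is a future outage)."""
    now = parse_time(now_ts) if now_ts else datetime.now(timezone.utc)
    ready, issuing, status = condition(cert, "Ready"), condition(cert, "Issuing"), cert.get("status", {})
    return {
        "secret": cert["spec"]["secretName"],
        "ready": bool(ready and ready["status"] == "True"),
        "reason": ready["reason"] if ready else None,
        "issuing": bool(issuing and issuing["status"] == "True"),
        "days_left": (parse_time(status["notAfter"]) - now).days if "notAfter" in status else None,
        "renewal_overdue": "renewalTime" in status and now > parse_time(status["renewalTime"]),
    }

if __name__ == "__main__":
    # Pipe a live object in: kubectl get certificate example-com -n default -o json | python3 check_cert.py -
    cert = json.load(sys.stdin) if "-" in sys.argv[1:] else READY_CERT
    print(json.dumps(assess(cert), indent=2))
```

Without the - argument the script evaluates the embedded Ready sample, so it can be run offline to see the report shape before pointing it at a cluster.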
Conclusion:
Congratulations! You’ve installed cert-manager in your Kubernetes cluster and obtained a TLS certificate for your domain. With cert-manager, issuance and renewal of TLS certificates are automated, keeping communication with your applications secured without manual rotation.