Cert-Manager
Cert-Manager gives you free SSL certificates. Who doesn't like that?
It basically uses Let's Encrypt to encapsulate all the logic required to prove your ownership of a domain. Plus, it is able to do certificate provisioning dynamically based on your Ingress definitions.
Basic configuration
Once you installed Cert-Manager, you have to define a custom resource to configure:
- your email, so Let's Encrypt can give you heads-ups about expiring certifications
- the domain verification strategy
- the ingress class
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: laszlo@gimlet.io
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
From here on, for every Ingress
resource you create, Cert-Manager will try to provision an SSL certificate.
Day-two operations
When certificates are not provisioned
It is good practice to check the logs of the Cert-Manager pods. You will see some activity when you create or recreate an ingress.
If the logs keep displaying the same messages, or if there is no activity at all, you can browse the custom resources (CRDs) Cert-Manager places on your cluster.
To list the Cert-Manager related CRDs:
$kubectl get crds | grep cert
certificaterequests.cert-manager.io 2020-09-15T07:44:28Z
certificates.cert-manager.io 2020-09-15T07:44:28Z
challenges.acme.cert-manager.io 2020-09-15T07:44:28Z
clusterissuers.cert-manager.io 2020-09-15T07:44:28Z
issuers.cert-manager.io 2020-09-15T07:44:28Z
orders.acme.cert-manager.io 2020-09-15T07:44:28Z
To see your certificates and ongoing provisions:
kubectl get certificates.cert-manager.io -A
kubectl get certificaterequests.cert-manager.io -A
kubectl get orders.acme.cert-manager.io -A
If you located the resources that are related to your ingress, try running kubectl describe
on them to reveal error messages. Eventually, delete the custom resources to trigger a retry in the provisioning process.
Updating Cert-Manager
Cert-Manager updates are usually seamless, but keep an eye out for the release notes, as the project does a very good job at highlighting possible breaking changes in each update.
If you use Gimlet Stack's curated update stream, you will get notified, if an update needs special attention.