Cert-Manager

Cert-Manager gives you free SSL certificates. Who doesn't like that?

It basically uses Let's Encrypt to encapsulate all the logic required to prove your ownership of a domain. Plus, it is able to do certificate provisioning dynamically based on your Ingress definitions.

Basic configuration

Once you have installed Cert-Manager, you have to define a custom resource that configures:

  • your email, so Let's Encrypt can give you heads-ups about expiring certificates
  • the domain verification strategy
  • the ingress class

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: laszlo@gimlet.io
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

From here on, for every Ingress resource you create, Cert-Manager will try to provision an SSL certificate.

Day-two operations

When certificates are not provisioned

It is good practice to check the logs of the Cert-Manager pods. You will see some activity when you create or recreate an ingress.

If the logs keep displaying the same messages, or if there is no activity at all, you can inspect the custom resources that Cert-Manager places on your cluster.

To list the Cert-Manager related CRDs:

$ kubectl get crds | grep cert

certificaterequests.cert-manager.io 2020-09-15T07:44:28Z
certificates.cert-manager.io 2020-09-15T07:44:28Z
challenges.acme.cert-manager.io 2020-09-15T07:44:28Z
clusterissuers.cert-manager.io 2020-09-15T07:44:28Z
issuers.cert-manager.io 2020-09-15T07:44:28Z
orders.acme.cert-manager.io 2020-09-15T07:44:28Z

To see your certificates and ongoing provisions:

kubectl get certificates.cert-manager.io -A
kubectl get certificaterequests.cert-manager.io -A
kubectl get orders.acme.cert-manager.io -A

Once you have located the resources related to your ingress, run kubectl describe on them to reveal error messages. If that does not resolve it, delete the custom resources to trigger a retry of the provisioning process.
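The checks above as one script, added here as an example (it is not part of the Gimlet docs or of the cert-manager project). It assumes kubectl on PATH with cluster access for the live function, the cert-manager.io/v1 resource layout used by the ClusterIssuer above, and a constructed sample of kubectl's table output so the parsing part can be tried without a cluster.

```shell
#!/bin/sh
# Added helper, not from the Gimlet docs: find Certificates that cert-manager has
# not brought to Ready and surface the resources where the error text lives.
# Assumes kubectl on PATH with cluster access (live function only).

# Columns requested from kubectl; READY is the status of the Certificate's
# "Ready" condition, printed as "<none>" while no condition has been set yet.
CERT_COLUMNS='NAMESPACE:.metadata.namespace,NAME:.metadata.name,READY:.status.conditions[?(@.type=="Ready")].status,SECRET:.spec.secretName'

# Reads that custom-columns table on stdin and prints "namespace name" for every
# certificate whose Ready condition is anything other than True (False, Unknown,
# or not set yet).
unready_certs() {
  awk 'NR > 1 && $3 != "True" { print $1, $2 }'
}

# Live check: for each not-Ready certificate, describe it, list the Orders in its
# namespace and describe the Challenges, whose events carry the ACME failure
# reason for the HTTP01 solver.
describe_unready() {
  kubectl get certificates.cert-manager.io -A -o custom-columns="$CERT_COLUMNS" |
    unready_certs |
    while read -r ns name; do
      echo "=== $ns/$name is not Ready ==="
      kubectl describe certificates.cert-manager.io "$name" -n "$ns"
      kubectl get orders.acme.cert-manager.io -n "$ns"
      kubectl describe challenges.acme.cert-manager.io -n "$ns"
    done
}

# Constructed sample of the custom-columns output, used to exercise the parser
# without a cluster: one healthy certificate, one failed, one still pending.
SAMPLE='NAMESPACE   NAME          READY    SECRET
default     example-tls   True     example-tls
staging     api-tls       False    api-tls
staging     new-tls       <none>   new-tls'

printf '%s\n' "$SAMPLE" | unready_certs
```

Against a real cluster, call describe_unready instead of the final sample line; it only reads resources, so it is safe to run repeatedly while you wait for a retry.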

Updating Cert-Manager

Cert-Manager updates are usually seamless, but keep an eye out for the release notes, as the project does a very good job at highlighting possible breaking changes in each update.

If you use Gimlet Stack's curated update stream, you will get notified if an update needs special attention.