diff --git a/.spelling b/.spelling index 8d65e7cecc3..79105dc17c6 100644 --- a/.spelling +++ b/.spelling @@ -44,6 +44,7 @@ CloudFlare ClusterRole ClusterIssuer ClusterIssuers +cmctl CNAME CNAMEs CNI @@ -164,6 +165,7 @@ PKCS#12 PKCS#8 Prometheus propagations +powershell publicised RBAC rebase @@ -183,6 +185,8 @@ Runtime Smallstep SOA stdout +subcommand +subcommands subdomain (sub)domains subdomains @@ -302,6 +306,7 @@ issuances HTTPRoute gatewayhttproute-labels gatewayhttproute-service-type +zsh # As per https://tools.ietf.org/html/rfc5280, the spelling "X.509" is the # correct spelling. The spelling "x509" and "X509" are incorrect. diff --git a/_redirects b/_redirects index 110a4411d3f..557a9971b8f 100644 --- a/_redirects +++ b/_redirects 
@@ -20,3 +20,18 @@ https://cert-manager.io/docs/installation/kubernetes/ https://cert-manager.io/do https://cert-manager.io/docs/installation/openshift/ https://cert-manager.io/docs/installation/supported-releases/ https://cert-manager.io/docs/installation/uninstall/kubernetes/ https://cert-manager.io/docs/installation/uninstall/ https://cert-manager.io/docs/installation/uninstall/openshift/ https://cert-manager.io/docs/installation/uninstall/ + +# In v1.6 we released 'cmctl' which is considered a better CLI experience than +# 'kubectl cert-manager'. The 'cmctl' page became the source of truth for all +# subcommands so the old references to 'kubectl cert-manager' are redirected +# there. +https://cert-manager.io/docs/usage/kubectl-plugin/#commands https://cert-manager.io/docs/usage/cmctl/#commands +https://cert-manager.io/docs/usage/kubectl-plugin/#approve-deny https://cert-manager.io/docs/usage/cmctl/#approve-and-deny-certificaterequests +https://cert-manager.io/docs/usage/kubectl-plugin/#convert https://cert-manager.io/docs/usage/cmctl/#convert +https://cert-manager.io/docs/usage/kubectl-plugin/#create https://cert-manager.io/docs/usage/cmctl/#create +https://cert-manager.io/docs/usage/kubectl-plugin/#certificaterequest https://cert-manager.io/docs/usage/cmctl/#certificaterequest +https://cert-manager.io/docs/usage/kubectl-plugin/#renew https://cert-manager.io/docs/usage/cmctl/#renew +https://cert-manager.io/docs/usage/kubectl-plugin/#status-certificate https://cert-manager.io/docs/usage/cmctl/#status-certificate +https://cert-manager.io/docs/usage/kubectl-plugin/#completion https://cert-manager.io/docs/usage/cmctl/#completion +https://cert-manager.io/docs/usage/kubectl-plugin/#experimental https://cert-manager.io/docs/usage/cmctl/#experimental +https://cert-manager.io/docs/usage/kubectl-plugin/#certificatesigningrequest https://cert-manager.io/docs/usage/cmctl/#certificatesigningrequest 
diff --git a/content/en/docs/configuration/acme/dns01/akamai.md b/content/en/docs/configuration/acme/dns01/akamai.md index d08a931817f..c0a9e167fe7 100644 --- a/content/en/docs/configuration/acme/dns01/akamai.md +++ b/content/en/docs/configuration/acme/dns01/akamai.md @@ -84,5 +84,5 @@ kubectl describe certificate example-zone Follow the `cert-manager` events to identify any issues with a command such as the following. ```bash -kubectl cert-manager status certificate example-zone +cmctl status certificate example-zone ``` diff --git a/content/en/docs/faq/_index.md b/content/en/docs/faq/_index.md index bb160020a2a..fa833a5a7e4 100644 --- a/content/en/docs/faq/_index.md +++ b/content/en/docs/faq/_index.md @@ -18,7 +18,7 @@ face: ### Can I trigger a renewal from cert-manager at will? -This is a feature in cert-manager starting in `v0.16` using the kubectl plugin. More information can be found on [the renew command's page](../usage/kubectl-plugin/#renew) +This is a feature in cert-manager starting in `v0.16` using the `cmctl` CLI. More information can be found on [the renew command's page](../usage/cmctl/#renew) ### Why isn't my root certificate in my issued Secret's `tls.crt`? diff --git a/content/en/docs/installation/_index.md b/content/en/docs/installation/_index.md index 9cea89c9754..51b91fa7093 100644 --- a/content/en/docs/installation/_index.md +++ b/content/en/docs/installation/_index.md 
@@ -23,9 +23,9 @@ More information on this install method [can be found here](./kubectl/). > You quickly want to learn how to use cert-manager and what it can be used for. -We recommend [kubectl cert-manager x install](./kubectl-plugin/) to quickly install cert-manager and [interact with cert-manager resources](../usage/kubectl-plugin/) from the command line. +We recommend [cmctl x install](./cmctl/) to quickly install cert-manager and [interact with cert-manager resources](../usage/cmctl/) from the command line. -Or if you prefer Helm or if you don't want to install the `kubectl cert-manager` plugin, you can [use helm to install cert-manager](./helm/). +Or if you prefer Helm or if you don't want to install `cmctl`, you can [use helm to install cert-manager](./helm/). In case you are running on an OpenShift cluster, consider installing via [cert-manager on OperatorHub.io](./operator-lifecycle-manager/). @@ -33,8 +33,8 @@ In case you are running on an OpenShift cluster, consider installing via [cert-m > You know how to configure your cert-manager setup and want to automate this. -You can use either `helm template` or `kubectl cert-manager x install --dry-run` to generate customized cert-manager installation manifests. -See [Output YAML using kubectl cert-manager x install](./kubectl-plugin/#output-yaml) and [Output YAML using helm template](./helm/#output-yaml) for more details. +You can use either `helm template` or `cmctl x install --dry-run` to generate customized cert-manager installation manifests. +See [Output YAML using cmctl x install](./cmctl/#output-yaml) and [Output YAML using helm template](./helm/#output-yaml) for more details. This templated cert-manager manifest can be piped into your preferred deployment tool. In case you are using Helm for automation, cert-manager [supports installing using Helm](./helm/). diff --git a/content/en/docs/installation/cmctl.md b/content/en/docs/installation/cmctl.md new file mode 100644 index 00000000000..274574ad418 
--- /dev/null +++ b/content/en/docs/installation/cmctl.md @@ -0,0 +1,42 @@ +--- +title: "cmctl" +linkTitle: "cmctl" +weight: 21 +type: "docs" +--- + +## Installing using cmctl + +### Prerequisites + +- [Install the cert-manager CLI cmctl](../../usage/cmctl/#installation). +- Install a [supported version of Kubernetes or OpenShift](../supported-releases/). +- Read [Compatibility with Kubernetes Platform Providers](../compatibility/) if you are using Kubernetes on a cloud platform. + +### Steps + +The CLI provides the simplest way of installing cert-manager: +```bash +$ cmctl x install +``` +The command makes sure that the required `CustomResourceDefinitions` are installed together with the cert-manager, cainjector and webhook components. +Under the hood, a procedure similar to the [Helm install procedure](../helm/#steps) is used. + +You can also use `cmctl x install` to customize the installation of cert-manager. + +The example below shows how to tune the cert-manager installation by overwriting the default Helm values: + +```bash +$ cmctl x install \ + --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter + --set webhook.timeoutSeconds=4s # Example: changing the wehbook timeout using a Helm parameter +``` +You can find [a full list of the install parameters on cert-manager's ArtifactHub page](https://artifacthub.io/packages/helm/cert-manager/cert-manager#configuration). These are the same parameters that are available when using the Helm chart. +Once you have deployed cert-manager, you can [verify](../verify/) the installation. + +### Output YAML + +The CLI also allows the user to output the templated manifest to `stdout`, instead of installing the manifest on the cluster. +```bash +$ cmctl x install --dry-run > cert-manager.custom.yaml +``` diff --git a/content/en/docs/installation/verify.md b/content/en/docs/installation/verify.md index 42a374cc4b2..6d4b4a7e45c 100644 --- a/content/en/docs/installation/verify.md 
+++ b/content/en/docs/installation/verify.md @@ -7,13 +7,13 @@ type: "docs" ## Check cert-manager API -First, make sure that the [cert-manager kubectl plugin is installed](../../usage/kubectl-plugin/#installation). +First, make sure that [cmctl is installed](../../usage/cmctl/#installation). -This kubectl plugin performs a dry-run certificate creation check against the Kubernetes cluster. +cmctl performs a dry-run certificate creation check against the Kubernetes cluster. If successful, the message `The cert-manager API is ready` is displayed. ```bash -$ kubectl cert-manager check api +$ cmctl check api The cert-manager API is ready ``` @@ -21,7 +21,7 @@ The command can also be used to wait for the check to be successful. Here is an output example of running the command at the same time that cert-manager is being installed: ```bash -$ kubectl cert-manager check api --wait=2m +$ cmctl check api --wait=2m Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server Not ready: the cert-manager webhook deployment is not ready yet diff --git a/content/en/docs/usage/certificate.md b/content/en/docs/usage/certificate.md index b8a3d850e6c..41325e9bd3b 100644 --- a/content/en/docs/usage/certificate.md +++ b/content/en/docs/usage/certificate.md 
@@ -216,21 +216,20 @@ certificate object is reissued under the following circumstances: `subject`, `isCA`, `usages`, `duration` or `issuerRef`; - when a reissuance is manually triggered with the following: ```sh - kubectl cert-manager renew cert-1 + cmctl renew cert-1 ``` - Note that the above command requires the [kubectl - cert-manager](../kubectl-plugin/#renew) plugin. + Note that the above command requires [cmctl](../cmctl/#renew). {{% pageinfo color="warning" %}} **❌** Deleting the Secret resource associated with a Certificate resource is **not a recommended solution** for manually rotating the private key. The recommended way to manually rotate the private key is to trigger the reissuance -of the Certificate resource with the following command (requires the [`kubectl -cert-manager`](../kubectl-plugin/#renew) plugin): +of the Certificate resource with the following command (requires +[`cmctl`](../cmctl/#renew)): ```sh -kubectl cert-manager renew cert-1 +cmctl renew cert-1 ``` {{% /pageinfo %}} diff --git a/content/en/docs/usage/cmctl.md b/content/en/docs/usage/cmctl.md new file mode 100644 index 00000000000..2bca236ca96 --- /dev/null +++ b/content/en/docs/usage/cmctl.md 
@@ -0,0 +1,252 @@ +--- +title: "cmctl" +linkTitle: "cmctl" +weight: 100 +type: "docs" +--- + +`cmctl` is a CLI tool that can help you to manage cert-manager resources inside +your cluster. + +While also available as a [kubectl plugin](../kubectl-plugin/), it is recommended +to use as a stand alone binary as this allows the use of command +[auto-completion](#completion). + +## Installation + +You need the `cmctl.tar.gz` file for the platform you're using, these can be +found on our +[GitHub releases page](https://github.com/jetstack/cert-manager/releases). +In order to use `cmctl` you need its binary to be accessible under +the name `cmctl` in your `$PATH`. +Run the following commands to set up the CLI. Replace OS and ARCH with your +systems equivalents: + +```console +OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -L -o cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +tar xzf cmctl.tar.gz +sudo mv cmctl /usr/local/bin +``` + +You can run `cmctl help` to test the CLI is set up properly: + +```console +$ cmctl help + +cmctl is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: cmctl [command] + +Available Commands: + approve Approve a CertificateRequest + check Check cert-manager components + completion Generate completion scripts for the cert-manager CLI + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + deny Deny a CertificateRequest + experimental Interact with experimental features + help Help about any command + inspect Get details on certificate related resources + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the cert-manager CLI version and the deployed cert-manager version + +Flags: + -h, --help help for cmctl + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + +Use "cmctl [command] --help" for 
more information about a command. +``` + +## Commands + +### Approve and Deny CertificateRequests + +CertificateRequests can be +[approved or denied](../../concepts/certificaterequest/#approval) using their +respective cmctl commands: + +> **Note**: The internal cert-manager approver may automatically approve all +> CertificateRequests unless disabled with the flag on the cert-manager-controller +> `--controllers=*,-certificaterequests-approver` + +```bash +$ cmctl approve -n istio-system mesh-ca --reason "pki-team" --message "this certificate is valid" +Approved CertificateRequest 'istio-system/mesh-ca' +``` + +```bash +$ cmctl deny -n my-app my-app --reason "example.com" --message "violates policy" +Denied CertificateRequest 'my-app/my-app' +``` + +### Convert + +`cmctl convert` can be used to convert cert-manager manifest files between +different API versions. Both YAML and JSON formats are accepted. The command +either takes a file name, directory path, or a URL as input. The contents is +converted into the format of the latest API version known to cert-manager, or +the one specified by `--output-version` flag. + +The default output will be printed to stdout in YAML format. One can use the +option `-o` to change the output destination. + +For example, this will output `cert.yaml` in the latest API version: + +```console +cmctl convert -f cert.yaml +``` + +### Create + +`cmctl create` can be used to create cert-manager resources manually. +Sub-commands are available to create different resources: + +#### CertificateRequest + +To create a cert-manager CertificateRequest, use `cmctl create +certificaterequest`. The command takes in the name of the CertificateRequest to +be created, and creates a new CertificateRequest resource based on the YAML +manifest of a Certificate resource as specified by `--from-certificate-file` +flag, by generating a private key locally and creating a 'certificate signing +request' to be submitted to a cert-manager Issuer. 
The private key will be +written to a local file, where the default is `.key`, or it can be +specified using the `--output-key-file` flag. + +If you wish to wait for the CertificateRequest to be signed and store the X.509 +certificate in a file, you can set the `--fetch-certificate` flag. The default +timeout when waiting for the issuance of the certificate is 5 minutes, but can +be specified with the `--timeout` flag. The default name of the file storing the +X.509 certificate is `.crt`, you can use the ` +--output-certificate-file` flag to specify otherwise. + +Note that the private key and the X.509 certificate are both written to file, +and are **not** stored inside Kubernetes. + +For example this will create a CertificateRequest resource with the name "my-cr" +based on the cert-manager Certificate described in `my-certificate.yaml` while +storing the private key and X.509 certificate in `my-cr.key` and `my-cr.crt` +respectively. + +```console +cmctl create certificaterequest my-cr --from-certificate-file my-certificate.yaml --fetch-certificate --timeout 20m +``` + +### Renew + +`cmctl` allows you to manually trigger a renewal of a specific certificate. 
+This can be done either one certificate at a time, using label selectors (`-l app=example`), or with the `--all` flag: + +For example, you can renew the certificate `example-com-tls`: +```console +$ kubectl get certificate +NAME READY SECRET AGE +example-com-tls True example-com-tls 1d + +$ cmctl renew example-com-tls +Manually triggered issuance of Certificate default/example-com-tls + +$ kubectl get certificaterequest +NAME READY AGE +example-com-tls-tls-8rbv2 False 10s +``` + +You can also renew all certificates in a given namespace: + +```console +$ cmctl renew --namespace=app --all +``` + +The renew command allows several options to be specified: +* `--all` renew all Certificates in the given Namespace, or all namespaces when combined with `--all-namespaces` +* `-A` or `--all-namespaces` mark Certificates across namespaces for renewal +* `-l` `--selector` allows set a label query to filter on +as well as `kubectl` like global flags like `--context` and `--namespace`. + +### Status Certificate + +`cmctl status certificate` outputs the details of the current status of a +Certificate resource and related resources like CertificateRequest, Secret, +Issuer, as well as Order and Challenges if it is a ACME Certificate. The +command outputs information about the resources, including Conditions, Events +and resource specific fields like Key Usages and Extended Key Usages of the +Secret or Authorizations of the Order. This will be helpful for troubleshooting +a Certificate. + +The command takes in one argument specifying the name of the Certificate +resource and the namespace can be specified as usual with the `-n` or +`--namespace` flag. + +This example queries the status of the Certificate named `my-certificate` in +namespace `my-namespace`. + +```console +cmctl status certificate my-certificate -n my-namespace +``` + +### Completion + +`cmctl` supports auto-completion for both subcommands as well as suggestions for +runtime objects. 
+ +```console +$ cmctl approve -n +default kube-node-lease kube-public kube-system local-path-storage +``` + +Completion can be installed for your environment by following the instructions +for the shell you are using. It currently supports bash, fish, zsh, and +powershell. + +```console +$ cmctl completion help +``` + +--- + +### Experimental +`cmctl x` has experimental sub-commands for operations which are currently under +evaluation to be included into cert-manager proper. The behavior and interface +of these commands are subject to change or removal in future releases. + + +#### Create +`cmctl x create` can be used to create cert-manager resources manually. +Sub-commands are available to create different resources: + +##### CertificateSigningRequest +To create a [CertificateSigningRequest](../kube-csr/), use +```console +cmctl x create csr` +``` +This command takes the name of the CertificateSigningRequest to be created, as +well as a file containing a Certificate manifest (`-f, +--from-certificate-file`). This command will generate a private key, based on +the options of the Certificate, and write it to the local file `.key`, or +specified by `-k, --output-key-file`. + +```bash +$ cmctl x create csr -f my-cert.yaml my-req +``` + + +{{% pageinfo color="warning" %}} + +cert-manager **will not** automatically approve CertificateSigningRequests. If +you are not running a custom approver in your cluster, you will likely need to +manually approve the CertificateSigningRequest: + +```bash +$ kubectl certificate approve +``` + +{{% /pageinfo %}} + +This command can also wait for the CertificateSigningRequest to be signed using +the flag `-w, --fetch-certificate`. Once signed it will write the resulting +signed certificate to the local file `.crt`, or specified by `-c, +--output-certificate-file`. + +```bash +$ cmctl x create csr -f my-cert.yaml my-req -w +``` 
diff --git a/content/en/docs/usage/kube-csr.md b/content/en/docs/usage/kube-csr.md index 0f4f75f6eb0..76d4588c430 100644 --- a/content/en/docs/usage/kube-csr.md +++ b/content/en/docs/usage/kube-csr.md @@ -156,8 +156,8 @@ Signer annotations: ## Usage -CertificateSigningRequests can be manually created using the -[kubectl cert-manager plugin](../kubectl-plugin/#experimental). +CertificateSigningRequests can be manually created using +[cmctl](../cmctl/#experimental). This command takes a manifest file containing a [Certificate](../../usage/certificate/) resource as input. This generates a private key and creates a CertificateSigningRequest. CertificateSigningRequests diff --git a/content/en/docs/usage/kubectl-plugin.md b/content/en/docs/usage/kubectl-plugin.md index df5c0baad89..e2347aff00c 100644 --- a/content/en/docs/usage/kubectl-plugin.md +++ b/content/en/docs/usage/kubectl-plugin.md @@ -5,7 +5,12 @@ weight: 100 type: "docs" --- -`kubectl cert-manager` is a [kubectl plugin](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) that can help you to manage cert-manager resources inside your cluster. +`kubectl cert-manager` is a [kubectl +plugin](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) that +can help you to manage cert-manager resources inside your cluster. + +While the kubectl plugin is supported, it is recommended to use +[cmctl](../cmctl/) as this enables a better experience via tab auto-completion. ## Installation You need the `kubectl-cert-manager.tar.gz` file for the platform you're using, these can be found on our [GitHub releases page](https://github.com/jetstack/cert-manager/releases). 
@@ -23,11 +28,11 @@ $ kubectl cert-manager help kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes -Usage: - kubectl cert-manager [command] +Usage: kubectl cert-manager [command] Available Commands: approve Approve a CertificateRequest + check Check cert-manager components convert Convert cert-manager config files between different API versions create Create cert-manager resources deny Deny a CertificateRequest 
@@ -36,173 +41,18 @@ Available Commands: inspect Get details on certificate related resources renew Mark a Certificate for manual renewal status Get details on current status of cert-manager resources - version Print the kubectl cert-manager version + version Print the cert-manager CLI version and the deployed cert-manager version Flags: - --as string Username to impersonate for the operation - --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. - --cache-dir string Default cache directory (default "~/.kube/cache") - --certificate-authority string Path to a cert file for the certificate authority - --client-certificate string Path to a client certificate file for TLS - --client-key string Path to a client key file for TLS - --cluster string The name of the kubeconfig cluster to use - --context string The name of the kubeconfig context to use - -h, --help help for cert-manager - --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure - --kubeconfig string Path to the kubeconfig file to use for CLI requests. + -h, --help help for kubectl cert-manager --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) - --match-server-version Require server version to match client version - -n, --namespace string If present, the namespace scope for this CLI request - --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") - -s, --server string The address and port of the Kubernetes API server - --tls-server-name string Server name to use for server certificate validation. 
If it is not provided, the hostname used to contact the server is used - --token string Bearer token for authentication to the API server - --user string The name of the kubeconfig user to use Use "kubectl cert-manager [command] --help" for more information about a command. ``` ## Commands -### Renew -> **Note**: for cert-manager `v0.15` this feature requires the `ExperimentalCertificateControllers` feature gate set. -> From cert-manager `v0.16` onward, the experimental certificate controller is the default. - -`kubectl cert-manager renew` allows you to manually trigger a renewal of a specific certificate. -This can be done either one certificate at a time, using label selectors (`-l app=example`), or with the `--all` flag: - -For example you can renew the certificate `example-com-tls`: -```console -$ kubectl get certificate -NAME READY SECRET AGE -example-com-tls True example-com-tls 1d - -$ kubectl cert-manager renew example-com-tls -Manually triggered issuance of Certificate default/example-com-tls - -$ kubectl get certificaterequest -NAME READY AGE -example-com-tls-tls-8rbv2 False 10s -``` - -You can also renew all certificates in a given namespace: -```console -$ kubectl cert-manager renew --namespace=app --all -``` - -The renew command allows several options to be specified: -* `--all` renew all Certificates in the given Namespace, or all namespaces when combined with `--all-namespaces` -* `-A` or `--all-namespaces` mark Certificates across namespaces for renewal -* `-l` `--selector` allows set a label query to filter on -as well as `kubectl` global flags like `--context` and `--namespace`. - -### Convert -`kubectl cert-manager convert` can be used to convert cert-manager manifest files between different API versions. Both YAML and JSON formats are accepted. -The command takes file name, directory, or URL as input, and converts into the -format of the latest version or the one specified by --output-version flag. 
- -The default output will be printed to stdout in YAML format. One can use -o option to change the output destination. - -For example this will output `cert.yaml` in the latest API version: -```console -kubectl cert-manager convert -f cert.yaml -``` - -### Create -`kubectl cert-manager create` can be used to create cert-manager resources manually. Sub-commands are available -to create different resources: - -#### CertificateRequest -To create a cert-manager CertificateRequest, use `kubectl cert-manager create certificaterequest`. The command takes in the name of the CertificateRequest to be created, -and creates a new CertificateRequest resource based on the YAML manifest of a Certificate resource as specified by `--from-certificate-file` flag, by generating a private key locally and creating a 'certificate signing request' -to be submitted to a cert-manager Issuer. The private key will be written to a local file, where the default is `.key`, or it can be specified using the `--output-key-file` flag. - -If you wish to wait for the CertificateRequest to be signed and store the X.509 certificate in a file, you can set -the `--fetch-certificate` flag. The default timeout when waiting for the issuance of the certificate is 5 minutes, -but can be specified with the `--timeout` flag. The default name of the file storing the X.509 certificate -is `.crt`, you can use the ` --output-certificate-file` flag to specify otherwise. - -Note that the private key and the X.509 certificate are both written to file, and are **not** stored inside Kubernetes. - -For example this will create a CertificateRequest resource with the name "my-cr" based on the cert-manager Certificate described in `my-certificate.yaml` while storing the -private key and X.509 certificate in `my-cr.key` and `my-cr.crt` respectively. 
-```console -kubectl cert-manager create certificaterequest my-cr --from-certificate-file my-certificate.yaml --fetch-certificate --timeout 20m -``` - -### Status Certificate -`kubectl cert-manager status certificate` outputs the details of the current status of a Certificate resource and related resources like CertificateRequest, Secret, Issuer, as well as Order and Challenges if it is a ACME Certificate. -The command outputs information about the resources, including Conditions, Events and resource specific fields like Key Usages and Extended Key Usages of the Secret or Authorizations of the Order. This will be helpful for troubleshooting a Certificate. - -The command takes in one argument specifying the name of the Certificate resource and the namespace -can be specified as usual with the `-n` or `--namespace` flag. - -This example queries the status of the Certificate named `my-certificate` in namespace `my-namespace`. -```console -kubectl cert-manager status certificate my-certificate -n my-namespace -``` - -### Approve/Deny -CertificateRequests can be [approved or -denied](../../concepts/certificaterequest/#approval) using their respective kubectl plugin commands: - -> **Note**: The internal cert-manager approver may automatically approve all -> CertificateRequests unless disabled with the flag on the cert-manager-controller -> `--controllers=*,-certificaterequests-approver` - -```bash -$ kubectl cert-manager approve -n istio-system mesh-ca --reason "pki-team" --message "this certificate is valid" -Approved CertificateRequest 'istio-system/mesh-ca' -``` - -```bash -$ kubectl cert-manager deny -n my-app my-app --reason "example.com" --message "violates policy" -Denied CertificateRequest 'my-app/my-app' -``` - ---- - -### Experimental -`kubectl cert-manager x` has experimental sub-commands for operations which are -currently under evaluation to be included into cert-manager proper. 
The behavior -and interface of these commands are subject to change or removal in future -releases. - - -#### Create -`kubectl cert-manager x create` can be used to create cert-manager resources manually. Sub-commands are available -to create different resources: - -##### CertificateSigningRequest -To create a [CertificateSigningRequest](../kube-csr/), use `kubectl cert-manager -x create csr`. This command takes the name of the CertificateSigningRequest to -be created, as well as a file containing a Certificate manifest (`-f, ---from-certificate-file`). This command will generate a private key, based on -the options of the Certificate, and write it to the local file `.key`, or -specified by `-k, --output-key-file`. - -```bash -$ kubectl cert-manager x create csr -f my-cert.yaml my-req -``` - - -{{% pageinfo color="warning" %}} - -cert-manager **will not** automatically approve -CertificateSigningRequests. If you are not running a custom approver in your -cluster, you will likely need to manually approve the CertificateSigningRequest: - -```bash -$ kubectl certificate approve -``` - -{{% /pageinfo %}} - -This command can also wait for the CertificateSigningRequest to be signed using -the flag `-w, --fetch-certificate`. Once signed it will write the resulting -signed certificate to the local file `.crt`, or specified by `-c, ---output-certificate-file`. - -```bash -$ kubectl cert-manager x create csr -f my-cert.yaml my-req -w -``` +Please refer to [cmctl](../cmctl/) for command documentation. The plugin +provides the same functionality bar the `completion` subcommand. Commands are +invoked with `kubectl cert-manager` rather than `cmctl`, but function the same +otherwise.
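Review bot: the fourteen new rules in the `_redirects` hunk key on URL fragments (`.../kubectl-plugin/#renew` to `.../cmctl/#renew`), but a browser never sends the `#fragment` part of a URL to the server, so a path-matching redirect file cannot distinguish these rules from one another; every pre-existing rule in the context lines above is path-only for that reason. Since `kubectl-plugin.md` is kept in this same patch and now points readers at `cmctl`, either drop this block, or replace it with a single path rule `https://cert-manager.io/docs/usage/kubectl-plugin/ https://cert-manager.io/docs/usage/cmctl/` if the intent really is to retire the old page (browsers carry the original fragment over to the redirect target, so the per-anchor mapping is unnecessary as long as the anchor names match, which the hunk already arranges for `#commands`, `#renew`, `#convert`, `#create`, `#completion`, `#experimental` and `#certificatesigningrequest`).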
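Review bot: the FAQ hunk now reads "starting in `v0.16` using the `cmctl` CLI", but the comment added to `_redirects` in this same patch says `cmctl` was released in v1.6; the renew feature did arrive in v0.16, via the kubectl plugin, and the sentence as rewritten attributes it to a tool that did not exist then. Suggest "This feature has been available since cert-manager `v0.16`; trigger it with `cmctl renew` (or the `kubectl cert-manager` plugin)" so the version claim and the tool name stay consistent with the rest of the patch.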
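Review bot: the customised install example in the new `installation/cmctl.md` does not work as a shell command. On the line `--set prometheus.enabled=false \ # Example: ...` the backslash escapes the space that follows it, not the newline, `#` then opens a comment and the newline terminates the command; the result is that `cmctl x install --set prometheus.enabled=false ' '` runs on its own and the third line `--set webhook.timeoutSeconds=4s` is executed as a separate command that fails. Put the explanatory comments on their own lines above the command (or in the prose) and keep a bare `\` as the last character of each continued line. While there: `wehbook` should be `webhook`, and it is worth confirming against the chart's documented values (linked in the same hunk) that `webhook.timeoutSeconds` takes the duration string `4s` rather than an integer number of seconds, as its name suggests.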
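Review bot: in the new `usage/cmctl.md`, the fenced block under "CertificateSigningRequest" contains a stray trailing backtick (`cmctl x create csr` followed by a backtick inside the console fence), left over from the inline-code form the sentence had on the kubectl-plugin page; either drop the backtick or move the command back inline. Three smaller items from the same file: the manual-approval example `$ kubectl certificate approve` is missing the CSR name the command requires (`kubectl certificate approve my-req` would match the surrounding example); the installation snippet derives `OS` and `ARCH` from `go env`, which requires a Go toolchain on the workstation, while the prose above it says "Replace OS and ARCH with your systems equivalents", so either state the Go dependency or show plain `OS=linux ARCH=amd64`-style assignments (and "systems" should be "system's"); and the default output file names are given as bare `.key` / `.crt` while the worked example writes `my-cr.key` / `my-cr.crt`, so the two statements should be reconciled. Grammar: "recommended to use as a stand alone binary" should be "recommended to use it as a standalone binary", and "`-l` `--selector` allows set a label query" is missing "you to".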
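Review bot: the trimmed help output in the final `kubectl-plugin.md` hunk now lists only `-h` and `--log-flush-frequency` under Flags, removing `--kubeconfig`, `-n/--namespace`, `--context` and the other client flags, yet the cmctl Renew section that this page now defers to still says the commands accept "`kubectl` like global flags like `--context` and `--namespace`". If the plugin's top-level help genuinely no longer prints those flags, say where they are documented (for example under each subcommand's `--help`); if this was an editorial cut to shorten the listing, keep at least `--kubeconfig`, `--context` and `-n`, since how to target a cluster is the first thing a reader looks for here. The deleted Renew section also carried the note about `v0.15` needing the `ExperimentalCertificateControllers` feature gate; it is not reproduced on the cmctl page, which is reasonable given cmctl postdates it, but the intentional drop is worth a line in the commit message.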