
3.3. Cert manager

Rafał Lorenz edited this page Jun 12, 2020 · 12 revisions

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing keypair, or self-signed.

It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.

Install resources

cert-manager runs within your Kubernetes cluster as a series of deployment resources. It utilises CustomResourceDefinitions to configure Certificate Authorities and request certificates.

Install CRDs

If you have installed the CRDs manually instead of with the --set installCRDs=true option added to your Helm install command, you should upgrade your CRD resources before upgrading the Helm chart:

# Kubernetes 1.15+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml

# Kubernetes <1.15
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager-legacy.crds.yaml
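
The commands above apply a manifest fetched from a URL with client-side validation turned off, so one option is to save the file first and check it before applying. The script below is an added example, not part of this wiki or the go-api-boilerplate project. The function names, return codes and sample manifest are assumptions constructed for illustration, and the pinned digest would be one recorded from a copy you have reviewed.

```shell
#!/bin/sh
# Added example, not from the go-api-boilerplate repository.
# Pre-apply checks for a CRD manifest saved to disk before `kubectl apply`.

# Succeeds only if the SHA-256 of file $1 equals the hex digest $2.
verify_sha256() {
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$2" ]
}

# Prints each top-level "kind:" value other than CustomResourceDefinition.
# Nested kinds (e.g. spec.names.kind) are indented, so they are not matched.
unexpected_kinds() {
    awk '/^kind:/ && $2 != "CustomResourceDefinition" { print $2 }' "$1" | sort -u
}

# Returns 0 if the manifest passes, 1 on digest mismatch,
# 2 if it carries non-CRD objects, 3 if it contains no CRD at all.
check_crd_manifest() {
    manifest=$1; want=$2
    if ! verify_sha256 "$manifest" "$want"; then
        echo "digest mismatch: $manifest" >&2; return 1
    fi
    extra=$(unexpected_kinds "$manifest")
    if [ -n "$extra" ]; then
        echo "non-CRD objects in $manifest: $extra" >&2; return 2
    fi
    grep -q '^kind: CustomResourceDefinition' "$manifest" || return 3
}

# Constructed sample (not the real cert-manager manifest), used for a dry run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
spec:
  names:
    kind: Certificate
EOF
pinned=$(sha256sum "$sample" | awk '{print $1}')  # in practice: a recorded value
check_crd_manifest "$sample" "$pinned" && echo "ok: would run kubectl apply -f $sample"
rm -f "$sample"
```

In real use, download the release file with `curl -fsSLo`, run `check_crd_manifest` on it with your recorded digest, and pass the local file to `kubectl apply -f` only when it returns 0.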

Install cert manager

By default, cert-manager will be installed with the other resources in the go-api-boilerplate namespace.

Add external charts repository

For this to work, you have to add the Jetstack Helm repository:

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update

Turn off

If you already have cert-manager installed, it can be disabled by setting the enabled value to false.

cert-manager:
+  enabled: false
  ingressShim:
    defaultIssuerName: letsencrypt
    defaultIssuerKind: Issuer
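
Review bot: the unchanged lines under `+  enabled: false` still show `defaultIssuerName: letsencrypt`, while the Let's Encrypt Issuer section states that the default issuer was set to self-signed. Update the context lines to match the chart's current defaults, or reduce the snippet to the `cert-manager:` key and the `enabled: false` line so it cannot drift from the values file.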

Let's Encrypt Issuer

The default issuer was set to self-signed due to the Let's Encrypt request https://github.com/vardius/go-api-boilerplate/issues/18. To enable the Let's Encrypt Issuer, please revert the changes made here. Please also remember to set the correct domain and email.