Cert Manager... well manages your certificates! All sorts of certificates! But mainly used to store and manage the certificates for your TLS endpoint.
- Cert Manager docs
- TechnoTim's Guide
- !!WARNING!! USE STAGING BEFORE PRODUCTION FOR CERTS OR YOU RISK BEING BLOCKED FOR 7 days!
- values.yaml file used for installing with Helm w/ default entries.
- application.yaml file used with ArgoCD to automate management of the service.
- Make modifications to application.yaml file so it points to where you are storing your values.file.
- Install the application and wait for the service to appear.
kubectl apply -f application.yaml- Modify the values.yaml file to suit your environment. You can store this values file locally or remotely in a private repository.
- Add service chart to Helm.
helm repo add jetstack https://charts.jetstack.io- Install the service using Helm. Either leave out the
--versionparameter OR change the value to match the CHART version you require.
helm upgrade --install cert-manager jetstack/cert-manager -n cert-manager --create-namespace -f values.yaml --version v1.15.3 --atomicUpdate the application file for the service to use the version you want OR modify the Application in the WebUI by editing the details of the Application and change the chart version to the version you want to upgrade to.
Replay the installation steps above.
Uninstalling the application file directly does not function currently. You have to navigate to the Application in the ArgoCD and delete the application from there. Select 'Foreground'(preferred) or 'Background' to remove the resources OR 'Non-cascading' if you wish to uninstall the application but leave the services there.
- Uninstall the chart using Helm.
helm uninstall cert-manager -n cert-managerGetting a certificate is easy.
- You want to get your cloudflar API token and replace it in the token-secret.yaml file. Then apply the file.
kubectl apply -f token-secret.yaml- Fill out the email and domain in staging-issuer.yaml file. Then apply the file.
kubectl apply -f staging-issuer.yaml- Change what you need in the example staing cert file. Then apply the file... and wait!
kubectl apply -f example-com-staging-cert.yaml && watch -d kubectl get challenges -A- Once the challenge passes, you will have your certificate. Assuming you didn't change much from the files above the staging secret would have been
domain-name-staging-tlsand you want to place it atspec.tls.secretNamein your ingress route. However, if placed in traefik namespace, it seems Traefik automatically picks up the secret and applies the TLS certificate information thus not needing you to add the above to your ingress route manifest. - Finally, go to your endpoint. It will show that it is not protected but staging will do that. Just inspect the certificate in your browser and if you see that it has LetsEncrypt Staging in the details, you know it works. IFF you see staging in the details, then do the same process from step 2 but with production. You want delete the staging certificate you if you like.
kubectl delete certificate -n traefik example-com-staging.