05. November 2022
A guide on how to set up SSL/TLS certificates for your Kubernetes cluster using your Cloudflare account
First we will create a namespace for cert-manager to organize our resources. Either create it directly:

```shell
kubectl create ns cert-manager
```

or put the following in a YAML file (for example test.yaml):

```yaml
kind: Namespace
apiVersion: v1
metadata:
  name: cert-manager
  labels:
    name: cert-manager
```

Apply the YAML file:

```shell
kubectl apply -f test.yaml
```
Now we are going to apply the Custom Resource Definitions that cert-manager uses (the Helm values below set installCRDs: false, so the CRDs are managed separately from the chart):

```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
```
Add the Helm repository:

```shell
helm repo add jetstack https://charts.jetstack.io
```

Update the Helm repos:

```shell
helm repo update
```

Install cert-manager with the values.yaml shown below:

```shell
helm install cert-manager jetstack/cert-manager --namespace cert-manager --values=values.yaml --version v1.9.1
```

To upgrade later:

```shell
helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --values=values.yaml --version v1.9.1
```

To uninstall:

```shell
helm uninstall cert-manager --namespace cert-manager
```
values.yaml:

```yaml
installCRDs: false   # the CRDs were applied manually above
replicaCount: 3
extraArgs:
  # resolve DNS-01 self-checks through public resolvers instead of cluster DNS
  - --dns01-recursive-nameservers-only
  - --dns01-recursive-nameservers=1.1.1.1:53
  - --dns01-self-check-nameservers=1.1.1.1:53
podDnsPolicy: None
podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "1.0.0.1"
```
The issuer will handle validating certificates and issuing new ones. It is a ClusterIssuer, so it is cluster-scoped (it has no namespace) and can be referenced from any namespace:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your_email@provider.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - dns01:
          cloudflare:
            email: your_email@provider.com
            apiTokenSecretRef:
              # for a ClusterIssuer this Secret must live in the cert-manager namespace
              name: cloudflare-api-token-secret
              key: api-token
        selector:
          dnsZones:
            - "your-domain.com"
```

Set the email fields and the dnsZones (the zone must cover every name you will request a certificate for).

You can repeat this for a staging issuer as well, which is useful for testing without hitting the production rate limits:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: your_email@provider.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          cloudflare:
            email: your_email@provider.com
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
        selector:
          dnsZones:
            - "your-domain.com"
```
Get a token from Cloudflare. Create an API token (not the global API key) scoped to your zone with the Zone:DNS:Edit and Zone:Zone:Read permissions that cert-manager needs, and store it in a Secret in the cert-manager namespace so the ClusterIssuers can read it:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: api-token-asdfasdfgasdf-asdfasd   # placeholder, replace with your token
```
Put all the issuer files in an issuers folder and apply them all:

```shell
kubectl apply -f issuers/
```
Let's create a wildcard certificate:

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: your-domain
  namespace: default
spec:
  secretName: your-domain-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "*.your.domain"
  dnsNames:
    - "your.domain"
    - "*.your.domain"
```

Give it a unique name and set the secretName (the Secret that will hold the issued key and certificate). The commonName is the wildcard name, and dnsNames lists the parent domain together with the wildcard. Wildcard names can only be validated with the DNS-01 challenge, which is why the issuers above use the Cloudflare DNS solver.
Add all certificate files to a certs folder and apply them all:

```shell
kubectl apply -f certs/
```
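Before applying, it is worth checking the manifests for the mistakes that most often break this flow. The following pre-flight check is an added example, not code from the original post: it takes the manifests as plain Python dicts (constructed samples in the same shape as the YAML above) and verifies that the issuer's token Secret sits in the cert-manager namespace, that no dnsZones entry is empty, and that every dnsName of the Certificate falls inside a zone its issuer can solve.

```python
# Added example, not part of the original post: a pre-flight check over the
# manifests described above, run before `kubectl apply -f issuers/ certs/`.
# Manifests are plain dicts (constructed samples, same shape as the YAML above).

def zone_covers(zone, name):
    """True if `name` (optionally a *. wildcard) lies inside DNS zone `zone`."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == zone or bare.endswith("." + zone)

def preflight(manifests, cluster_resource_ns="cert-manager"):
    """Return the problems that would make the DNS-01 flow fail."""
    issues, zones = [], {}
    secrets = {(m["metadata"].get("namespace"), m["metadata"]["name"])
               for m in manifests if m["kind"] == "Secret"}
    for iss in (m for m in manifests if m["kind"] == "ClusterIssuer"):
        name = iss["metadata"]["name"]
        if "namespace" in iss["metadata"]:  # cluster-scoped: the field is ignored
            issues.append(f"{name}: ClusterIssuer has a metadata.namespace (ignored)")
        for solver in iss["spec"]["acme"].get("solvers", []):
            ref = solver.get("dns01", {}).get("cloudflare", {}).get("apiTokenSecretRef")
            # a ClusterIssuer reads secrets only from the cluster resource namespace
            if ref and (cluster_resource_ns, ref["name"]) not in secrets:
                issues.append(f"{name}: secret {ref['name']} not in {cluster_resource_ns}")
            dns_zones = solver.get("selector", {}).get("dnsZones", [])
            if any(not z for z in dns_zones):
                issues.append(f"{name}: empty dnsZones entry matches nothing")
            zones.setdefault(name, []).extend(z for z in dns_zones if z)
    for cert in (m for m in manifests if m["kind"] == "Certificate"):
        cname, ref = cert["metadata"]["name"], cert["spec"]["issuerRef"]["name"]
        if ref not in zones:
            issues.append(f"{cname}: issuerRef {ref} is not a ClusterIssuer in this set")
            continue
        names, cn = cert["spec"].get("dnsNames", []), cert["spec"].get("commonName")
        if cn and cn not in names:
            issues.append(f"{cname}: commonName {cn} missing from dnsNames")
        issues += [f"{cname}: no solver dnsZone covers {n}" for n in names
                   if not any(zone_covers(z, n) for z in zones[ref])]
    return issues

# Constructed sample: the production issuer, its token secret and the wildcard cert.
GOOD = [
    {"kind": "Secret", "metadata": {"name": "cloudflare-api-token-secret", "namespace": "cert-manager"}},
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-production"}, "spec": {"acme": {"solvers": [
        {"dns01": {"cloudflare": {"apiTokenSecretRef": {"name": "cloudflare-api-token-secret", "key": "api-token"}}},
         "selector": {"dnsZones": ["your-domain.com"]}}]}}},
    {"kind": "Certificate", "metadata": {"name": "your-domain", "namespace": "default"},
     "spec": {"issuerRef": {"name": "letsencrypt-production", "kind": "ClusterIssuer"},
              "commonName": "*.your-domain.com", "dnsNames": ["your-domain.com", "*.your-domain.com"]}},
]
print(preflight(GOOD) or "no problems found")  # → no problems found
```

Load your real issuers/ and certs/ files with a YAML parser into the same list and the same checks apply.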
Check that the certificate was issued and, if it was not, inspect the challenges and the cert-manager logs:

```shell
kubectl get certificates
kubectl get clusterissuers
kubectl get challenges
kubectl get all -n cert-manager
kubectl -n cert-manager logs <pod-name>
```