Cert-Manager Automatic Certificate Management

Introduction

In the previous article, Traefik was shown to provide automated HTTPS using Let's Encrypt. However, when Let's Encrypt is enabled in Traefik, it needs a PVC to store the certificates it creates, and that PVC dependency also prevents it from scaling to multiple replicas. We therefore need a more robust HTTPS solution, which is where Cert-Manager comes in.

Principle Introduction

Cert-Manager supports several ways of obtaining certificates: self-signed, CA root certificate, Vault, Venafi, external import and ACME. Since we want automated HTTPS, the principle is the same as in the previous article: use ACME to obtain Let's Encrypt certificates automatically.

CertManager Terminology

Issuer

The Issuer is responsible for issuing certificates, and it is a namespaced resource: it can only issue certificates within its own namespace. To issue certificates for the entire cluster, a ClusterIssuer is required.

Certificate

A Certificate represents a certificate to be obtained and must reference an Issuer (or ClusterIssuer) that will issue it. The Certificate names a Secret in the same namespace (created automatically if it does not exist) in which the X.509 certificate is stored. There is no need to worry about certificate storage: the certificate and its private key are kept the native Kubernetes way, as sensitive data in a Secret.

CertificateRequest

A CertificateRequest records a single request to an Issuer for a certificate. In general there is no need to create one manually; its main use is that the outcome of a certificate application can be determined by observing the status of the CertificateRequest.

Install Traefik

For Traefik installation, please refer to the article Traefik Automatic Https.

Install Cert-Manager

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.11.0 \
  --set installCRDs=true

Create ClusterIssuer

Both Issuer and ClusterIssuer issue certificates; they differ only in scope, one namespace versus the whole cluster. Here, for convenience, we will directly create a ClusterIssuer.

We will use the ACME method, which allows for automatic certificate issuance.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: acme
spec:
  acme:
    email: <your-email-address>  # Let's Encrypt sends expiry and account notices here
    preferredChain: ""
    privateKeySecretRef:
      name: acme-cert-key  # Secret holding the ACME account private key; created by cert-manager
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              # Secret containing the Cloudflare API token (key "api-token").
              # Because this is a ClusterIssuer, the Secret must live in the cert-manager namespace.
              key: api-token
              name: cf-nsl-xyz-api-token

Issue Certificates for Ingress/IngressRoutes/GatewayAPI

Cert-Manager already integrates with Ingress and the Gateway API, so for those resources we only need to add an annotation, as shown below:

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: nameOfClusterIssuer
  name: myIngress
  namespace: myIngress
spec:
  rules:
    - host: example.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: myservice
                port:
                  number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
    - hosts:
        - example.com
      secretName: myingress-cert # < cert-manager will store the created certificate in this secret.

Gateway

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: example
  annotations:
    cert-manager.io/issuer: foo
spec:
  gatewayClassName: foo
  listeners:
    - name: http
      hostname: example.com
      port: 443
      protocol: HTTPS
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          - name: example-com-tls

For a Traefik IngressRoute there is no such annotation, so we need to create a Certificate manually and point the IngressRoute at the Secret it produces, as shown below:

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example
spec:
  entryPoints: # We listen to requests coming from ports 80 and 443
    - web
    - websecure
  routes:
    - match: Host(`example.domain.com`)
      kind: Rule
      services:
        - name: example # Requests will be forwarded to this service
          port: 80
  tls:
    secretName: example-cert

Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert  # must be in the same namespace as the IngressRoute
spec:
  dnsNames:
    - example.domain.com  # must cover the Host() used in the IngressRoute
  secretName: example-cert  # must match spec.tls.secretName of the IngressRoute
  issuerRef:
    name: acme
    kind: ClusterIssuer
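Because the IngressRoute and the Certificate are linked only by hand (secretName on both sides, and a Host() that must appear in dnsNames), a typo leaves Traefik serving its default certificate instead of the Let's Encrypt one. The following consistency check is an added example, not code from the original post or from cert-manager/Traefik; the manifests are the post's own IngressRoute and Certificate transcribed into Python dicts (constructed input), and the function names are my own.

```python
import re

# Traefik Host() matcher, e.g. Host(`example.domain.com`)
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

def hosts_from_ingressroute(route):
    """Collect every hostname named in the IngressRoute's Host() matchers."""
    hosts = set()
    for rule in route["spec"].get("routes", []):
        hosts.update(HOST_RE.findall(rule.get("match", "")))
    return hosts

def dns_name_covers(dns_name, host):
    """True if a certificate dnsName covers host; '*.' matches exactly one label."""
    if dns_name == host:
        return True
    if dns_name.startswith("*."):
        suffix = dns_name[1:]                      # ".domain.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False

def check_ingressroute(route, certificates):
    """Return a list of problems; an empty list means the route and Certificate agree."""
    ns = route["metadata"].get("namespace", "default")
    secret = route["spec"].get("tls", {}).get("secretName")
    if not secret:
        return ["spec.tls.secretName is missing: Traefik falls back to its default certificate"]
    # The Certificate must write the same Secret name in the same namespace as the route.
    cert = next((c for c in certificates
                 if c["metadata"].get("namespace", "default") == ns
                 and c["spec"].get("secretName") == secret), None)
    if cert is None:
        return [f"no Certificate in namespace '{ns}' writes Secret '{secret}'"]
    names = cert["spec"].get("dnsNames", [])
    return [f"host '{h}' is not covered by dnsNames {names} of Certificate '{cert['metadata']['name']}'"
            for h in sorted(hosts_from_ingressroute(route))
            if not any(dns_name_covers(n, h) for n in names)]

# Constructed sample input: the post's IngressRoute and Certificate as dicts
INGRESSROUTE = {"metadata": {"name": "example"},
                "spec": {"entryPoints": ["web", "websecure"],
                         "routes": [{"match": "Host(`example.domain.com`)", "kind": "Rule",
                                     "services": [{"name": "example", "port": 80}]}],
                         "tls": {"secretName": "example-cert"}}}
CERTIFICATE = {"metadata": {"name": "example-cert"},
               "spec": {"dnsNames": ["example.domain.com"], "secretName": "example-cert",
                        "issuerRef": {"name": "acme", "kind": "ClusterIssuer"}}}

if __name__ == "__main__":
    print(check_ingressroute(INGRESSROUTE, [CERTIFICATE]) or "ok")
```

Feeding it the output of `kubectl get ingressroute,certificate -o json` (converted to dicts) turns this into a quick pre-deploy lint for every route in a namespace.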