3.3. Cert manager

Rafał Lorenz edited this page Jun 12, 2020 · 12 revisions

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing keypair, or self-signed.

It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.

Install resources

cert-manager runs within your Kubernetes cluster as a series of deployment resources. It utilises CustomResourceDefinitions to configure Certificate Authorities and request certificates.

Upgrading with Helm

If you installed cert-manager using Helm, you can easily upgrade using the Helm CLI.

Note: Before upgrading, please read the relevant instructions at the links below for the version you are upgrading from and the version you are upgrading to.

Once you have read the relevant upgrading notes and taken any appropriate actions, you can begin the upgrade process as follows, replacing <release_name> with the name of your Helm release for cert-manager (usually this is cert-manager) and replacing <version> with the version number you want to install:

Install CRDs

If you have installed the CRDs manually instead of with the --set installCRDs=true option added to your Helm install command, you should upgrade your CRD resources before upgrading the Helm chart:

# Kubernetes 1.15+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml

# Kubernetes <1.15
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager-legacy.crds.yaml

Install cert manager

By default, cert-manager will be installed with the other resources in the go-api-boilerplate namespace.

Add external charts repository

For this to work, you have to add the Jetstack Helm repository:

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update

Turn off

If you already have cert-manager installed, it can be disabled by setting the enabled value to false.

cert-manager:
+  enabled: false
  ingressShim:
    defaultIssuerName: letsencrypt
    defaultIssuerKind: Issuer
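
Review bot: the ingressShim context lines under "+  enabled: false" still name a letsencrypt Issuer as the default, while the Let's Encrypt Issuer section says the default issuer was set to self-signed. Please state which issuer name applies when an already installed cert-manager is used, and name the values file this change belongs in, since the snippet does not say.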

Let's Encrypt Issuer

The default issuer was set to self-signed due to a Let's Encrypt request (https://github.com/vardius/go-api-boilerplate/issues/18). To enable the Let's Encrypt Issuer, please revert the changes made here. Please also remember to set the correct domain and email.
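
For orientation, this is roughly what a Let's Encrypt Issuer and a Certificate that uses it look like for the cert-manager v0.15 CRDs installed above. It is an added example, not the manifest shipped in this repository; the email, domain, secret names and the nginx ingress class are placeholder assumptions, while the Issuer name and namespace follow the values shown on this page.

```yaml
# Added example, not the project's own manifest.
# Placeholders (assumptions): email, dnsNames, secret names, ingress class.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt               # matches ingressShim.defaultIssuerName above
  namespace: go-api-boilerplate
spec:
  acme:
    # Start against the staging endpoint; it issues untrusted test
    # certificates and has far more generous rate limits. Switch to
    # https://acme-v02.api.letsencrypt.org/directory once issuance works.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com      # expiry and account notices go here
    privateKeySecretRef:
      name: letsencrypt-account-key   # Secret holding the ACME account key
    solvers:
    - http01:
        ingress:
          class: nginx            # assumed ingress controller class
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: api-tls
  namespace: go-api-boilerplate
spec:
  secretName: api-tls             # Secret the signed key pair is written to
  dnsNames:
  - api.example.com               # must resolve publicly to your ingress
  issuerRef:
    name: letsencrypt
    kind: Issuer                  # namespaced; must be in the same namespace
```

The ACME account key Secret and the issued TLS Secret both contain private keys, so read access to Secrets in this namespace should be limited accordingly.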