Version: 0.4.0-beta

Cert Manager Tutorials

Installation

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml

Optionally, install cmctl:

mkdir bin
wget https://github.com/cert-manager/cmctl/releases/download/v2.3.0/cmctl_linux_amd64
mv cmctl_linux_amd64 bin/cmctl
chmod u+x bin/cmctl
./bin/cmctl check api

Cert Manager and Cluster Wizard

Cert Manager Managed Certificates for Cluster Wizard

  1. Create a Cert-Manager Issuer for generating self-signed certificate authorities by applying cluster-wizard-issuer.yaml:
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cluster-wizard-issuer
  namespace: cluster-wizard
spec:
  selfSigned: {}

kubectl apply -f cluster-wizard-issuer.yaml
  1. Create Client CA, client-ca.yaml:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client-ca
  namespace: cluster-wizard
spec:
  isCA: true
  commonName: CORESPEQ INC
  secretName: client-ca
  privateKey:
    algorithm: RSA
    encoding: PKCS8
    size: 2048
  duration: 87600h
  issuerRef:
    name: cluster-wizard-issuer
    kind: Issuer

kubectl apply -f client-ca.yaml
  1. Create Server CA, server-ca.yaml:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: server-ca
  namespace: cluster-wizard
spec:
  isCA: true
  commonName: CORESPEQ INC
  secretName: server-ca
  privateKey:
    algorithm: ECDSA
    size: 521
  duration: 87600h
  issuerRef:
    name: cluster-wizard-issuer
    kind: Issuer

kubectl apply -f server-ca.yaml
  1. Create a Cert Manager Issuer that uses the Server CA for signing, issuer-with-server-ca.yaml:
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer-with-server-ca
  namespace: cluster-wizard
spec:
  ca:
    secretName: server-ca

kubectl apply -f issuer-with-server-ca.yaml
  1. Create Certificate used by Cluster-Wizard, cluster-wizard-cert.yaml:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cluster-wizard-cert
  namespace: cluster-wizard
spec:
  dnsNames:
    - cluster-wizard
  secretName: cluster-wizard-cert
  issuerRef:
    name: issuer-with-server-ca
    kind: Issuer
  subject:
    organizations:
      - CORESPEQ INC
    organizationalUnits:
      - Cluster Wizard Team

Note:

The dnsNames specified in cluster-wizard-cert.yaml must be resolvable by the Wizard-Client through a DNS service. If DNS is not an option, consider using ipAddresses instead of dnsNames.

...
spec:
  ipAddresses:
    - 192.168.100.100
...

kubectl apply -f cluster-wizard-cert.yaml
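
To confirm the result of the steps above, the following added example (not part of the original tutorial) checks that an issued certificate chains to the Server CA and that its SAN covers the name or IP the Wizard-Client will connect to. The function names secret_pem, check_leaf and make_demo_pki are hypothetical. It assumes kubectl, openssl and base64 are installed, and the demo PKI is constructed locally so the checks also run without a cluster.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Checks that an issued leaf chains
# to the expected CA and that its SAN covers the name or IP the client dials.

# Print one key (ca.crt or tls.crt) of a cert-manager Secret as PEM.
secret_pem() {  # usage: secret_pem <namespace> <secret> <key>
  kubectl -n "$1" get secret "$2" -o go-template="{{index .data \"$3\"}}" | base64 -d
}

# usage: check_leaf <ca.pem> <leaf.pem> dns|ip <value>
check_leaf() {
  local flag
  case "$3" in
    dns) flag=-checkhost ;;
    ip)  flag=-checkip ;;
    *)   echo "kind must be dns or ip" >&2; return 2 ;;
  esac
  # Chain check first: a leaf signed by a different CA (e.g. client-ca) stops here.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # Read the verdict from the text openssl prints ("does match" / "does NOT match").
  case "$(openssl x509 -in "$2" -noout "$flag" "$4")" in
    *"does match"*) echo "ok" ;;
    *) echo "san: FAIL"; return 1 ;;
  esac
}

# Constructed sample input: a throwaway P-521 CA and a leaf whose only SAN is
# DNS:cluster-wizard, standing in for the server-ca and cluster-wizard-cert Secrets.
make_demo_pki() {  # usage: make_demo_pki <dir>
  openssl ecparam -name secp521r1 -genkey -noout -out "$1/ca.key" &&
  openssl req -x509 -new -key "$1/ca.key" -subj "/CN=CORESPEQ INC" -days 1 \
    -out "$1/ca.crt" 2>/dev/null &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/tls.key" &&
  openssl req -new -key "$1/tls.key" -subj "/O=CORESPEQ INC/OU=Cluster Wizard Team" \
    -out "$1/tls.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:cluster-wizard\n' > "$1/san.ext" &&
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/tls.crt" 2>/dev/null
}

# Offline demo on the constructed PKI. Against the cluster, use instead:
#   secret_pem cluster-wizard cluster-wizard-cert ca.crt  > ca.pem
#   secret_pem cluster-wizard cluster-wizard-cert tls.crt > leaf.pem
#   check_leaf ca.pem leaf.pem dns cluster-wizard
demo=$(mktemp -d) && make_demo_pki "$demo"
check_leaf "$demo/ca.crt" "$demo/tls.crt" dns cluster-wizard
check_leaf "$demo/ca.crt" "$demo/tls.crt" ip 192.168.100.100 || true
```

A "san: FAIL" for the address the client uses means the Certificate needs that entry under dnsNames or ipAddresses before the client can validate the server.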