Create a Certificate with `cert-manager` in Kubernetes

j3ffyang
2 min read · Dec 24, 2022


We're going to create a cross-namespace certificate using a cert-manager `ClusterIssuer`. cert-manager handles all the operations required to obtain, renew and use TLS certificates. It can talk to various certificate authorities (CAs), such as Let's Encrypt, HashiCorp Vault and Venafi, issue valid certificates for you automatically, and renew them before they expire. In this short document I cover a `self-signed` CA: the issuer signs with a private key you generate yourself, so the certificates it issues are trusted only by clients that have been given that CA certificate.

tl;dr

Pre-requisite

  • A running Kubernetes cluster
  • cert-manager has been installed

Create a pair of certificate and key

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout YOURDOMAIN.key -out YOURDOMAIN.crt

Create a `secret` for `tls`

kubectl -n cert-manager create secret tls YOURDOMAIN-tls \
  --key YOURDOMAIN.key --cert YOURDOMAIN.crt

Create a cross-namespace `clusterIssuer`

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: YOURDOMAIN-clusterissuer
spec:
  ca:
    secretName: YOURDOMAIN-tls

Verify your `clusterIssuer`

kubectl get clusterissuers.cert-manager.io YOURDOMAIN-clusterissuer -o wide
NAME                       READY   STATUS                AGE
YOURDOMAIN-clusterissuer   True    Signing CA verified   12s

Certificate usage in `ingress`

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: YOURAPP-ingress
  namespace: YOURNAMESPACE
  annotations:
    cert-manager.io/cluster-issuer: YOURDOMAIN-clusterissuer
spec:
  ingressClassName: kong
  rules:
  - host: YOURAPP.YOURDOMAIN.lab
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: YOURAPP
            port:
              number: 80
  tls:
  - hosts:
    - YOURAPP.YOURDOMAIN.lab
    secretName: YOURDOMAIN-certificate

Use `jq` to check expiration

kubectl -n YOURNAMESPACE get certificate YOURDOMAIN-certificate -o jsonpath='{.status}' | jq .

cert-manager creates the `Certificate` resource in the Ingress's namespace, named after the `secretName` in the `tls` block. You should see output similar to the following:

{
  "conditions": [
    {
      "lastTransitionTime": "2022-12-24T07:09:43Z",
      "message": "Certificate is up to date and has not expired",
      "observedGeneration": 1,
      "reason": "Ready",
      "status": "True",
      "type": "Ready"
    }
  ],
  "notAfter": "2023-12-24T07:09:43Z",
  "notBefore": "2022-12-24T07:09:43Z",
  "renewalTime": "2023-09-23T07:09:43Z",
  "revision": 1
}
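As an added example (not part of the original post), here is a small Python check that consumes the same `.status` document shown above, so it can be piped from `kubectl ... -o jsonpath='{.status}'` into a monitoring job. The embedded sample is constructed to mirror the output above, and the 30-day warning threshold is an assumed default.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the `.status` block printed above.
SAMPLE_STATUS = """{
  "conditions": [
    {"lastTransitionTime": "2022-12-24T07:09:43Z",
     "message": "Certificate is up to date and has not expired",
     "observedGeneration": 1, "reason": "Ready", "status": "True", "type": "Ready"}
  ],
  "notAfter": "2023-12-24T07:09:43Z",
  "notBefore": "2022-12-24T07:09:43Z",
  "renewalTime": "2023-09-23T07:09:43Z",
  "revision": 1
}"""

def parse_ts(value):
    """Parse cert-manager's RFC 3339 timestamps (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_certificate_status(status_json, now, warn_days=30):
    """Evaluate a Certificate .status document (JSON string or dict).

    Returns the Ready condition, days left until notAfter, and a list of
    findings a monitoring job should alert on.
    """
    status = json.loads(status_json) if isinstance(status_json, str) else status_json
    findings = []
    ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                for c in status.get("conditions", []))
    if not ready:
        findings.append("certificate is not Ready (not issued or failed)")
    not_after = status.get("notAfter")
    if not_after is None:
        findings.append("no notAfter: certificate has never been issued")
        return {"ready": ready, "days_left": None, "findings": findings}
    days_left = (parse_ts(not_after) - now) / timedelta(days=1)
    if days_left <= 0:
        findings.append("certificate has EXPIRED")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left:.1f} days")
    renewal = status.get("renewalTime")
    if renewal and now > parse_ts(renewal) and days_left > 0:
        findings.append("renewalTime has passed but no new revision was issued")
    return {"ready": ready, "days_left": days_left, "findings": findings}

if __name__ == "__main__":
    result = check_certificate_status(SAMPLE_STATUS, datetime.now(timezone.utc))
    print(json.dumps(result, indent=2))
```

An overdue `renewalTime` with an unchanged `revision` usually means the issuer can no longer sign, for example because the CA secret was deleted or rotated.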

Examine `tls` `secrets` for all namespaces

kubectl get secrets --field-selector type=kubernetes.io/tls --all-namespaces

Extract `tls.crt` and `tls.key`

Note that `tls.key` in this secret is the CA's private key: anyone who can read the secret in the `cert-manager` namespace can issue certificates that your workloads trust, so restrict access to it with RBAC.

kubectl -n cert-manager get secret YOURDOMAIN-tls -o json | jq -r '.data."tls.crt"' | base64 -d
kubectl -n cert-manager get secret YOURDOMAIN-tls -o json | jq -r '.data."tls.key"' | base64 -d

Enjoy :-)

j3ffyang

ardent linux user, opensource, kubernetes containerization, blockchain, data security. handler of @analyticsource and @j3ffyang