{"id":2089,"date":"2022-02-09T06:57:04","date_gmt":"2022-02-09T06:57:04","guid":{"rendered":"https:\/\/blog.samarthya.me\/wps\/?p=2089"},"modified":"2022-02-15T15:53:06","modified_gmt":"2022-02-15T15:53:06","slug":"cert-manager-tls-for-ingress","status":"publish","type":"post","link":"https:\/\/blog.samarthya.me\/wps\/2022\/02\/09\/cert-manager-tls-for-ingress\/","title":{"rendered":"Cert-Manager: TLS for ingress"},"content":{"rendered":"\n

A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources.<\/p>\n\n\n\n

cert-manager<\/code> adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.<\/p><\/blockquote><\/figure>\n\n\n\n

Installation<\/h2>\n\n\n\n

The easiest way is to use helm charts.<\/p>\n\n\n\n

helm repo add jetstack https:\/\/charts.jetstack.io<\/code><\/pre>\n\n\n\n
root@master>helm repo list\nNAME                    URL                                                                                         \nstable                  https:\/\/charts.helm.sh\/stable                                                                                                        \njetstack                https:\/\/charts.jetstack.io  <\/code><\/pre>\n\n\n\n
helm install cert-manager jetstack\/cert-manager \\\n  --namespace cert-manager \\\n  --create-namespace \\\n  --version v1.7.1 \\\n  --set prometheus.enabled=false \\\n  --set webhook.timeoutSeconds=4 \\\n  --set installCRDs=true<\/code><\/pre>\n\n\n\n
Once deployed you can see the k8s objects deployed<\/p>\n\n\n\n
root@master>k get all -n cert-manager<\/code><\/pre>\n\n\n\n
NAME                                           READY   STATUS    RESTARTS   AGE\npod\/cert-manager-86f4f985d6-ntgtf              1\/1     Running   0          7d23h\npod\/cert-manager-cainjector-56bc5f744c-tdhx6   1\/1     Running   0          7d23h\npod\/cert-manager-webhook-997b5dd88-4jbmf       1\/1     Running   0          7d23h\n\nNAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE\nservice\/cert-manager           ClusterIP   10.100.35.73   <none>        9402\/TCP   67d\nservice\/cert-manager-webhook   ClusterIP   10.96.67.112   <none>        443\/TCP    67d\n\nNAME                                      READY   UP-TO-DATE   AVAILABLE   AGE\ndeployment.apps\/cert-manager              1\/1     1            1           67d\ndeployment.apps\/cert-manager-cainjector   1\/1     1            1           67d\ndeployment.apps\/cert-manager-webhook      1\/1     1            1           67d\n\nNAME                                                 DESIRED   CURRENT   READY   AGE\nreplicaset.apps\/cert-manager-57d89b9548              0         0         0       67d\nreplicaset.apps\/cert-manager-86f4f985d6              1         1         1       7d23h\nreplicaset.apps\/cert-manager-cainjector-56bc5f744c   1         1         1       7d23h\nreplicaset.apps\/cert-manager-cainjector-5bcf77b697   0         0         0       67d\nreplicaset.apps\/cert-manager-webhook-997b5dd88       1         1         1       7d23h\nreplicaset.apps\/cert-manager-webhook-9cb88bd6d       0         0         0       67d<\/code><\/pre>\n\n\n\n
Example<\/h2>\n\n\n\n
>kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges -A<\/code><\/pre>\n\n\n\n
Issuers<\/h3>\n\n\n\n
NAMESPACE           NAME                                          READY   AGE\ncert-manager-test   issuer.cert-manager.io\/test-selfsigned        True    7d21h\njenkins             issuer.cert-manager.io\/jenkins-selfsigned     True    6d18h\nspinnaker           issuer.cert-manager.io\/spinnaker-selfsigned   True    7d21h<\/code><\/pre>\n\n\n\n
NAMESPACE           NAME                                            READY   SECRET                AGE\ncert-manager-test   certificate.cert-manager.io\/selfsigned-cert     True    selfsigned-cert-tls   7d21h\njenkins             certificate.cert-manager.io\/jenkinsdevops.com   True    jenkinsdevops.com     6d18h\nspinnaker           certificate.cert-manager.io\/devops.com          True    devops.com            7d19h\nspinnaker           certificate.cert-manager.io\/selfsigned-cert     True    devops.com            7d21h<\/code><\/pre>\n\n\n\n
NAMESPACE           NAME                                                         APPROVED   DENIED   READY   ISSUER                 REQUESTOR                                         AGE
cert-manager-test   certificaterequest.cert-manager.io\/selfsigned-cert-hnd85     True                True    test-selfsigned        system:serviceaccount:cert-manager:cert-manager   7d21h
jenkins             certificaterequest.cert-manager.io\/jenkinsdevops.com-75hdn   True                True    jenkins-selfsigned     system:serviceaccount:cert-manager:cert-manager   6d18h
spinnaker           certificaterequest.cert-manager.io\/devops.com-g6b2m          True                True    spinnaker-selfsigned   system:serviceaccount:cert-manager:cert-manager   5d22h
spinnaker           certificaterequest.cert-manager.io\/devops.com-rz6db          True                True    spinnaker-selfsigned   system:serviceaccount:cert-manager:cert-manager   5d23h
spinnaker           certificaterequest.cert-manager.io\/devops.com-wzs4h          True                True    spinnaker-selfsigned   system:serviceaccount:cert-manager:cert-manager   5d22h
spinnaker           certificaterequest.cert-manager.io\/selfsigned-cert-mfggn     True                True    spinnaker-selfsigned   system:serviceaccount:cert-manager:cert-manager   7d21h<\/code><\/pre>\n\n\n\n
After Installation, Configure<\/h2>\n\n\n\n
The first thing you\u2019ll need to configure after you\u2019ve installed cert-manager is an issuer which you can then use to issue certificates.<\/p>\n\n\n\n
Before you begin<\/h3>\n\n\n\n
Issuers<\/code> & ClusterIssuer<\/code><\/h4>\n\n\n\n
Issuers<\/code>, and ClusterIssuers<\/code>, are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests.<\/p>\n\n\n\n
Example – Issuer<\/h4>\n\n\n\n
apiVersion: cert-manager.io\/v1\nkind: Issuer\nmetadata:\n  name: jenkins-selfsigned\n  namespace: jenkins\nspec:\n  selfSigned: {}<\/code><\/pre>\n\n\n\n
Example – ClusterIssuer<\/h4>\n\n\n\n
apiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: selfsigned-cluster-issuer\nspec:\n  selfSigned: {}<\/code><\/pre>\n\n\n\n
An Issuer<\/code> is a namespaced resource, and it is not possible to issue certificates from an Issuer<\/code> in a different namespace. <\/p><\/blockquote><\/figure>\n\n\n\n
If you want to create a single Issuer<\/code> that can be consumed in multiple namespaces, you should consider creating a ClusterIssuer<\/code> resource. <\/p>\n\n\n\n
Certificate<\/h4>\n\n\n\n
Certificate<\/code> is a namespaced resource that references an Issuer<\/code> or ClusterIssuer<\/code> that determine what will be honoring the certificate request.<\/p>\n\n\n\n
When a Certificate<\/code> is created, a corresponding CertificateRequest<\/code> resource is created by cert-manager containing the encoded X.509 certificate request, Issuer<\/code> reference, and other options based upon the specification of the Certificate<\/code> resource.<\/p>\n\n\n\n
Securing Ingress<\/h2>\n\n\n\n
As I conclude the blog, let me use the deployed cert-manager to secure the TLS deployment for my spinnaker instance.<\/p>\n\n\n\n
Supported Annotations in Ingress: https:\/\/cert-manager.io\/docs\/usage\/ingress\/#supported-annotations<\/a><\/p>\n\n\n\n
In our example we will use mostly<\/p>\n\n\n\n