How to install Certificate Manager Controller in K8s

cert-manager logo
Reading Time: 4 minutes

It’s time to stop worrying about the blockers related to K8s Certificate and to come up with an approach that takes care of the process of issuing public key certificates from multiple sources, making sure that they are valid, up-to-date, and also to renew them before their expiration.

Why do we need certificates? And what is Kubernetes Certificate Manager? When we create a domain name and try to access it from either an internal or external network, the device used to perform the call would require to check its validity. For that, the domain name should have a certificate that is issued and trusted to operate securely. And this certificate comes with an expiration date. Here is where the cert-manager helps and ensures that the certificates are valid, up to date and it renews certificates at a configured time before expiry. It does this from a variety of sources such as Let’s Encrypt, a simple signing key pair, or self-signed. So it looks after the state of certificates on a specific cluster, issues new ones, or requests to renew existing ones.

Cert-manager

SETUP:

Create a cert-manager namespace : kubectl create namespace cert-manager
Add the Helm repository hosting the cert-manager charts metadata : helm repo add jetstack https://charts.jetstack.io
Update local Helm Chart repository cache : helm repo update
Search for the latest jetstack/cert-manager officiall Helm chart version : helm search repo cert-manager ## jetstack/cert-manager v1.8.0
Install the latest cert-manager Helm chart : helm upgrade --install cert-manager --namespace cert-manager --version v1.8.0 jetstack/cert-manager --set installCRDs=true
Verify installation

To issue certificate across all namespaces we have added the ClusterIssuer as non-namespaced. Here ‘false’ represents the same.

Self Signed

What do we mean when we say self-signed certificate and When is it feasible to use self-signed certificates? Self-signed issuer does not represent a certificate authority. But instead denotes certificates that will be signed through “self-signing” using a given private key. Since they operate through Private Key and since there is no CA signer apart from itself, clients are forced to trust the certificates as it is. Services exposed outside the kubernetes cluster and deployed to our local Kubernetes cluster uses it.

Create a certificate ClusterIssuer

Here as you can see we have created a ClusterIssuer YAML file. We could have also used an Issuer kind, but the Issuer issues certificates for the namespace it is created on, while a ClusterIssuer can create certificates for any namespace.

As you can see the status of our clusterIssuer is Ready now.

Now let us create the certificate.

Verify the status of the certificate and of secret. And as you can see we have our secret attached to the certificate.

Secret

Let’s export the K8s secret file to the machine as sometimes there is a need to use the secret values from outside the cluster. As in the case of a self-signed certificates, we might have to import the cert_file as a trusted certificate on the machine/laptop.

Create a local destination folder : mkdir -p $HOME/temp/traefik/cert-secrets
Export Domain name and Namespace : export MY_DOMAIN=<DOMAIN_NAME> , export MY_NAMESPACE=<NAMESPACE>

Export the certificate secrets :
cert_file
kubectl get secret ${MY_DOMAIN}-com-cert-secret --namespace ${MY_NAMESPACE} -o jsonpath='{.data.tls.crt}' | base64 -d $HOME/temp/${MY_NAMESPACE}/cert-secrets/cert_file.crt
key_file
kubectl get secret ${MY_DOMAIN}-com-cert-secret --namespace ${MY_NAMESPACE} -o jsonpath='{.data.tls.key}' | base64 -d $HOME/temp/${MY_NAMESPACE}/cert-secrets/key_file.key
ca_file
kubectl get secret ${MY_DOMAIN}-com-cert-secret --namespace ${MY_NAMESPACE} -o jsonpath='{.data.ca.crt}' | base64 -d $HOME/temp/${MY_NAMESPACE}/cert-secrets/ca_file.crt

Trust

Since we have used a Self-Signed certificate, there might occur a trust issue, the web browser might warn us of an invalid certificate authority or invalid certificate. To overcome such an issue we have to tell our client/laptop to trust it.

Click on the three dots on the top left of your browser. Then on Settings. Click Security&privacy, in Security navigate to Manage Certificate, then Authorities. Click Import and choose the file that we created. And in this way, it will be trusted.

SUMMARY

In this blog, we have gone through how to create certificates, what is cert-manager and how it manages certificate states for us.

Reference:

Link on how to install Traefik Ingress Contoller: https://blog.knoldus.com/how-to-install-traefik-ingress-controller-in-kubernetes

Link on how to install cert-manager and configure lets-encrypt: https://www.howtogeek.com/devops/how-to-install-kubernetes-cert-manager-and-configure-lets-encrypt/

Written by 

I am a person who is positive about every aspect of life. I am determined, hardworking and I enjoy facing challenges.