Skip to main content

Install cert-manager for Kubernetes

Learn how to install cert-manager using the glasskube package manager.

Prerequisites

  • Kubernetes cluster (You can easily create a local cluster by using Minikube)
  • kubectl is strictly speaking no dependency for installing packages via glasskube, but it is the recommended way to interact with the cluster. Therefore, it is highly recommended. Installation instructions are available for macOS, Linux and Windows.

About cert-manager



info

Cert-Manager is a widely used tool for managing certificates, specifically made for Kubernetes. It simplifies the process of getting, renewing, and using SSL/TLS certificates. Cert-Manager can interact with different certificate authorities (Issuer) such as Let's Encrypt, and it can automatically issue valid certificates. Additionally, it can handle the automatic renewal of certificates before they expire.

These certificates can then be used by various applications like ingress controllers or deployments.

Installation

Installing cert-manager can easily be achieved with the Glasskube package manager.

Install Glasskube

If you already installed glasskube you can skip this step. If not, glasskube can easily be installed the way you usually install packages for your operating system.

On macOS, you can use Homebrew to install and update Glasskube.

brew install glasskube/tap/glasskube

After installing Glasskube on your local machine, make sure to install the necessary components in your Kubernetes cluster by running glasskube bootstrap. For more information, check out our bootstrap guide.

Install cert-manager

Start the UI via the command line:

glasskube serve

Install cert-manager via the Glasskube UI.

Configuring cert-manager

Before cert-manager can issue certificates an Issuer or (ClusterIssuer) needs to be created so cert-manager knows which certificate authority (CA) should sign the public key of the certificate.

In this example we showcase the use of the production acme server. Fore testing purposes letsencrypt recommend the staging environment which has higher rate limits, than the production server.

cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
namespace: cert-manager
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: you@yourcorp.com # you will receive expiration warnings via this email
privateKeySecretRef:
name: letsencrypt
solvers:
- http01:
ingress:
class: nginx # requires ingress-nginx controller

The ClusterIssuer must be created as a Kubernetes custom resource. This can easily be achieved via kubectl apply:

kubectl apply -f cluster-issuer.yaml

cert-manager creates an Ingress to validate the ACME challenge, if no Ingress controller is already installed in the cluster the ingress-nginx controller can easily be installed with Glasskube.

Further links about cert-manager: