Close
    logo                                         

    k8s-cert-manager

    x509 Certificate management for Kubernetes

    Template version:v24-04-20

    Helm charts used:jetstack/cert-manager v1.14.4

    This template contains the configuration files needed to run cert-manager in a Kubernetes cluster.

    cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.

    Warning: You should not install multiple instances of cert-manager on a single cluster. This will lead to undefined behavior and you may be banned from providers such as Let’s Encrypt.

    Template override parameters

    File _values-tpl.yaml contains template configuration parameters and their default values:

    #
    #   _values-tpl.yaml
    #
    #   cskygen template default values file
    #
    _tplname: k8s-cert-manager
    _tpldescription: x509 certificate management for Kubernetes
    _tplversion: 24-04-20
    #
    # Values to override
    #
    ## k8s cluster credentials kubeconfig file
    kubeconfig: config-k8s-mod
    namespace:
      ## k8s namespace name
      name: cert-manager
    letsencrypt:
      # Let's Encrypt will use this to contact you about expiring
      # certificates, and issues related to your account.
      email: certadmin@cskylab.net

    TL;DR

    • To deploy namespace and chart:
    # Pull charts to './charts/' directory
    ./csdeploy.sh -m pull-charts
    # Install  
    ./csdeploy.sh -m install
    # Check status
    ./csdeploy.sh -l
    • To deploy clusterissuers after install is completed:
    # Apply clusterissuers (after install is completed)
    ./csdeploy.sh -m apply-cliss

    Prerequisites

    • Administrative access to Kubernetes cluster.
    • Helm v3

    How-to guides

    Prepare clusterissuers manifests

    Clusterissuers manifest are applied by cs-deploy.sh script. All manifests files must follow the format name ./clusterissuer-*.yaml.

    Let's Encrypt clusterissuers

    Let's Encrypt clusterissuers are provided in two files:

    • Staging: clusterissuer-letsencrypt-staging.yaml
    • Production: clusterissuer-letsencrypt.yaml

    Review values and modify email if needed in both files.

    Private CA clusterissuers

    Private CA's clusterissuers manifests must include a TLS Secret manifest with public and private keys. Be sure to keep the private key safe and secret. Note that, like all secrets, data must be base64 encoded.

    You can obtain the base64 values tls.crt and tls.key from the private and public CA keys with the command:

    # Base64 encoding with single line format
    # Public key
    base64 -w 0 ca-test-internal.crt > ca-test-internal.crt.b64
    # Private key
    base64 -w 0 ca-test-internal.key > ca-test-internal.key.b64

    To prepare a private ./clusterissuer-*.yaml file, you can use the following example:

    # clusterissuer-ca-test-internal.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: ca-test-internal
      namespace: cert-manager
    type: kubernetes.io/tls
    data:
      tls.crt: LS0tLS1CRUdJTiBDRVJUSU.... # Copy value from ca-test-internal.crt.b64
      tls.key: LS0tLS1CRUdJTiBSU0EgUF.... # Copy value from ca-test-internal.key.b64
    ---
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: ca-test-internal
      namespace: cert-manager
    spec:
      ca:
        secretName: ca-test-internal

    NOTE: You must prepare your own Private CA Keys.

    Pull Charts

    To pull charts, change the repositories and charts needed in variable source_charts inside the script csdeploy.sh and run:

    # Pull charts to './charts/' directory
      ./csdeploy.sh -m pull-charts

    When pulling new charts, all the content of ./charts directory will be removed, and replaced by the new pulled charts.

    After pulling new charts redeploy the new versions with: ./csdeploy -m update.

    Install

    To create namespace and install chart:

      # Create namespace and install chart
        ./csdeploy.sh -m install

    CustomResourceDefinition resources are installed with the helm chart. You must uninstall the chart release with ./csdeploy.sh -m uninstall to appropriately remove these resources.

    Apply clusterissuers

    Chart installation process must be completed to apply clusterissuers. First time installation requires a while to create the neccesary resources.

    To apply clusterissuers:

      # Apply clusterissuers (after install is completed)
        ./csdeploy.sh -m apply-cliss

    Update

    To update chart settings, change values in the file values-cert-manager.yaml.

    Redeploy or upgrade the chart and apply clusterissuers manifests running:

      # Redeploy or upgrade chart and apply clusterissuers
        ./csdeploy.sh -m update

    Uninstall

    To delete clusterissuers, uninstall chart and remove namespace run:

      # Delete clusterissuers, uninstall chart and remove namespace
        ./csdeploy.sh -m uninstall

    This option removes CustomResourceDefinition resources appropriately from cluster and also removes the namespace.

    Remove

    This option is intended to use only to remove the namespace when chart deployment is failed. Otherwise, you must run ./csdeploy.sh -m uninstall.

    To remove namespace and all its contents run:

      # Remove namespace and all its contents
        ./csdeploy.sh -m remove

    Display status

    To display namespace, chart status and clusterissuers resources status run:

      # Display namespace status:
        csdeploy.sh -l

    Reference

    To learn more see:

    Helm charts and values

    ChartValues
    jetstack/cert-managervalues-cert-manager.yaml

    Scripts

    csdeploy

    Purpose:
      cert-manager kubernetes configuration.
    Usage:
      sudo csdeploy.sh [-l] [-m <execution_mode>] [-h] [-q]
    Execution modes:
      -l  [list-status]     - List current status.
      -m  <execution_mode>  - Valid modes are:
          [install]         - Create namespace and install chart.
          [apply-cliss]     - Apply clusterissuers (after install is completed).
          [update]          - Redeploy or upgrade chart and apply clusterissuers.
          [uninstall]       - Delete clusterissuers, uninstall chart and remove namespace.
          [remove]          - Remove namespace and all its contents.
    Options and arguments:  
      -h  Help
      -q  Quiet (Nonstop) execution.
    Examples:
      # Pull charts to './charts/' directory
        ./csdeploy.sh -m pull-charts
      # Create namespace and install chart
        ./csdeploy.sh -m install
      # Apply clusterissuers (after install is completed)
        ./csdeploy.sh -m apply-cliss
      # Redeploy or upgrade chart and apply clusterissuers
        ./csdeploy.sh -m update
      # Delete clusterissuers, uninstall chart and remove namespace
        ./csdeploy.sh -m uninstall
      # Remove namespace and all its contents
        ./csdeploy.sh -m remove
      # Display namespace and chart status:
        ./csdeploy.sh -l

    Tasks performed:

    ${execution_mode}TasksBlock / Description
    [pull-charts]Pull helm charts from repositories
    Clean ./charts directoryRemove all contents in ./charts directory.
    Pull helm chartsPull new charts according to sourced script in variable source_charts.
    Show chartsShow Helm charts pulled into ./charts directory.
    [install]Create namespace
    Create namespaceNamespace must be unique in cluster.
    [update][install]Deploy charts
    Deploy chartsDeploy all charts in ./charts directory with upgrade --install options.
    [update][apply-cliss]Apply clusterissuers
    Apply clusterissuersApply all clusterissuers manifests in the form clusterissuers-*.yaml.
    [uninstall]Uninstall charts
    Delete clusterissuersDelete all clusterissuers manifests in the form clusterissuers-*.yaml.
    Uninstall chartsUninstall all charts in ./charts directory.
    [uninstall][remove]Remove namespace
    Remove namespaceRemove namespace and all its objects.
    [install][update] [list-status]Display status information
    Display namespaceDisplay namespace and object status.
    Display clusterissuersDisplay clusterissuers status information.
    Display chartsCharts releases history information.

    Template values

    The following table lists template configuration parameters and their specified values, when machine configuration files were created from the template:

    ParameterDescriptionValues
    _tplnametemplate name{{ ._tplname }}
    _tpldescriptiontemplate description{{ ._tpldescription }}
    _tplversiontemplate version{{ ._tplversion }}
    kubeconfigkubeconfig file{{ .kubeconfig }}
    namespace.namenamespace name{{ .namespace.name }}
    letsencrypt.emailLet's Encrypt contact email{{ .letsencrypt.email }}

    License

    Copyright © 2021 cSkyLab.com ™

    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.