The source code and default configuration of this Building Block are available on our code.sysEleven.de. For information on release notes and new features please follow the link: Release notes cert-manager
Cert-Manager is an addon to automate the management and issuance of TLS certificates from a wide range of sources.
A recommended resource overview is listed in the table below.
| CPU / vCPU | Memory |
|---|---|
| 0.22 | 448MiB |
No further activities need to be carried out in advance.
Add the directory `syseleven-cert-manager` to your control repository. Add a `.gitlab-ci.yml` to the directory with the following content:

```yaml
include:
  - project: syseleven/building-blocks/helmfiles/cert-manager
    file: JobDevelopment.yaml
    ref: 9.1.0
  - project: syseleven/building-blocks/helmfiles/cert-manager
    file: JobStaging.yaml
    ref: 9.1.0
  - project: syseleven/building-blocks/helmfiles/cert-manager
    file: JobProduction.yaml
    ref: 9.1.0
```
Remove environments you are not using by removing their include.
Strictly speaking, no configuration is required to deploy this Building Block. But we strongly recommend configuring an ACME account email address. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails.
Add the address to `values-cert-manager-extension.yaml` or `values-cert-manager-extension-$ENVIRONMENT.yaml`:

```yaml
email: letsencrypt@example.org
```
You need to add one of two annotations to your ingress and configure the TLS section:

- `cert-manager.io/cluster-issuer: "letsencrypt-production"` to get a valid certificate from Let's Encrypt.
- `cert-manager.io/cluster-issuer: "letsencrypt-staging"` to get a certificate from Let's Encrypt's staging CA. This certificate will not be accepted by tooling and browsers. Use it only for testing purposes.

Your ingress needs a `spec.tls` section. An example:

```yaml
tls:
  - hosts:
      - subdomain.example.com
    secretName: subdomain.example.com-tls
```
Notes:

Set `secretName` so that cert-manager knows where to save the certificate and the ingress-controller knows which certificate to use. The secret does not need to exist beforehand; cert-manager generates it automatically.

If you use our SysEleven Stack DNSaaS, the relevant configuration for DNS challenges is already included by default.
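The following is an added example (not part of this Building Block's code) that checks an Ingress manifest for the two things the text above requires: the `cert-manager.io/cluster-issuer` annotation and a `spec.tls` entry with `hosts` and a `secretName` for every host the Ingress routes. It also flags the staging issuer, whose certificates browsers will not accept. The manifests are embedded as Python dicts (constructed samples, the same shape as `kubectl get ingress -o json` returns) so it runs offline.

```python
"""Sanity-check an Ingress manifest before handing it to cert-manager (added example)."""
from typing import Dict, List

ANNOTATION = "cert-manager.io/cluster-issuer"
# ClusterIssuers this Building Block provides; only the production one is browser-trusted.
KNOWN_ISSUERS = {"letsencrypt-production": True, "letsencrypt-staging": False}


def check_ingress(ingress: Dict) -> List[str]:
    """Return findings for an Ingress; an empty list means cert-manager will act on it."""
    findings: List[str] = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    issuer = annotations.get(ANNOTATION)
    if issuer is None:
        findings.append(f"missing annotation {ANNOTATION}; cert-manager ignores this Ingress")
    elif issuer not in KNOWN_ISSUERS:
        findings.append(f"unknown cluster-issuer {issuer!r}")
    elif not KNOWN_ISSUERS[issuer]:
        findings.append(f"{issuer} issues certificates browsers will not accept; testing only")

    spec = ingress.get("spec") or {}
    tls = spec.get("tls") or []
    if not tls:
        findings.append("spec.tls is missing; cert-manager will not request a certificate")

    covered = set()
    for i, entry in enumerate(tls):
        hosts = entry.get("hosts") or []
        if not hosts:
            findings.append(f"spec.tls[{i}] lists no hosts")
        if not entry.get("secretName"):
            findings.append(f"spec.tls[{i}] has no secretName; nowhere to store the certificate")
        covered.update(hosts)

    # Every host routed by a rule should be covered by a TLS entry, or it is served without TLS.
    rule_hosts = {r["host"] for r in spec.get("rules") or [] if r.get("host")}
    for host in sorted(rule_hosts - covered):
        findings.append(f"rule host {host} has no matching spec.tls entry")
    return findings


# Constructed sample: the Ingress from the text above, configured correctly.
GOOD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "subdomain", "annotations": {ANNOTATION: "letsencrypt-production"}},
    "spec": {
        "rules": [{"host": "subdomain.example.com"}],
        "tls": [{"hosts": ["subdomain.example.com"], "secretName": "subdomain.example.com-tls"}],
    },
}

# Constructed sample: staging issuer, a TLS entry without secretName, and an uncovered host.
BAD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "subdomain", "annotations": {ANNOTATION: "letsencrypt-staging"}},
    "spec": {
        "rules": [{"host": "subdomain.example.com"}, {"host": "api.example.com"}],
        "tls": [{"hosts": ["subdomain.example.com"]}],
    },
}

if __name__ == "__main__":
    for name, ing in (("good", GOOD_INGRESS), ("bad", BAD_INGRESS)):
        print(name, check_ingress(ing) or "ok")
```

Run it against a live object with `kubectl get ingress -n <namespace> <name> -o json | python3 -c 'import json,sys; from check import check_ingress; print(check_ingress(json.load(sys.stdin)))'` (module name assumed). An uncovered rule host is worth catching early: the Ingress will still serve it, just without the certificate you expected.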
To use the DNS challenge add the following label to your Ingress/Certificate:

```yaml
cert-manager.io/solver: dns01
```

If you want to use another DNSaaS provider please consult the cert-manager upstream documentation.
You need to add the configuration for the provider to the `values-cert-manager-extension.yaml` like:

```yaml
solvers:
  - dns01:
      route53:
        region: eu-central-1
        accessKeyID: <Access ID for less-privileged.example.org here>
        hostedZoneID: <Zone ID for less-privileged.example.org here>
        secretAccessKeySecretRef:
          name: <Secret name where the SecretAccessKey is stored>
          key: <Key inside that secret holding the SecretAccessKey>
    selector:
      matchLabels:
        # Define label for dns challenge to be able to match the certificate
        cert-manager.io/solver: dns01
```

In this case you do not need the `designate-webhook`. To disable the installation of it just add the environment variable `RELEASE_DESIGNATE_CERTMANAGER_WEBHOOK_ENABLED=false`.
To make the following example work you need to use the SysEleven DNSaaS to configure your DNS record.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    # Use acme/solver: dns01 defined in ClusterIssuer: letsencrypt-production.
    cert-manager.io/solver: dns01
  name: test-certificate
  namespace: syseleven-cert-manager
spec:
  dnsNames:
    - test-certificate.<customerdomain>.de
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-production
  # Store the certificate as a secret named test-certificate-secret in namespace syseleven-cert-manager
  secretName: test-certificate-secret
```
Issuing the certificate can take a few minutes. Please check regularly with the following command:

```shell
kubectl describe certificate -n syseleven-cert-manager test-certificate
```

or

```shell
kubectl get -n syseleven-cert-manager secret test-certificate-secret -o jsonpath='{.data.tls\.crt}' | base64 -d - | openssl x509 -dates -subject -noout
```
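As an added example (not part of this Building Block), the check below reads the same information the two commands above expose, but from `kubectl get certificate ... -o json`: the `Ready` condition tells you whether issuance succeeded or why it is still pending, and `status.notAfter` / `status.renewalTime` tell you when the certificate expires and when cert-manager is due to renew it. The two Certificate objects embedded below are constructed samples, not real cluster output, and the `needs_attention` threshold of 14 days is an assumption you would tune to your own alerting.

```python
"""Summarise a cert-manager Certificate's status (added example)."""
import json
from datetime import datetime, timezone
from typing import Dict, Optional

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in Certificate status fields
WARN_DAYS = 14                   # assumed alerting threshold


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, RFC3339).replace(tzinfo=timezone.utc) if value else None


def summarize_certificate(cert_json: str, now: datetime) -> Dict:
    """Reduce `kubectl get certificate -o json` output to the fields an operator cares about."""
    cert = json.loads(cert_json)
    status = cert.get("status") or {}
    conditions = {c.get("type"): c for c in status.get("conditions") or []}
    ready = conditions.get("Ready") or {}
    not_after = _parse_time(status.get("notAfter"))
    renewal = _parse_time(status.get("renewalTime"))
    return {
        "name": cert.get("metadata", {}).get("name"),
        "secret": cert.get("spec", {}).get("secretName"),
        "ready": ready.get("status") == "True",
        "reason": ready.get("reason"),
        "message": ready.get("message"),
        "days_left": (not_after - now).days if not_after else None,
        "renewal_due": bool(renewal and renewal <= now),
    }


def needs_attention(summary: Dict) -> bool:
    """True when issuance failed/pending, renewal is overdue, or expiry is close."""
    if not summary["ready"] or summary["renewal_due"]:
        return True
    return summary["days_left"] is not None and summary["days_left"] < WARN_DAYS


# Constructed sample: a successfully issued certificate.
READY_CERT = json.dumps({
    "metadata": {"name": "test-certificate", "namespace": "syseleven-cert-manager"},
    "spec": {"secretName": "test-certificate-secret"},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired"}],
        "notAfter": "2024-07-01T10:00:00Z",
        "renewalTime": "2024-06-01T10:00:00Z",
    },
})

# Constructed sample: issuance still in progress, so no notAfter yet.
PENDING_CERT = json.dumps({
    "metadata": {"name": "test-certificate", "namespace": "syseleven-cert-manager"},
    "spec": {"secretName": "test-certificate-secret"},
    "status": {
        "conditions": [
            {"type": "Ready", "status": "False", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
            {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
        ],
    },
})

NOW = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for sample in (READY_CERT, PENDING_CERT):
        s = summarize_certificate(sample, NOW)
        print(s["name"], "ready" if s["ready"] else f"not ready ({s['reason']}: {s['message']})",
              "days_left:", s["days_left"], "attention:", needs_attention(s))
```

Feed it live data with `kubectl get certificate -n syseleven-cert-manager test-certificate -o json` and the current time from `datetime.now(timezone.utc)`. The `message` of a `Ready=False` condition is usually the fastest pointer to what is wrong (a DNS record that has not propagated, a selector label that does not match a solver), which is the same text `kubectl describe` prints under Events.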
To remove the example again, the following resources must be removed:

```shell
kubectl delete certificate -n syseleven-cert-manager test-certificate
kubectl delete secret -n syseleven-cert-manager test-certificate-secret
```
This building block consists of multiple components. Each of the components can and must be scaled individually.
Please find more information on release notes and new features here: Release notes Cert-Manager