Install cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.0
kubectl get pods --namespace cert-manager
Create issuer
cat <<EOF > staging-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
EOF
kubectl apply -f staging-issuer.yaml
kubectl describe clusterissuer letsencrypt-staging
Deploy a TLS Ingress Resource
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
annotations:
cert-manager.io/issuer: "letsencrypt-staging"
acme.cert-manager.io/http01-edit-in-place: "true"
[..]
spec:
tls:
- hosts:
- ingress-demo.example.com
secretName: ingress-demo-cert-secret
[...]
Verify
kubectl get certificate
kubectl describe certificate ingress-demo-cert-secret
kubectl describe secret ingress-demo-cert-secret
Switch to Let’s Encrypt Production
cat <<EOF > production-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
EOF
kubectl apply -f production-issuer.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo
annotations:
cert-manager.io/issuer: "letsencrypt-prod"
acme.cert-manager.io/http01-edit-in-place: "true"
[..]
spec:
tls:
- hosts:
- ingress-demo.example.com
secretName: ingress-demo-cert-secret
[...]