In this section you will deploy cert-manager. cert-manager is going to manage SSL certificates for you, either self-signed or issued by Let’s Encrypt.
If you already have an SSL certificate you are managing yourself, you may proceed to the What’s Next section.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

Specify a valid email for your ACME account:

    root@rok-tools:~/ops/deployments# export ACME_ACCOUNT_EMAIL=<EMAIL>

Replace <EMAIL> with a valid email address. For example:

    root@rok-tools:~/ops/deployments# export ACME_ACCOUNT_EMAIL=firstname.lastname@example.org

Update the Let’s Encrypt ClusterIssuer to use a valid email address:

    root@rok-tools:~/ops/deployments# rok-j2 \
    >     rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml.j2 \
    >     -o rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml

Edit rok/cert-manager/cert-manager/overlays/deploy/kustomization.yaml and enable both self-signed and Let’s Encrypt ClusterIssuers:

    resources:
    - cluster-issuer-self-signed.yaml
    - cluster-issuer-letsencrypt-prod.yaml

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure cert-manager"

Install cert-manager resources along with the two ClusterIssuers:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/cert-manager/cert-manager/overlays/deploy

Verify that cert-manager is up and running. Check that the READY field is 1/1 for the corresponding deployments:

    root@rok-tools:~/ops/deployments# kubectl get deploy -n cert-manager
    NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
    cert-manager              1/1     1            1           1m
    cert-manager-cainjector   1/1     1            1           1m
    cert-manager-webhook      1/1     1            1           1m

Verify that your ACME account was registered successfully by inspecting the status condition on the Let’s Encrypt ClusterIssuer:

    root@rok-tools:~/ops/deployments# kubectl describe clusterissuer letsencrypt-prod
    ...
    Status:
      Acme:
        ...
      Conditions:
        ...
        Message:  The ACME account was registered with the ACME server
        Reason:   ACMEAccountRegistered
        Status:   True
        Type:     Ready

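The two verification steps above can be scripted so that an automated rollout stops before the next step when cert-manager or the Let’s Encrypt issuer is not ready. This is an added example, not part of the original guide or of Arrikto's tooling; the function names are hypothetical, and it assumes kubectl already points at the target cluster.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of rok-tools.

# Reads `kubectl get deploy -n cert-manager` output on stdin.
# Succeeds only if at least one deployment is listed and every row
# reports READY as N/N with N >= 1. Empty input (for example, kubectl
# failed upstream in the pipe) counts as a failure.
deployments_ready() {
    awk '
        NR == 1 || NF == 0 { next }           # skip header and blank lines
        {
            rows++
            split($2, r, "/")                 # READY column, e.g. "1/1"
            if (r[1] != r[2] || r[2] + 0 < 1) {
                printf "not ready: %s (%s)\n", $1, $2
                bad++
            }
        }
        END { exit ((rows == 0 || bad > 0) ? 1 : 0) }
    '
}

# Reads "Type=Status Reason" lines (one per status condition) on stdin.
# Succeeds only if a Ready=True condition is present.
issuer_ready() {
    awk '
        $1 == "Ready=True" { ok = 1 }
        $1 ~ /^Ready=/ && $1 != "Ready=True" {
            printf "issuer not ready: %s\n", $0
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Runs both checks against the live cluster.
verify_cert_manager() {
    kubectl get deploy -n cert-manager | deployments_ready || return 1
    kubectl get clusterissuer letsencrypt-prod \
        -o jsonpath='{range .status.conditions[*]}{.type}={.status} {.reason}{"\n"}{end}' \
        | issuer_ready || return 1
    echo "cert-manager and letsencrypt-prod are ready"
}
```

Source the file and run `verify_cert_manager` from the rok-tools shell; a non-zero return means one of the two checks failed.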
You have successfully installed cert-manager and configured it with a self-signed and a Let’s Encrypt ClusterIssuer.
The next step is to expose Istio, our service mesh.