In this section you will deploy cert-manager. cert-manager is going to manage SSL certificates for you, either self-signed or issued by Let’s Encrypt.
If you already have an SSL certificate you are managing yourself, you may proceed to the What’s Next section.
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

Specify a valid email for your ACME account:

    root@rok-tools:~/ops/deployments# export ACME_ACCOUNT_EMAIL=<EMAIL>

Replace <EMAIL> with a valid email address. For example:

    root@rok-tools:~/ops/deployments# export ACME_ACCOUNT_EMAIL=email@example.com

Update the Let’s Encrypt ClusterIssuer to use a valid email address:

    root@rok-tools:~/ops/deployments# rok-j2 \
    >     rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml.j2 \
    >     -o rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml

Edit rok/cert-manager/cert-manager/overlays/deploy/kustomization.yaml and enable both self-signed and Let’s Encrypt ClusterIssuers:

    resources:
    - cluster-issuer-self-signed.yaml
    - cluster-issuer-letsencrypt-prod.yaml

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure cert-manager"

Install cert-manager resources along with the two ClusterIssuers:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/cert-manager/cert-manager/overlays/deploy

Verify that cert-manager is up and running. Check that the READY field is 1/1 for the corresponding deployments:

    root@rok-tools:~/ops/deployments# kubectl get deploy -n cert-manager
    NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
    cert-manager              1/1     1            1           1m
    cert-manager-cainjector   1/1     1            1           1m
    cert-manager-webhook      1/1     1            1           1m

Verify that your ACME account was registered successfully by inspecting the status condition on the Let’s Encrypt ClusterIssuer:

    root@rok-tools:~/ops/deployments# kubectl describe clusterissuer letsencrypt-prod
    ...
    Status:
      Acme:
        ...
      Conditions:
        ...
        Message:  The ACME account was registered with the ACME server
        Reason:   ACMEAccountRegistered
        Status:   True
        Type:     Ready

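
The two verification steps above can also be scripted as a post-deploy check. This is an added example, not part of the Rok tooling or the original page: the function names and sample tables are constructed here, and the jsonpath query assumes the standard cert-manager ClusterIssuer status conditions.

```shell
#!/usr/bin/env bash
# Added example: scripted form of the two verification steps (not Rok tooling).

# stdin: table printed by `kubectl get deploy -n cert-manager`.
# Succeeds only if all three cert-manager deployments are listed and fully ready.
deployments_ready() {
    awk '
        NR == 1 { next }                        # skip the header row
        { split($2, r, "/")                     # READY column is "ready/desired"
          if (r[1] == r[2] && r[1] > 0) ok[$1] = 1 }
        END {
            n = split("cert-manager cert-manager-cainjector cert-manager-webhook", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in ok)) { print "not ready: " want[i]; bad = 1 }
            exit bad
        }'
}

# stdin: one "Type=Status:Reason" line per condition (format produced in verify_live).
# The Ready/True/ACMEAccountRegistered values are the ones shown on this page.
issuer_registered() {
    grep -qx 'Ready=True:ACMEAccountRegistered'
}

# Runs both checks against the current kubectl context.
verify_live() {
    kubectl get deploy -n cert-manager | deployments_ready &&
    kubectl get clusterissuer letsencrypt-prod -o \
        jsonpath='{range .status.conditions[*]}{.type}={.status}:{.reason}{"\n"}{end}' |
        issuer_registered
}

# Constructed sample outputs, so the parsing can be exercised without a cluster.
SAMPLE_OK='NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
cert-manager              1/1     1            1           1m
cert-manager-cainjector   1/1     1            1           1m
cert-manager-webhook      1/1     1            1           1m'
SAMPLE_BAD='NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
cert-manager              1/1     1            1           1m
cert-manager-cainjector   1/1     1            1           1m
cert-manager-webhook      0/1     1            0           1m'

# Pass --live to check the real cluster; without it the script only defines the helpers.
if [ "${1:-}" = "--live" ]; then verify_live; fi
```

Both helpers fail on empty input, so a kubectl error or a missing resource is reported as a failed check rather than a pass.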
You have successfully installed cert-manager and configured it with a self-signed and a Let’s Encrypt ClusterIssuer.