Deploy cert-manager

In this section you will deploy cert-manager, which manages SSL certificates for you, either self-signed or issued by Let’s Encrypt.

Note

If you already have an SSL certificate you are managing yourself, you may proceed to the What’s Next section.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Install cert-manager resources in the kube-system namespace:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/cert-manager/cert-manager-kube-system-resources/overlays/deploy
    
  3. Edit rok/cert-manager/cert-manager/overlays/deploy/kustomization.yaml and enable both self-signed and Let’s Encrypt ClusterIssuers:

    resources:
    - cluster-issuer-self-signed.yaml
    - cluster-issuer-letsencrypt-prod.yaml
    
  4. Edit rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml to set a valid email for your ACME account:

    spec:
      acme:
        email: user@example.com  # <-- Update this line with a valid email address
    
  5. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure cert-manager"
    
  6. Install cert-manager resources along with the two ClusterIssuers:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/cert-manager/cert-manager/overlays/deploy
    

Verify

  1. Verify that cert-manager is up and running. Check that the READY field is 1/1 for the corresponding deployments:

    root@rok-tools:~/ops/deployments# kubectl get deploy -n cert-manager
    NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
    cert-manager              1/1     1            1           1m
    cert-manager-cainjector   1/1     1            1           1m
    cert-manager-webhook      1/1     1            1           1m
    
  2. Verify that your ACME account was registered successfully by inspecting the status condition on the Let’s Encrypt ClusterIssuer:

    root@rok-tools:~/ops/deployments# kubectl describe clusterissuer letsencrypt-prod
    ...
    Status:
      Acme:
        ...
      Conditions:
        ...
        Message:               The ACME account was registered with the ACME server
        Reason:                ACMEAccountRegistered
        Status:                True
        Type:                  Ready
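
The two checks above can also be scripted so that a deployment pipeline fails when cert-manager or the ACME registration is not ready. The following is an added example, not part of the original guide or of Rok: the function names, the jsonpath template and the sample inputs are assumptions constructed for illustration.

```shell
# Added example: scripted form of the two Verify steps.

# Reads `kubectl get deploy` table output on stdin. Succeeds only if at least
# one deployment is listed and every READY value is N/N with N > 0.
deployments_ready() {
  awk 'NR == 1 || NF == 0 { next }   # skip header and blank lines
       { n++; split($2, r, "/"); if (r[1] != r[2] || r[2] == 0) bad = 1 }
       END { exit ((n > 0 && !bad) ? 0 : 1) }'
}

# Reads "type<TAB>status<TAB>reason" condition lines on stdin. Succeeds only
# if the Ready condition is True with reason ACMEAccountRegistered.
acme_account_registered() {
  awk -F '\t' '$1 == "Ready" { seen = 1; ok = ($2 == "True" && $3 == "ACMEAccountRegistered") }
       END { exit ((seen && ok) ? 0 : 1) }'
}

# Live check against the cluster (hypothetical wrapper; not invoked here).
verify_cert_manager() {
  kubectl get deploy -n cert-manager | deployments_ready || {
    echo "cert-manager deployments are not all ready" >&2; return 1; }
  kubectl get clusterissuer letsencrypt-prod \
    -o jsonpath='{range .status.conditions[*]}{.type}{"\t"}{.status}{"\t"}{.reason}{"\n"}{end}' |
    acme_account_registered || {
    echo "letsencrypt-prod: ACME account not registered" >&2; return 1; }
}

# Constructed sample inputs, so the parsers can be exercised without a cluster.
SAMPLE_DEPLOY_OK='NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
cert-manager              1/1     1            1           1m
cert-manager-cainjector   1/1     1            1           1m
cert-manager-webhook      1/1     1            1           1m'
SAMPLE_DEPLOY_PENDING='NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
cert-manager              1/1     1            1           1m
cert-manager-webhook      0/1     1            0           5s'
SAMPLE_COND_OK=$(printf 'Ready\tTrue\tACMEAccountRegistered\n')
SAMPLE_COND_FAILED=$(printf 'Ready\tFalse\tErrRegisterACMEAccount\n')
```

Source the file on rok-tools and run `verify_cert_manager`; a non-zero exit status means at least one of the two checks did not pass. An empty result from kubectl (for example, a missing namespace or ClusterIssuer) is treated as a failure.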
    

Summary

You have successfully installed cert-manager and configured it with a self-signed and a Let’s Encrypt ClusterIssuer.

What’s Next

The next step is to expose Istio, our service mesh.