Deploy cert-manager
In this section you will deploy cert-manager. cert-manager is going to manage SSL certificates for you, either self-signed or issued by Let’s Encrypt.
Note
If you already have an SSL certificate you are managing yourself, you may proceed to the What’s Next section.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
Procedure
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:~# cd ~/ops/deployments

2. Edit rok/cert-manager/cert-manager/overlays/deploy/kustomization.yaml and enable both self-signed and Let’s Encrypt ClusterIssuers:

       resources:
       - cluster-issuer-self-signed.yaml
       - cluster-issuer-letsencrypt-prod.yaml

3. Edit rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml to set a valid email for your ACME account:

       spec:
         acme:
           email: user@example.com  # <-- Update this line with a valid email address

4. Commit your changes:

       root@rok-tools:~/ops/deployments# git commit -am "Configure cert-manager"

5. Install cert-manager resources along with the two ClusterIssuers:

       root@rok-tools:~/ops/deployments# rok-deploy --apply rok/cert-manager/cert-manager/overlays/deploy
Verify
1. Verify that cert-manager is up and running. Check that field READY is 1/1 for the corresponding deployments:

       root@rok-tools:~/ops/deployments# kubectl get deploy -n cert-manager
       NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
       cert-manager              1/1     1            1           1m
       cert-manager-cainjector   1/1     1            1           1m
       cert-manager-webhook      1/1     1            1           1m

2. Verify that your ACME account was registered successfully by inspecting the status condition on the Let’s Encrypt ClusterIssuer:

       root@rok-tools:~/ops/deployments# kubectl describe clusterissuer letsencrypt-prod
       ...
       Status:
         Acme:
           ...
         Conditions:
           ...
           Message:  The ACME account was registered with the ACME server
           Reason:   ACMEAccountRegistered
           Status:   True
           Type:     Ready
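The email step and the ACME registration check above can be scripted. The following is an added example, not part of the Arrikto tooling: the function names are hypothetical, the manifest fragment is constructed from the snippet on this page, and the readiness check assumes you feed it one "Type=Status Reason" line per condition.

```shell
#!/bin/sh
# Added example (not Arrikto code). All function names are hypothetical.

# Print the ACME contact email found in a ClusterIssuer manifest.
issuer_email() {
    sed -n 's/^[[:space:]]*email:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" \
        | tr -d "\"'" | head -n 1
}

# Pre-commit check: fail when the email is missing, malformed, or still
# points at a reserved example domain (RFC 2606), i.e. the placeholder.
check_issuer_email() {
    email=$(issuer_email "$1")
    case "$email" in
        "")
            echo "no acme email set in $1" >&2; return 1 ;;
        *@example.com|*@example.org|*@example.net)
            echo "placeholder email still present: $email" >&2; return 1 ;;
        ?*@?*.?*)
            return 0 ;;
        *)
            echo "malformed email: $email" >&2; return 1 ;;
    esac
}

# Post-deploy check: reads "Type=Status Reason" lines on stdin and succeeds
# only for the condition shown in the Verify step. Intended input:
#   kubectl get clusterissuer letsencrypt-prod -o \
#     jsonpath='{range .status.conditions[*]}{.type}={.status} {.reason}{"\n"}{end}'
issuer_registered() {
    grep -q '^Ready=True ACMEAccountRegistered$'
}

# Demo on a constructed manifest fragment that still carries the placeholder.
demo=$(mktemp)
printf 'spec:\n  acme:\n    email: user@example.com # <-- Update this line\n' > "$demo"
check_issuer_email "$demo" || echo "fix the email before committing"
rm -f "$demo"
```

Run check_issuer_email against cluster-issuer-letsencrypt-prod.yaml before the commit step, and pipe the kubectl output into issuer_registered after rok-deploy finishes.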