Deploy cert-manager¶
In this section you will deploy cert-manager. cert-manager is going to manage SSL certificates for you, either self-signed or issued by Let’s Encrypt.
Fast Forward
If you have already deployed cert-manager, for example, if you have exposed EKF, and want to expose Serving with the same NGINX used to expose EKF, proceed to the What’s Next section.
If you are going to use an already issued SSL certificate you are managing yourself, proceed to the What’s Next section.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
Procedure¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsEdit
rok/cert-manager/cert-manager/overlays/deploy/kustomization.yaml
and enable the necessary ClusterIssuers. Choose one of the following options, based on which NGINX you are using:resources: - cluster-issuer-self-signed.yaml - cluster-issuer-letsencrypt-prod.yaml - cluster-issuer-letsencrypt-prod-serving.yamlresources: - cluster-issuer-self-signed.yaml - cluster-issuer-letsencrypt-prod.yamlNote
We need a different ClusterIssuers because we want to use a different IngressClass in case Serving is exposed via a dedicated NGINX.
Set a valid
email
for your ACME account. Choose one of the following options, based on which NGINX you are using:Specify a valid email for your ACME account:
root@rok-tools:~/ops/deployments# export SERVING_ACME_ACCOUNT_EMAIL=<EMAIL>Replace
<EMAIL>
with a valid email address. For example:root@rok-tools:~/ops/deployments# export SERVING_ACME_ACCOUNT_EMAIL=user@example.comUpdate the Let’s Encrypt ClusterIssuer for Serving to use a valid email address:
root@rok-tools:~/ops/deployments# rok-j2 \ > rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod-serving.yaml.j2 > -o rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod-serving.yaml
Specify a valid email for your ACME account:
root@rok-tools:~/ops/deployments# export ACME_ACCOUNT_EMAIL=<EMAIL>Replace
<EMAIL>
with a valid email address. For example:root@rok-tools:~/ops/deployments# export ACME_ACCOUNT_EMAIL=user@example.comUpdate the Let’s Encrypt ClusterIssuer to use a valid email address:
root@rok-tools:~/ops/deployments# rok-j2 \ > rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml.j2 > -o rok/cert-manager/cert-manager/overlays/deploy/cluster-issuer-letsencrypt-prod.yaml
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Configure cert-manager"Install cert-manager resources along with the necessary ClusterIssuers:
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/cert-manager/cert-manager/overlays/deploy
Verify¶
Verify that cert-manager is up-and-running. Check that field READY is 1/1 for the corresponding deployments:
root@rok-tools:~/ops/deployments# kubectl get deploy -n cert-manager NAME READY UP-TO-DATE AVAILABLE AGE cert-manager 1/1 1 1 1m cert-manager-cainjector 1/1 1 1 1m cert-manager-webhook 1/1 1 1 1mVerify that your ACME account was registered successfully by inspecting the status condition on the Let’s Encrypt ClusterIssuer. Choose one of the following options, based on which NGINX you are using:
root@rok-tools:~/ops/deployments# kubectl describe clusterissuer letsencrypt-prod-serving ... Status: Acme: ... Conditions: ... Message: The ACME account was registered with the ACME server Reason: ACMEAccountRegistered Status: True Type: Readyroot@rok-tools:~/ops/deployments# kubectl describe clusterissuer letsencrypt-prod ... Status: Acme: ... Conditions: ... Message: The ACME account was registered with the ACME server Reason: ACMEAccountRegistered Status: True Type: Ready