Helm/Cert Manager: Difference between revisions
No edit summary |
| (9 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{|class='wikitable' style='width:100%;margin:-11px 0 6px 0' | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
helm repo add jetstack https://charts.jetstack.io | |||
helm repo update && helm repo list | |||
kubectl config get-contexts | |||
</syntaxhighlight> | |||
|} | |||
==Config== | ==Config== | ||
<syntaxhighlight lang= | {|class='wikitable' style='width:100%;margin:3px 0' | ||
!scope='col' style='text-align:left'| | |||
Config | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
export KUBECONFIG="${HOME}/.kube/dev-kubeconfig.yaml" | export KUBECONFIG="${HOME}/.kube/dev-kubeconfig.yaml" | ||
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml" | export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml" | ||
export KUBECONFIG="${HOME}/.kube/config" | export KUBECONFIG="${HOME}/.kube/config" | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==Install== | ==Install== | ||
{| | {|class='wikitable' style='width:100%;margin:3px 0' | ||
!scope='col' style='text-align:left'| | |||
Install | |||
|- | |||
|valign='top'| | |valign='top'| | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0' lang='yaml'> | ||
kubectl create | kubectl create ns cert-manager|true | ||
kubectl get ns|cert-manager | |||
helm show values jetstack/cert-manager --version v1.15.1|less | helm show values jetstack/cert-manager --version v1.15.1|less | ||
cat <<YML | helm | helm show values jetstack/cert-manager --version v1.19.1|less | ||
cat <<'YML' | \ | |||
helm -n=cert-manager upgrade --install cert-manager jetstack/cert-manager --version=v1.19.1 -f - | |||
--- | |||
crds: | crds: | ||
enabled: true | enabled: true | ||
| Line 30: | Line 51: | ||
==Uninstall== | ==Uninstall== | ||
<syntaxhighlight lang= | {|class='wikitable' style='width:100%;margin:3px 0' | ||
!scope='col' style='text-align:left'| | |||
Uninstall | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
helm uninstall -n cert-manager cert-manager | helm uninstall -n cert-manager cert-manager | ||
kubectl delete namespace cert-manager | kubectl delete namespace cert-manager | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==Cluster Issuer » Let's Encrypt== | ==Cluster Issuer » Let's Encrypt== | ||
<syntaxhighlight lang= | {|class='wikitable' style='width:100%;margin:3px 0' | ||
cat << YML | kubectl apply -f - | !scope='col' style='text-align:left'| | ||
Cluster Issuer » Let's Encrypt | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl apply -f - | |||
--- | |||
apiVersion: cert-manager.io/v1 | |||
kind: ClusterIssuer | |||
metadata: | |||
name: letsencrypt-staging | |||
spec: | |||
acme: | |||
server: https://acme-staging-v02.api.letsencrypt.org/directory | |||
email: tool.tech@shahed.biz | |||
privateKeySecretRef: | |||
name: letsencrypt-staging-ac-key | |||
solvers: | |||
- http01: | |||
ingress: | |||
class: nginx | |||
--- | |||
apiVersion: cert-manager.io/v1 | apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | kind: ClusterIssuer | ||
| Line 45: | Line 95: | ||
acme: | acme: | ||
server: https://acme-v02.api.letsencrypt.org/directory | server: https://acme-v02.api.letsencrypt.org/directory | ||
email: | email: tool.tech@shahed.biz | ||
privateKeySecretRef: | privateKeySecretRef: | ||
name: letsencrypt-prod | name: letsencrypt-prod-ac-key | ||
solvers: | solvers: | ||
- http01: | |||
ingress: | |||
class: nginx | |||
YML | YML | ||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
kubectl get clusterissuer | kubectl get clusterissuer | ||
kubectl get clusterissuer letsencrypt-staging -o=yaml|yq -P | |||
kubectl get clusterissuer letsencrypt-prod -o=yaml|yq -P | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==Cluster Issuer » Self Signed== | ==Cluster Issuer » Self Signed== | ||
<syntaxhighlight lang= | {|class='wikitable mw-collapsible' style='width:100%;margin:3px 0' | ||
cat << YML | kubectl apply -f - | !scope='col' style='text-align:left'| | ||
Cluster Issuer » Self Signed | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl apply -f - | |||
--- | |||
apiVersion: cert-manager.io/v1 | apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | kind: ClusterIssuer | ||
metadata: | metadata: | ||
name: selfsigned- | name: selfsigned-cert-signer | ||
spec: | spec: | ||
selfSigned: {} | selfSigned: {} | ||
YML | YML | ||
kubectl get clusterissuer | kubectl get clusterissuer | ||
kubectl get clusterissuer selfsigned-cert-signer -o=yaml|yq -P | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==Cert Manager » Webhook » Fixes== | |||
{|class='wikitable mw-collapsible' style='width:100%;margin:3px 0' | |||
!scope='col' style='text-align:left'| | |||
Cert Manager » Rollout | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
kubectl -n cert-manager rollout restart deployment cert-manager | |||
kubectl -n cert-manager rollout restart deployment cert-manager-webhook | |||
kubectl -n cert-manager rollout restart deployment cert-manager-cainjector | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
kubectl -n cert-manager delete secret cert-manager-webhook-ca | |||
kubectl -n cert-manager rollout restart deployment cert-manager-webhook | |||
kubectl get ValidatingWebhookConfiguration cert-manager-webhook | |||
</syntaxhighlight> | |||
|} | |||
==Playground== | ==Playground== | ||
{| | {|class='wikitable mw-collapsible' style='width:100%;margin:3px 0' | ||
| colspan= | !scope='col' style='text-align:left' colspan='2'| | ||
<syntaxhighlight lang= | Playground | ||
|- | |||
|valign='top' colspan='2'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
helm install -n cert-manager cert-manager jetstack/cert-manager --version v1.14.7 | helm install -n cert-manager cert-manager jetstack/cert-manager --version v1.14.7 | ||
helm upgrade -n cert-manager -i cert-manager jetstack/cert-manager --version v1.15.1 | helm upgrade -n cert-manager -i cert-manager jetstack/cert-manager --version v1.15.1 | ||
helm show values jetstack/cert-manager --version v1.15.1|less | helm show values jetstack/cert-manager --version v1.15.1|less | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- | ||
| colspan= | |valign='top' colspan='2'| | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0' lang='bash'> | ||
export CERT_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=cert-manager' -o json|jq -r '.items[0].metadata.name') | export CERT_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=cert-manager' -o json|jq -r '.items[0].metadata.name') | ||
export CA_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=cainjector' -o json|jq -r '.items[0].metadata.name') | export CA_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=cainjector' -o json|jq -r '.items[0].metadata.name') | ||
| Line 93: | Line 179: | ||
kubectl -n cert-manager exec -it ${CERT_POD_NAME} -- bash | kubectl -n cert-manager exec -it ${CERT_POD_NAME} -- bash | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- | ||
| | |valign='top' colspan='2'| | ||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
<syntaxhighlight lang= | |||
kubectl config --kubeconfig=${HOME}/.kube/aws-kubeconfig.yaml view --flatten | kubectl config --kubeconfig=${HOME}/.kube/aws-kubeconfig.yaml view --flatten | ||
kubectl config --kubeconfig=${HOME}/.kube/dev-kubeconfig.yaml view --flatten | kubectl config --kubeconfig=${HOME}/.kube/dev-kubeconfig.yaml view --flatten | ||
| Line 105: | Line 187: | ||
kubectl config --kubeconfig=${HOME}/.kube/config view --flatten | kubectl config --kubeconfig=${HOME}/.kube/config view --flatten | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- | ||
|valign='top' style='width:50%'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
| valign= | |||
<syntaxhighlight lang= | |||
kubectl delete all --all -n cert-manager | kubectl delete all --all -n cert-manager | ||
kubectl delete ing --all -n cert-manager | kubectl delete ing --all -n cert-manager | ||
| Line 117: | Line 195: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign= | |valign='top' style='width:50%'| | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0' lang='bash'> | ||
kubectl delete svc --all -n cert-manager | kubectl delete svc --all -n cert-manager | ||
kubectl delete pvc --all -n cert-manager | kubectl delete pvc --all -n cert-manager | ||
kubectl delete pv --all -n cert-manager | kubectl delete pv --all -n cert-manager | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- | ||
|valign='top'| | |||
<syntaxhighlight style='margin:3px 0' lang='bash'> | |||
| valign= | |||
<syntaxhighlight lang= | |||
kubectl rollout -n cert-manager history deploy cert-manager | kubectl rollout -n cert-manager history deploy cert-manager | ||
kubectl rollout -n cert-manager restart deploy cert-manager | kubectl rollout -n cert-manager restart deploy cert-manager | ||
| Line 135: | Line 209: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign= | |valign='top'| | ||
<syntaxhighlight lang= | <syntaxhighlight style='margin:3px 0' lang='bash'> | ||
kubectl logs -n cert-manager -f ${CERT_POD_NAME} | kubectl logs -n cert-manager -f ${CERT_POD_NAME} | ||
kubectl logs -n cert-manager -f ${HOOK_POD_NAME} | kubectl logs -n cert-manager -f ${HOOK_POD_NAME} | ||
| Line 145: | Line 219: | ||
==References== | ==References== | ||
{| | {|class='wikitable mw-collapsible' style='width:100%;margin:3px 0' | ||
| valign= | !scope='col' style='text-align:left' colspan='3'| | ||
References | |||
|- | |||
|valign='top' style='width:33%'| | |||
* [https://docs.bitnami.com/kubernetes/infrastructure/cert-manager/configuration/generate-self-signed-certificates/ Helm » Bitnami » Self Signed Certificates] | * [https://docs.bitnami.com/kubernetes/infrastructure/cert-manager/configuration/generate-self-signed-certificates/ Helm » Bitnami » Self Signed Certificates] | ||
* [https://docs.bitnami.com/kubernetes/infrastructure/cert-manager/configuration/generate-acme-certificates/ Helm » Bitnami » ACME TLS Certificates] | * [https://docs.bitnami.com/kubernetes/infrastructure/cert-manager/configuration/generate-acme-certificates/ Helm » Bitnami » ACME TLS Certificates] | ||
| Line 155: | Line 231: | ||
* [[Helm]] | * [[Helm]] | ||
| valign= | |valign='top' style='width:34%'| | ||
| valign= | |valign='top' style='width:33%'| | ||
|- | |- | ||
|valign='top'| | |||
| valign= | |||
* [https://heksahiti.medium.com/install-cert-manager-with-helm-and-automate-the-certificate-issue-and-renewal-process-in-a-k8s-7f6455416521 Cert Manager » Install & Automate The Renewal] | * [https://heksahiti.medium.com/install-cert-manager-with-helm-and-automate-the-certificate-issue-and-renewal-process-in-a-k8s-7f6455416521 Cert Manager » Install & Automate The Renewal] | ||
* [https://medium.com/@tamerbenhassan/secure-your-kubernetes-ingress-with-tls-a-comprehensive-guide-47e315f5c517 Cert Manager » Secure Your Ingress with TLS] | |||
* [https://cert-manager.io/docs/usage/ingress/ Cert Manager » Annotated Ingress resource] | * [https://cert-manager.io/docs/usage/ingress/ Cert Manager » Annotated Ingress resource] | ||
* [https://cert-manager.io/docs/configuration/acme/http01/ Cert Manager » ACME » HTTP01] | * [https://cert-manager.io/docs/configuration/acme/http01/ Cert Manager » ACME » HTTP01] | ||
| Line 172: | Line 246: | ||
* [https://cert-manager.io/docs/usage/certificate/ Cert Manager] | * [https://cert-manager.io/docs/usage/certificate/ Cert Manager] | ||
| valign= | |valign='top'| | ||
| valign= | |valign='top'| | ||
|- | |- | ||
|valign='top'| | |||
| valign= | |||
* [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ K8s » Configure Service Accounts for Pods] | * [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ K8s » Configure Service Accounts for Pods] | ||
* [https://spacelift.io/blog/restart-kubernetes-pods-with-kubectl K8s » Restart Pods With Kubectl] | * [https://spacelift.io/blog/restart-kubernetes-pods-with-kubectl K8s » Restart Pods With Kubectl] | ||
| Line 192: | Line 263: | ||
* [[K8s]] | * [[K8s]] | ||
| valign= | |valign='top'| | ||
* [https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#use-uid_create-images K8s » OpenShift » Arbitrary User Ids] | * [https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#use-uid_create-images K8s » OpenShift » Arbitrary User Ids] | ||
* [https://cert-manager.io/docs/reference/cmctl/ K8s » Helm » Cert Manager » CLI] | * [https://cert-manager.io/docs/reference/cmctl/ K8s » Helm » Cert Manager » CLI] | ||
| Line 198: | Line 269: | ||
* [https://kubernetes.io/docs/reference/kubectl/generated/kubectl_rollout/ K8s » <code>kubectl rollout</code>] | * [https://kubernetes.io/docs/reference/kubectl/generated/kubectl_rollout/ K8s » <code>kubectl rollout</code>] | ||
| valign= | |valign='top'| | ||
|} | |} | ||
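Review bot: In the Install hunk (old Line 1 / new Line 1) the new lines `kubectl create ns cert-manager|true` and `kubectl get ns|cert-manager` use a single `|`, which pipes kubectl's output into `true` and into a non-existent command named `cert-manager`; they should read `kubectl create ns cert-manager || true` and `kubectl get ns cert-manager` (or `kubectl get ns | grep cert-manager`). That same cell is now tagged `<syntaxhighlight lang='yaml'>` although it starts with shell commands and a heredoc, so the highlighter will mis-render it; `lang='bash'` as in the neighbouring cells is the better fit. Unrelated to this revision but visible as context in the Playground hunk: `kubectl delete pv --all -n cert-manager` acts on a cluster-scoped resource, so `-n` is ignored and the command removes every PersistentVolume in the cluster rather than only those that belonged to cert-manager.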
Latest revision as of 13:32, 26 December 2025
# Register the jetstack chart repository (the source of the cert-manager chart used below),
# refresh the local index, then list repositories and kube contexts so it is clear which
# cluster the following commands will act on.
helm repo add jetstack https://charts.jetstack.io
helm repo update && helm repo list
kubectl config get-contexts
|
Config
|
Config |
|---|
# Alternatives — run exactly ONE of these. Each export overrides the previous one, so pasted
# as a block only the last (${HOME}/.kube/config) is in effect. Point KUBECONFIG at the
# intended cluster before running the install, uninstall or delete commands on this page.
export KUBECONFIG="${HOME}/.kube/dev-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"
|
Install
|
Install |
|---|
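# Create the namespace idempotently (`|| true` tolerates "already exists"), then confirm it
# is present. The original used a single `|`, which piped kubectl's output into `true` and
# into a non-existent command named `cert-manager`.
kubectl create ns cert-manager || true
kubectl get ns cert-manager
# Inspect the chart defaults for the two versions to see what the values below override.
helm show values jetstack/cert-manager --version v1.15.1|less
helm show values jetstack/cert-manager --version v1.19.1|less
# Install or upgrade the release from an inline values file (quoted heredoc: no expansion).
# crds.enabled lets the chart manage the CRDs; ingressShim.* makes annotated Ingresses default
# to the letsencrypt-prod ClusterIssuer defined later on this page; webhook.timeoutSeconds
# gives the admission webhook more time on slow clusters.
cat <<'YML' | \
helm -n=cert-manager upgrade --install cert-manager jetstack/cert-manager --version=v1.19.1 -f -
---
crds:
  enabled: true
ingressShim:
  defaultIssuerName: letsencrypt-prod
  defaultIssuerKind: ClusterIssuer
prometheus:
  enabled: false
webhook:
  timeoutSeconds: 30
YML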
|
Uninstall
|
Uninstall |
|---|
# Remove the Helm release, then the namespace and everything still inside it.
# NOTE(review): cluster-scoped objects created on this page (the ClusterIssuers, and the
# CRDs if the chart keeps them) are not removed by these two commands — confirm and delete
# them separately if a clean slate is required.
helm uninstall -n cert-manager cert-manager
kubectl delete namespace cert-manager
|
Cluster Issuer » Let's Encrypt
|
Cluster Issuer » Let's Encrypt |
|---|
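# Two ACME ClusterIssuers, applied from a quoted heredoc (no shell expansion of the YAML).
# Use letsencrypt-staging first: it issues certificates that browsers do not trust, but its
# rate limits are lenient, so mistakes in ingress or DNS setup do not exhaust the production
# quota. Both use the HTTP-01 solver through the nginx ingress class; the ACME account key is
# kept in the Secret named by privateKeySecretRef (for a ClusterIssuer, in cert-manager's
# cluster-resource namespace).
# NOTE(review): `ingress.class` is the older spelling; newer cert-manager releases prefer
# `ingress.ingressClassName` — confirm which one the pinned chart version expects.
# Indentation restored here; the page rendering had flattened the YAML, which is invalid.
cat <<'YML' | \
kubectl apply -f -
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: tool.tech@shahed.biz
    privateKeySecretRef:
      name: letsencrypt-staging-ac-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: tool.tech@shahed.biz
    privateKeySecretRef:
      name: letsencrypt-prod-ac-key
    solvers:
      - http01:
          ingress:
            class: nginx
YML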
|
# Verify the issuers registered and check their status (look for Ready=True and the ACME
# account URI in .status); yq -P pretty-prints the YAML.
kubectl get clusterissuer
kubectl get clusterissuer letsencrypt-staging -o=yaml|yq -P
kubectl get clusterissuer letsencrypt-prod -o=yaml|yq -P
|
Cluster Issuer » Self Signed
|
Cluster Issuer » Self Signed |
|---|
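# A self-signed ClusterIssuer for internal or test certificates. Certificates it signs are
# not trusted by clients unless the CA is distributed to them explicitly.
# Indentation restored here; the page rendering had flattened the YAML, which is invalid.
cat <<'YML' | \
kubectl apply -f -
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cert-signer
spec:
  selfSigned: {}
YML
# Confirm the issuer exists and is Ready.
kubectl get clusterissuer
kubectl get clusterissuer selfsigned-cert-signer -o=yaml|yq -P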
|
Cert Manager » Webhook » Fixes
|
Cert Manager » Rollout |
|---|
# Restart all three cert-manager components (controller, admission webhook, CA injector).
# A rollout restart replaces the pods without changing the Deployment spec.
kubectl -n cert-manager rollout restart deployment cert-manager
kubectl -n cert-manager rollout restart deployment cert-manager-webhook
kubectl -n cert-manager rollout restart deployment cert-manager-cainjector
|
# Webhook TLS recovery: drop the webhook CA secret and restart the webhook so a fresh CA and
# serving certificate are generated (presumably by the webhook itself — confirm against the
# cert-manager docs for the pinned version). Expect a brief window in which cert-manager
# admission calls fail until the new caBundle is injected.
kubectl -n cert-manager delete secret cert-manager-webhook-ca
kubectl -n cert-manager rollout restart deployment cert-manager-webhook
# Check that the ValidatingWebhookConfiguration picked up the new CA bundle.
kubectl get ValidatingWebhookConfiguration cert-manager-webhook
|
Playground
|
Playground | |
|---|---|
# Older chart versions used while experimenting; the Install section above pins v1.19.1.
# `helm upgrade -i` is the same idempotent install-or-upgrade form used there.
helm install -n cert-manager cert-manager jetstack/cert-manager --version v1.14.7
helm upgrade -n cert-manager -i cert-manager jetstack/cert-manager --version v1.15.1
helm show values jetstack/cert-manager --version v1.15.1|less
| |
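# Resolve the first pod of each component by label. Assignment and export are separated so a
# failing kubectl or jq is not masked by `export` always succeeding (ShellCheck SC2155).
# jq prints the literal string "null" when no pod matched the label, so check the values
# before using them.
CERT_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=cert-manager' -o json|jq -r '.items[0].metadata.name')
CA_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=cainjector' -o json|jq -r '.items[0].metadata.name')
HOOK_POD_NAME=$(kubectl -n cert-manager get pod -l 'app.kubernetes.io/name=webhook' -o json|jq -r '.items[0].metadata.name')
export CERT_POD_NAME CA_POD_NAME HOOK_POD_NAME
# Interactive shells in the running containers, addressed via the Service or the resolved pod.
kubectl exec -n cert-manager -it svc/cert-manager-webhook -c cert-manager-webhook -- bash
kubectl exec -n cert-manager -it svc/cert-manager -c cert-manager-controller -- bash
kubectl exec -n cert-manager -it svc/cert-manager -c init -- bash
# Quoted and `:?`-guarded so an empty variable aborts instead of exec'ing into nothing.
kubectl -n cert-manager exec -it "${CERT_POD_NAME:?CERT_POD_NAME is not set}" -- bash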
| |
# Print each kubeconfig with all referenced files (client certificates, keys, CA data) inlined.
# The flattened output therefore contains live cluster credentials: treat it as a secret and
# keep it out of tickets, chat logs and wiki pages.
kubectl config --kubeconfig=${HOME}/.kube/aws-kubeconfig.yaml view --flatten
kubectl config --kubeconfig=${HOME}/.kube/dev-kubeconfig.yaml view --flatten
kubectl config --kubeconfig=${HOME}/.kube/gcp-kubeconfig.yaml view --flatten
kubectl config --kubeconfig=${HOME}/.kube/config view --flatten
| |
# Playground teardown — destructive; make sure KUBECONFIG points at the intended cluster.
# `all` is a resource category, not literally every kind, so Ingress and StatefulSet objects
# are deleted explicitly (presumably because the category does not cover them — confirm).
kubectl delete all --all -n cert-manager
kubectl delete ing --all -n cert-manager
kubectl delete sts --all -n cert-manager
|
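# Playground teardown, continued. Services and PVCs are namespaced, so --all is scoped by -n.
kubectl delete svc --all -n cert-manager
kubectl delete pvc --all -n cert-manager
# PersistentVolumes are cluster-scoped: the previous `kubectl delete pv --all -n cert-manager`
# silently ignored -n and would have deleted EVERY PV in the cluster. Only remove volumes
# whose claim lived in cert-manager; claimRef survives PVC deletion, so Released volumes are
# still matched. PVs without a claimRef are left alone.
kubectl get pv -o json \
  | jq -r '.items[] | select(.spec.claimRef.namespace == "cert-manager") | .metadata.name' \
  | while IFS= read -r pv; do
      kubectl delete pv "$pv"
    done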
|
# Deployment lifecycle for the controller: show revision history, trigger a restart, then
# block until the new pods are ready (status exits non-zero if the rollout fails).
kubectl rollout -n cert-manager history deploy cert-manager
kubectl rollout -n cert-manager restart deploy cert-manager
kubectl rollout -n cert-manager status deploy cert-manager
|
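# Follow the logs of the three components; the *_POD_NAME variables come from the Playground
# block that resolves pod names by label. Quoted and `:?`-guarded so an unset variable aborts
# with a message instead of turning the command into `kubectl logs -f` with no pod.
kubectl logs -n cert-manager -f "${CERT_POD_NAME:?CERT_POD_NAME is not set}"
kubectl logs -n cert-manager -f "${HOOK_POD_NAME:?HOOK_POD_NAME is not set}"
kubectl logs -n cert-manager -f "${CA_POD_NAME:?CA_POD_NAME is not set}"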
|
References
|
References | ||
|---|---|---|