cert-manager
cert-manager is an automation tool to manage and issue TLS certificates from various issuing resources in a Kubernetes native way. It ensures that certificates are valid and attempts to renew them before expiry.
This package deploys cert-manager to be used with Let's Encrypt as the Certificate Authority.
Requirements
- Kubernetes 1.20->1.25
- Kustomize >= v3.5.3
Image repository and tag
- Cert Manager image: quay.io/jetstack/cert-manager-controller:v1.10.0
- Cert Manager repo: https://github.com/jetstack/cert-manager
- Cert Manager documentation: https://cert-manager.io/docs/
Configuration
cert-manager is deployed with the following configuration:
- The default issuer kind is ClusterIssuer
- The default issuer is letsencrypt
Deployment
To deploy the cert-manager package:
- Add the package to your bases inside the Furyfile.yml:
resources:
  - name: ingress/dual-nginx
    version: "v1.13.1"
  - name: ingress/cert-manager
    version: "v1.13.1"
- Execute furyctl vendor -H to download the packages
- Inspect the downloaded packages under ./vendor/katalog/ingress/cert-manager.
- Define a kustomization.yaml that includes the ./vendor/katalog/ingress/cert-manager directory as resource.
resources:
- ./vendor/katalog/ingress/cert-manager
For the dual-nginx you will need to patch the ClusterIssuer resource with the right ingress class:
---
patchesJson6902:
    - target:
          group: cert-manager.io
          version: v1
          kind: ClusterIssuer
          name: letsencrypt-staging
      path: patches/dual-nginx.yml
    - target:
          group: cert-manager.io
          version: v1
          kind: ClusterIssuer
          name: letsencrypt-prod
      path: patches/dual-nginx.yml
and in the patches/dual-nginx.yml:
---
- op: "replace"
  path: "/spec/acme/solvers/0/http01/ingress/class"
  value: "external"
- Finally, execute the following command to deploy the package:
kustomize build . | kubectl apply -f -
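A pre-apply check for the dual-nginx patch described above, as an added example that is not part of the package: it reads the rendered manifests and fails if any ClusterIssuer's http01 solver does not carry the expected ingress class, for example when one of the two patch targets was left out. The function name check_issuer_class is hypothetical, the sample manifest is constructed and trimmed, and the parsing assumes the block-style YAML that kustomize build prints.

```shell
# check_issuer_class EXPECTED: reads `kustomize build` output (block-style YAML)
# on stdin, prints "<issuer> <class>" per http01 ingress solver, returns 1 if a
# ClusterIssuer has a different class or none. Hypothetical helper name.
check_issuer_class() {
  awk -v want="$1" '
    function report(  i) {
      if (kind == "ClusterIssuer") {
        if (n == 0) { print name, "<none>"; bad = 1 }
        for (i = 1; i <= n; i++) { print name, cls[i]; if (cls[i] != want) bad = 1 }
      }
      kind = ""; name = ""; n = 0; in_meta = 0; in_ing = 0
    }
    /^---/        { report(); next }                 # document boundary
    /^kind:/      { kind = $2 }
    /^[A-Za-z]/   { in_meta = ($1 == "metadata:") }  # track top-level key
    in_meta && /^  name:/ { name = $2 }
    /^ +ingress:/ { in_ing = ($2 == ""); next }      # skip inline "ingress: {}"
    in_ing && /^ +class:/ { gsub(/"/, "", $2); cls[++n] = $2; in_ing = 0 }
    END { report(); exit (bad ? 1 : 0) }
  '
}

# Constructed sample (trimmed ClusterIssuers): only letsencrypt-prod is patched.
SAMPLE='apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    solvers:
    - http01:
        ingress:
          class: external'

# Against the real build: kustomize build . | check_issuer_class external
printf '%s\n' "$SAMPLE" | check_issuer_class external || echo "class mismatch: fix the patch before applying"
```

An issuer left on the wrong ingress class keeps its HTTP-01 challenge Ingress on a controller that may not be reachable from Let's Encrypt, so issuance and renewal stall.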