Get cert-manager v1.10.0 from github.com/cert-manager/cert-manager/releases/tag/v1.10.0
# Download the yaml
╰─ wget https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
╰─ ls
ReadMe.md cert-manager.yaml
╰─ cat cert-manager.yaml| wc -l
5518
- Deploy cert-manager
╰─ kubectl apply -f cert-manager.yaml
# Did it work or what?
╰─ kubectl get all -n cert-manager
NAME READY STATUS RESTARTS AGE
pod/cert-manager-6dc4964c9-jd6mq 1/1 Running 0 7m57s
pod/cert-manager-cainjector-69d4647c6-mhvvf 1/1 Running 0 7m57s
pod/cert-manager-webhook-75f77865c8-52jk4 1/1 Running 0 7m57s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cert-manager ClusterIP 10.96.236.95 <none> 9402/TCP 7m57s
service/cert-manager-webhook ClusterIP 10.96.250.149 <none> 443/TCP 7m57s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/cert-manager 1/1 1 1 7m57s
deployment.apps/cert-manager-cainjector 1/1 1 1 7m57s
deployment.apps/cert-manager-webhook 1/1 1 1 7m57s
NAME DESIRED CURRENT READY AGE
replicaset.apps/cert-manager-6dc4964c9 1 1 1 7m57s
replicaset.apps/cert-manager-cainjector-69d4647c6 1 1 1 7m57s
replicaset.apps/cert-manager-webhook-75f77865c8 1 1 1 7m57s
# Okay it did
You can download the ingress controller from github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.4.0
# Deploy from downloaded dir
╰─ ls
ReadMe.md cert-manager.yaml ingress-nginx-controller-v1.4.0 ingress-nginx-controller-v1.4.0.zip
╰─ find . -name deploy.yaml | grep cloud
./ingress-nginx-controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
# The same file is also available as raw content https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
╰─ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
## See if it's working
╰─ kubectl get all -n ingress-nginx
NAME READY STATUS RESTARTS AGE
pod/ingress-nginx-admission-create-7blsw 0/1 Completed 0 2m18s
pod/ingress-nginx-admission-patch-58bm7 0/1 Completed 0 2m18s
pod/ingress-nginx-controller-7844b9db77-kptln 1/1 Running 0 2m18s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx-controller LoadBalancer 10.96.54.164 <pending> 80:32367/TCP,443:31957/TCP 2m18s
service/ingress-nginx-controller-admission ClusterIP 10.96.13.5 <none> 443/TCP 2m18s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/ingress-nginx-controller 1/1 1 1 2m18s
NAME DESIRED CURRENT READY AGE
replicaset.apps/ingress-nginx-controller-7844b9db77 1 1 1 2m18s
NAME COMPLETIONS DURATION AGE
job.batch/ingress-nginx-admission-create 1/1 18s 2m18s
job.batch/ingress-nginx-admission-patch 1/1 19s 2m18s
$ kubectl get svc
ingress-nginx ingress-nginx-controller LoadBalancer 10.48.14.196 34.66.238.103 80:31487/TCP,443:30253/TCP 62s
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.48.7.20 <none> 443/TCP
# Let's point our domain at this external IP with a DNS A record
$ nslookup testcertmanager.ankitrathi.info
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: testcertmanager.ankitrathi.info
Address: 34.66.238.103
- Create a ClusterIssuer for Let's Encrypt (ACME), see cert-manager.io/docs/configuration/acme/
- Apply the changes
╰─ kubectl apply -f cluster-issuer.yaml
clusterissuer.cert-manager.io/letsencrypt-staging created
╰─ kubectl get ClusterIssuer
NAME READY AGE
letsencrypt-staging False 53s
## Make sure you replace the email with a valid address; the issuer stays READY=False until cert-manager has registered the ACME account
╰─ cat cluster-issuer.yaml| grep email
# You must replace this email address with your own.
email: [email protected]
- Let's deploy a sample application like traefik/whoami
╰─ kubectl apply -f dep-whoami.yaml
deployment.apps/whoami created
╰─ kubectl get pods
NAME READY STATUS RESTARTS AGE
whoami-5dfdf459f4-4nzcd 1/1 Running 0 64s
╰─ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
whoami 1/1 1 1 3m7s
- Let's expose the deployment using a Service
$ kubectl apply -f svc.yaml
service/whoami created
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.48.0.1 <none> 443/TCP 50m
whoami NodePort 10.48.3.74 <none> 80:32210/TCP 35s
- Create an Ingress (see the ingress-nginx docs, configuration/ingress-resources/basic-configuration), at first without the tls section enabled
$ kubectl apply -f ingress.yaml
ingress.networking.k8s.io/whoami-ingress created
- Create a Certificate resource, see cert-manager.io/docs/concepts/certificate
$ kubectl apply -f certificate.yaml
$ kubectl get certificate
NAME READY SECRET AGE
acme-crt False tls-secret 14s
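The three manifests this walkthrough applies (cluster-issuer.yaml, certificate.yaml and ingress.yaml with its tls section) are not shown on the page; the block below is an added reconstruction using the resource names the kubectl output shows, not the author's own files. The email, the ACME account-key Secret name and the pathType are assumptions.

```yaml
# cluster-issuer.yaml: staging directory, so mistakes do not burn production rate limits
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: you@example.com          # placeholder, must be a real mailbox
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # assumed name for the ACME account key Secret
    solvers:
    - http01:
        ingress:
          class: nginx   # cert-manager adds a temporary cm-acme-http-solver Ingress for /.well-known/acme-challenge/
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-crt
spec:
  secretName: tls-secret            # private key and signed cert are written here
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - testcertmanager.ankitrathi.info
---
# ingress.yaml with the tls section, so ingress-nginx serves HTTPS from that Secret
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - testcertmanager.ankitrathi.info
    secretName: tls-secret
  rules:
  - host: testcertmanager.ankitrathi.info
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: whoami
            port:
              number: 80
```

A certificate from the staging directory is not trusted by browsers or curl; switch the server to https://acme-v02.api.letsencrypt.org/directory once the flow works (the R3 issuer in the curl output further down is the production CA).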
$ kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
cm-acme-http-solver-7qlr4 <none> testcertmanager.ankitrathi.info 34.66.238.103 80 16s
whoami-ingress <none> testcertmanager.ankitrathi.info 34.66.238.103 80, 443 83s
$ kubectl describe ingress cm-acme-http-solver-7qlr4
Name: cm-acme-http-solver-7qlr4
Labels: acme.cert-manager.io/http-domain=3409775745
acme.cert-manager.io/http-token=1157435119
acme.cert-manager.io/http01-solver=true
Namespace: default
Address: 34.66.238.103
Ingress Class: <none>
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
testcertmanager.ankitrathi.info
/.well-known/acme-challenge/jfTh_C4Dr_l-n6UUZUUzYkpU32xSJS-xFpzbWn6oYKw cm-acme-http-solver-fhkr2:8089 (10.44.0.17:8089)
Annotations: kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 21s (x2 over 23s) nginx-ingress-controller Scheduled for sync
$ kubectl get certificate
NAME READY SECRET AGE
acme-crt True tls-secret 48s
- curl request
$ curl -v https://testcertmanager.ankitrathi.info/test
* Trying 34.66.238.103:443...
* Connected to testcertmanager.ankitrathi.info (34.66.238.103) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=testcertmanager.ankitrathi.info
* start date: Nov 6 12:53:49 2022 GMT
* expire date: Feb 4 12:53:48 2023 GMT
* subjectAltName: host "testcertmanager.ankitrathi.info" matched cert's "testcertmanager.ankitrathi.info"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5640b2aaa2c0)
> GET /test HTTP/2
> Host: testcertmanager.ankitrathi.info
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Sun, 06 Nov 2022 13:59:33 GMT
< content-type: text/plain; charset=utf-8
< content-length: 443
< strict-transport-security: max-age=15724800; includeSubDomains
<
Hostname: whoami-5b69cdcd49-dppb4
IP: 127.0.0.1
IP: 10.44.0.16
RemoteAddr: 10.44.0.15:58034
GET /test HTTP/1.1
Host: testcertmanager.ankitrathi.info
User-Agent: curl/7.74.0
Accept: */*
X-Forwarded-For: 35.204.200.191
X-Forwarded-Host: testcertmanager.ankitrathi.info
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Scheme: https
X-Real-Ip: 35.204.200.191
X-Request-Id: 8721f6ff5af0e5ade81015554ef8f443
X-Scheme: https
* Connection #0 to host testcertmanager.ankitrathi.info left intact
- Browser request