In this article, I’ll briefly describe how to get an SSL certificate with HTTP01 validation and a wildcard certificate with DNS01 validation, using AWS as the example.
So we already have an ingress controller and Helm set up for our k8s cluster, and we want to get certificates for the domain dummy.example.com.
Let’s install cert-manager using HELM:
helm install --namespace kube-system -n cert-manager stable/cert-manager
If you prefer to use the latest chart version for cert-manager you can follow the instructions here.
For issuing certificates we need to have at least one Issuer or ClusterIssuer. The difference between them is that an Issuer works only inside one namespace, whereas a ClusterIssuer works globally for the whole cluster.
Let’s create ClusterIssuer:
cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: devops@example.com
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF
What’s there:
le-clusterissuer — ClusterIssuer name
devops@example.com — mailbox for receiving emails from Let’s Encrypt
http01: {} — validation method
After creating the ClusterIssuer we can check its status:
kubectl describe clusterissuer le-clusterissuer -n kube-system | egrep "Status|Message"
Status:
Message: The ACME account was registered with the ACME server
Status: True
So now we have ClusterIssuer, and we can create new certificates.
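The same two checks, done over structured data instead of grepping `kubectl describe` output: a lint of the ClusterIssuer spec before it is applied (ACME server over HTTPS, a contact mailbox, a private key secret name, and at least one validation method), and an evaluation of the Ready condition from `kubectl get clusterissuer -o json`. This is an added example and not cert-manager's own code; the manifest dict and the status document are constructed to mirror the article, and the ACME account URI in it is a placeholder.

```python
"""Lint a cert-manager ClusterIssuer spec and evaluate its Ready condition.

Added example, not cert-manager code. The manifest and the status document
below are constructed to mirror the article (hypothetical values).
"""
import json

# Constructed: the ClusterIssuer from the article, as a Python dict
CLUSTER_ISSUER = {
    "apiVersion": "certmanager.k8s.io/v1alpha1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "le-clusterissuer"},
    "spec": {
        "acme": {
            "server": "https://acme-v02.api.letsencrypt.org/directory",
            "email": "devops@example.com",
            "privateKeySecretRef": {"name": "le-clusterissuer"},
            "http01": {},
        }
    },
}

# Constructed: what `kubectl get clusterissuer le-clusterissuer -o json`
# returns once the ACME account is registered (trimmed to the status part;
# the account URI is a placeholder)
STATUS_JSON = json.dumps({
    "apiVersion": "certmanager.k8s.io/v1alpha1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "le-clusterissuer"},
    "status": {
        "acme": {"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER"},
        "conditions": [{
            "type": "Ready",
            "status": "True",
            "reason": "ACMEAccountRegistered",
            "message": "The ACME account was registered with the ACME server",
        }],
    },
})


def lint_issuer(obj):
    """Return a list of problems with an ACME ClusterIssuer spec (empty list = OK)."""
    problems = []
    if obj.get("kind") != "ClusterIssuer":
        problems.append("kind must be ClusterIssuer")
    acme = obj.get("spec", {}).get("acme")
    if acme is None:
        return problems + ["spec.acme is missing"]
    # The ACME directory must be fetched over TLS, otherwise the account
    # registration and challenge exchange could be tampered with in transit
    if not str(acme.get("server", "")).startswith("https://"):
        problems.append("spec.acme.server must be an https:// URL")
    if "@" not in str(acme.get("email", "")):
        problems.append("spec.acme.email must be a mailbox address")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        problems.append("spec.acme.privateKeySecretRef.name is required")
    if not any(k in acme for k in ("http01", "dns01")):
        problems.append("no validation method: set spec.acme.http01 or spec.acme.dns01")
    return problems


def issuer_ready(status_json):
    """Parse `kubectl get clusterissuer ... -o json` output; return (ready, message)."""
    obj = json.loads(status_json)
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Ready condition reported yet"


if __name__ == "__main__":
    print("lint:", lint_issuer(CLUSTER_ISSUER) or "OK")
    print("ready:", issuer_ready(STATUS_JSON))
```

To run it against a live cluster, replace STATUS_JSON with the output of `kubectl get clusterissuer le-clusterissuer -o json`; a missing Ready condition means cert-manager has not finished registering the ACME account yet, which is worth distinguishing from an explicit `status: False`.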
#aws #kubernetes #lets-encrypt #cert-manager #ssl