How to set up Cert-manager in your cluster

Dikshant Rai, published in DevOps.dev, Jul 23, 2023

Introduction: As organisations migrate their applications to Kubernetes, the need for secure communication becomes paramount. SSL/TLS certificates play a crucial role in ensuring encrypted and authenticated communication between services. However, managing certificates across multiple services and environments can be challenging. This is where Cert-Manager, a popular Kubernetes add-on, comes to the rescue. In this blog, we will explore what Cert-Manager is and its benefits, and provide step-by-step installation instructions to get you started.

What is Cert-Manager? Cert-Manager is an open-source certificate management tool specifically designed for Kubernetes. It automates the issuance, renewal, and revocation of SSL/TLS certificates, making the process seamless and hassle-free. With Cert-Manager, you can ensure that all your services are secured with valid certificates without manual intervention.

Benefits of Cert-Manager:

  1. Automated Certificate Management: Cert-Manager automates the process of requesting, validating, and renewing certificates, saving significant time and effort for DevOps teams.
  2. Integration with Let’s Encrypt: Cert-Manager seamlessly integrates with Let’s Encrypt, a free and widely trusted certificate authority, enabling you to obtain certificates without any additional cost.
  3. Kubernetes Native: Cert-Manager follows the Kubernetes native approach, utilizing Custom Resource Definitions (CRDs) to manage certificates, making it a natural fit in your Kubernetes ecosystem.
  4. Multiple Certificate Issuers: It supports various certificate issuers, such as Let’s Encrypt, self-signed certificates, and more, giving you the flexibility to choose the most suitable option for your requirements.
  5. Ingress Controller Integration: Cert-Manager works seamlessly with popular Ingress controllers like Nginx, Traefik, and others, allowing easy certificate provisioning for your Kubernetes services.

Now, let's start with the installation of Cert-Manager.

Installing Cert-Manager: Let’s dive into the step-by-step installation process for Cert-Manager:

Prerequisites: Before proceeding with the installation, ensure the following prerequisites are met:

  1. A running Kubernetes cluster (1.16 or later).
  2. kubectl command-line tool installed and configured to access your Kubernetes cluster.

Step 1: Install the Cert-Manager CRDs: The first step is to install the Custom Resource Definitions (CRDs) required by Cert-Manager. These CRDs define the necessary resources for managing certificates.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.crds.yaml

Step 2: Add Cert-Manager Helm Repository: Cert-Manager can be easily installed using Helm, a package manager for Kubernetes.

helm repo add jetstack https://charts.jetstack.io
helm repo update

Step 3: Install Cert-Manager with Helm. To have Helm install and manage the CRDs as part of the release, add the --set installCRDs=true flag to the install command (uncomment the relevant line below). Use one method only: if you already applied the CRD manifest in Step 1, leave the flag commented out, otherwise Helm will fail because the CRDs already exist and are not owned by the release.

Note that if you are using a Helm version built against Kubernetes v1.18 or below (Helm v3.2), installCRDs will not work with cert-manager v0.16.

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.12.2 \
  # --set installCRDs=true

Step 4: Once the chart is installed, check that the three cert-manager pods (cert-manager, cert-manager-cainjector and cert-manager-webhook) are Running in the cert-manager namespace:

kubectl get pods -n cert-manager

Step 5: Create a ClusterIssuer. Save the manifest below as a YAML file and apply it with kubectl apply -f. The issuer references a Secret holding the AWS secret access key, which is created in the command shown after the manifest.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod   # ClusterIssuer is cluster-scoped, so it takes no namespace
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: dikshant@test.com
    privateKeySecretRef:
      name: letsencrypt-prod   # ACME account key, stored in the cert-manager namespace
    solvers:
    - selector:
        dnsZones:
        - "test.dikshant.com"
      dns01:
        route53:
          region: ap-south-1
          accessKeyID: "access key of custom AWS User"
          secretAccessKeySecretRef:
            name: aws-route53-secret-key   # Secret created in the command below
            key: secret.txt

Note: This solver applies only if your DNS zone is hosted in Route 53. For any other DNS provider, configure the matching DNS-01 solver for that provider so cert-manager can publish the ACME challenge record.

Run the following before applying the Step 5 manifest. It stores the AWS secret access key in a Kubernetes Secret so the key is not hard-coded in the ClusterIssuer; the IAM user should be limited to the Route 53 permissions cert-manager needs for that hosted zone.

printf '%s' "${AWS_SECRET_ACCESS_KEY}" > secret.txt   # secret access key of the custom AWS user, no trailing newline
kubectl create secret generic aws-route53-secret-key --from-file=secret.txt -n cert-manager
# Creates a Secret named aws-route53-secret-key in the cert-manager namespace with the key secret.txt,
# matching secretAccessKeySecretRef in the ClusterIssuer above.
rm secret.txt   # do not leave the key on disk

Step 6: Create a Certificate. We will use the resulting TLS Secret in our Istio gateway, but the same Secret can be used with any other ingress controller.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: istio-system   # the TLS Secret is created in this namespace
spec:
  secretName: wildcard-cert-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: 'test.dikshant.com'
  dnsNames:
  - 'test.dikshant.com'

Step 7: Once the certificate is issued, the Secret wildcard-cert-tls appears in the istio-system namespace. Reference that Secret in your ingress TLS configuration. We are using Istio, so we reference it from our Gateway.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-ingressgateway
  namespace: istio-system
spec:
  selector:
    istio: ingress # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true   # redirect plain HTTP to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "test.dikshant.com" # this will be your domain that you use in cert-manager
    tls:
      mode: SIMPLE
      credentialName: wildcard-cert-tls   # secretName from the Certificate; must be in the gateway's namespace
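The ClusterIssuer, Secret, Certificate and Gateway above only work when their names line up (the Secret name and key in the issuer, the issuerRef in the Certificate, and the credentialName in the Gateway). The following is an added example, not code from the original post: a static cross-reference check over those manifests, embedded as Python dicts with the same fields so it runs without a cluster or a YAML library. It assumes cert-manager runs in the cert-manager namespace, which is where a ClusterIssuer looks up its Secrets.

```python
CLUSTER_RESOURCE_NS = "cert-manager"  # assumed: namespace cert-manager was installed into

# Constructed from the manifests in Steps 5-7; the Secret mirrors what Step 5's kubectl creates.
RESOURCES = [
    {"kind": "Secret", "metadata": {"name": "aws-route53-secret-key", "namespace": "cert-manager"},
     "data": {"secret.txt": "<base64-placeholder>"}},
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
     "spec": {"acme": {"solvers": [{"dns01": {"route53": {
         "secretAccessKeySecretRef": {"name": "aws-route53-secret-key", "key": "secret.txt"}}}}]}}},
    {"kind": "Certificate", "metadata": {"name": "wildcard-cert", "namespace": "istio-system"},
     "spec": {"secretName": "wildcard-cert-tls",
              "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}},
    {"kind": "Gateway", "metadata": {"name": "test-ingressgateway", "namespace": "istio-system"},
     "spec": {"servers": [{"port": {"number": 443},
                           "tls": {"mode": "SIMPLE", "credentialName": "wildcard-cert-tls"}}]}},
]


def check_references(resources):
    """Return a list of dangling references; an empty list means the chain is consistent."""
    by_kind = {}
    for r in resources:
        md = r["metadata"]
        by_kind.setdefault(r["kind"], {})[(md.get("namespace"), md["name"])] = r
    problems = []
    # ClusterIssuer -> Secret: the DNS-01 credential must exist in the cluster resource namespace
    for (_, name), ci in by_kind.get("ClusterIssuer", {}).items():
        for solver in ci["spec"]["acme"].get("solvers", []):
            ref = solver.get("dns01", {}).get("route53", {}).get("secretAccessKeySecretRef")
            if not ref:
                continue
            secret = by_kind.get("Secret", {}).get((CLUSTER_RESOURCE_NS, ref["name"]))
            if secret is None:
                problems.append(f"ClusterIssuer/{name}: Secret {ref['name']} not found in {CLUSTER_RESOURCE_NS}")
            elif ref["key"] not in secret.get("data", {}):
                problems.append(f"ClusterIssuer/{name}: Secret {ref['name']} has no key {ref['key']}")
    # Certificate -> ClusterIssuer, and Gateway -> a Certificate's secretName in the same namespace
    cert_secrets = set()
    for (ns, name), cert in by_kind.get("Certificate", {}).items():
        ref = cert["spec"]["issuerRef"]
        if ref.get("kind") == "ClusterIssuer" and (None, ref["name"]) not in by_kind.get("ClusterIssuer", {}):
            problems.append(f"Certificate/{name}: ClusterIssuer {ref['name']} not found")
        cert_secrets.add((ns, cert["spec"]["secretName"]))
    for (ns, name), gw in by_kind.get("Gateway", {}).items():
        for server in gw["spec"].get("servers", []):
            cred = server.get("tls", {}).get("credentialName")
            if cred and (ns, cred) not in cert_secrets:
                problems.append(f"Gateway/{name}: no Certificate in {ns} writes Secret {cred}")
    return problems
```

Renaming the Secret (for example to aws-route53-creds) without updating the issuer, or pointing the Gateway at the Certificate name instead of its secretName, is reported as a dangling reference.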

Step 8: Verify the certificate.

Note: To check the status of the certificate being issued, run the command below. If READY shows True, the certificate has been issued.

kubectl get certificate -n istio-system

NAME            READY   SECRET              AGE
wildcard-cert   True    wildcard-cert-tls   2d3h
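The READY column alone does not say why a certificate is stuck or how close an issued one is to expiry. As an added example, not code from the original post, the function below interprets the output of kubectl get certificate -n istio-system wildcard-cert -o json: it reads the Ready and Issuing conditions and compares notAfter with the current time, so a certificate that is Ready but was not renewed is flagged. The two JSON objects are constructed samples shaped like cert-manager's status block.

```python
import json
from datetime import datetime, timezone

# Constructed sample: status of a healthy, issued Certificate.
ISSUED = json.loads("""{
  "metadata": {"name": "wildcard-cert", "namespace": "istio-system"},
  "spec": {"secretName": "wildcard-cert-tls", "dnsNames": ["test.dikshant.com"]},
  "status": {
    "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                    "message": "Certificate is up to date and has not expired"}],
    "notBefore": "2023-07-23T09:00:00Z", "notAfter": "2023-10-21T09:00:00Z",
    "renewalTime": "2023-09-21T09:00:00Z"}}""")

# Constructed sample: a Certificate whose first issuance has not completed yet.
PENDING = json.loads("""{
  "metadata": {"name": "wildcard-cert", "namespace": "istio-system"},
  "spec": {"secretName": "wildcard-cert-tls", "dnsNames": ["test.dikshant.com"]},
  "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"},
    {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"}]}}""")


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps cert-manager writes into the status."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate_status(cert, now, warn_days=7):
    """Return (healthy, detail) for one Certificate object.

    Not Ready -> the Issuing condition (or Ready itself) carries the reason.
    Ready but within warn_days of notAfter -> renewal is not happening; cert-manager
    normally renews at renewalTime, well before expiry.
    """
    conds = {c["type"]: c for c in cert.get("status", {}).get("conditions", [])}
    ready = conds.get("Ready", {})
    name = f"{cert['metadata']['namespace']}/{cert['metadata']['name']}"
    if ready.get("status") != "True":
        cond = conds.get("Issuing", ready)
        return False, f"{name}: not ready ({cond.get('reason')}): {cond.get('message')}"
    days_left = (parse_ts(cert["status"]["notAfter"]) - now).days
    if days_left < warn_days:
        return False, f"{name}: ready but expires in {days_left} days; renewal is not happening"
    return True, f"{name}: ready, expires in {days_left} days, renewal due {cert['status']['renewalTime']}"
```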

Conclusion:

Cert-Manager is a powerful tool that simplifies the management of SSL/TLS certificates in Kubernetes. By automating certificate provisioning and renewal, it ensures your applications communicate securely and reliably. In this blog, we covered the benefits of Cert-Manager and provided a step-by-step guide for its installation and usage. Implementing Cert-Manager in your Kubernetes cluster can significantly enhance your infrastructure’s security while reducing the operational burden on your DevOps team.

I hope this article was informative to you. I would like to hear your thoughts on this post. If you wish to share your opinion about this article, let’s connect and start a conversation on LinkedIn — Dikshant Rai.