Jetstack Cert-Manager

Jetstack Cert-Manager

December 2, 2019 0 By Eric Shanks

One of my least favorite parts of computers is dealing with certificate creation. In fact, ya know those tweets about what you’d tweet if you were kidnapped and didn’t want to tip off the kidnapers?

Yeah, I’d tweet about how I love working with certificates. They are just not a fun thing for me. So when I found a new project where I needed certificates created, I was not really excited.

What I found though, was a neat little project called jetstack cert-manager, that will automatically create and apply certificates to Kubernetes resources and it was really simple to setup and use.

Overview

Cert-manager is a Kubernetes add on that works with a variety of issuers including Hashicorp Vault and LetsEncrypt Certificate Authorities. You can use this to create your own certificates by issuing kubectl commands, but an even more powerful way to use it is to have it automatically create certificates when an ingress resource is deployed.

When a new ingress resources is created to pass traffic through a reverse proxy, cert-manager responds by requesting a new certificate and validates it with the CA, then applies the certificate to secure your traffic. So in a sense, you can set this up one time, and then have all your web servers protected with an SSL cert just by adding a couple of lines to your ingress resources.

Let’s see it in action in my AWS cluster using the LetsEncrypt. We’ll deploy cert-manager and issue a staging cert which is a temporary cert to make sure things are working properly, and then later a production certificate which is fully trusted by most browsers.

Prerequisites

Before we deploy cert-manager, let’s get some basics setup and configured. We’ll need an ingress resource that is available on the Internet so that LetsEncrypt can issue the http-01 or dns-01 challenges to validate the domain names. We’ll also need an ingress controller and obviously a Kubernetes cluster with some capacity in it for our resources.

Here is a snapshot of the lab I’ll be working with:

Install Cert-Manager

The installation of cert-manager is pretty simple. We need to apply a couple of manifests.

First we’ll create a new namespace where the cert-manager resources will live.

Next up, its time to deploy cert-manager.

I don’t want to minimize the work we’ve done here, but the deployment is pretty much done. You can see if everything looks ok by running:

There should be a list of pods and services similar the the example below.

Configure Cert-Manager

Now we need to configure cert-manager to issue new certificates. We do this by deploying issuers. There are two type of issuers: Issuers and ClusterIssuers. Just like with Roles and ClusterRoles, the difference is the scope in which they work. Since I want to be able to share this service across namespaces, I’ll be deploying cluster issuers. The ClusterIssuer used in my cluster is shown below. You may notice that there are two different issuers being deployed. We’ll use staging first which has a more lenient rate limit, and production when we’ve got it working.

Deploy the manifest with the apply command:

kubectl apply -f [manifest file].yaml

Once deployed, you should be able to query them through kubectl.

If you want to go one level deeper, run a kubectl describe on the ClusterIssuers. You should see that the account was registered correctly.

Deploy Staging App

In this part of the post, I’m deploying a custom app of mine that has a backend database and things that aren’t shown here. However, the app pieces are shown below and your own app should work with the cert-manager additions.

In this phase we’ll first deploy our web app and make sure we can get a certificate installed, even if it isn’t a trusted cert.

Here is the app manifest I’m deploying, complete with the ingress rules needed for cert-manager.

The main pieces of the above manifest are:

cert-manager.io/cluster-issuer: “letsencrypt-staging” – specify the ClusterIssuer

kubernetes.io/ingress.class: contour – change based on your ingress controller in use.

host: hollowapp.theithollowlab.com – change to your own DNS name.

secretName: hollowapp-tls-stage – a secret name meaningful to you. This is where your app will store the certificate returned by cert-manager.

Apply your app manifest and wait a moment or two before checking the https://URL. It does take a little time for LetsEncrypt to validate the VM and provide the appropriate certificate information. You can see that my https site came up, although the certificate is not valid, as seen by the “Not Secure” moniker.

Now that our test certificate worked, let’s change the issuer requested in our ingress manifest to use the production ClusterIssuer instead of staging. Re-apply that manifest and again wait a moment before the certificates are applied. Here we can see that a fully trusted certificate was automatically applied to my app.

Summary

Jetstack cert-manager is a pretty simple solution to install in your Kubernetes cluster that will automatically add new certificates for your ingress resources. The ingress resource gets applied with the proper specifications and cert-manager does the rest, to give you a fully trusted certificate. What exactly will you do with all the time you got back from not having to do certificate requests over and over again?