Installing Cert-Manager using Jetstack on Kubernetes Cluster

Introduction

Pada tutorial ini kita akan melakukan konfigurasi Cert-Manager Let’s Encrypt menggunakan Cert-manager. Cert-manager akan memudahkan kita untuk menggunakan certificate Let’s Encrypt. Pada tutorial ini kita hanya fokus untuk generate certificate Let’s Encrypt.

Reqruitment

Kubernetes Cluster
Helm
Ingress Controller (I’m using traefik)
Subdomain pointing to Traefik LB (I’m using stagging.cygnenoir.net)
Pod Nginx running (For testing cert using domain)

Installation

Install Using helm

Menambahkan repo helm jetstack

helm repo add jetstack https://charts.jetstack.io

helm repo add jetstack https://charts.jetstack.io

Check versi helm chart

helm search repo jetstack

helm search repo jetstack

Kita akan menggunakan cert-manager versi 1.19.0

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.19.0 \
  --set crds.enabled=true

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.19.0 \
  --set crds.enabled=true

Issuer ACME using stagging

Disini kita akan menggunakan issuer acme dan melakukan 2 tahap yaitu stagging dan production. Stagging berfungsi untuk mengetest instalasi cert terlebih dahulu karena untuk production itu ada rate limit request cert yang dimana untuk menghindari limit request cert. Jika sudah berhasil staggingnya, maka kita akan melakukan installasi production.

Kita akan menggunkana ClusterIssuer agar bisa digunakan pada seluruh namespace, jika ingin melakukan di spesifik namespace, bisa menggunakan Issuer.

Membuat file cluster-issuer-stagging.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-stagging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: zainun@cygnenoir.net
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          ingressClassName: traefik

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-stagging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: zainun@cygnenoir.net
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          ingressClassName: traefik

Setelah itu apply file tersebut

kubectl apply -f cluster-issuer-stagging.yaml

kubectl apply -f cluster-issuer-stagging.yaml

Sekarang kita membuat file cert-stagging.yaml untuk melakukan testing cert pada domain yang sudah disiapkan.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: stagging-cygnenoir-tls-stagging
  namespace: monitoring
spec:
  commonName: stagging.cygnenoir.net
  secretName: stagging-cygnenoir-tls-stagging
  dnsNames:
    - stagging.cygnenoir.net
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-stagging

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: stagging-cygnenoir-tls-stagging
  namespace: monitoring
spec:
  commonName: stagging.cygnenoir.net
  secretName: stagging-cygnenoir-tls-stagging
  dnsNames:
    - stagging.cygnenoir.net
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-stagging

Apply file tersebut kemudian kita cek status apakah sudah ready

kubectl apply -f cert-stagging.yaml
kubectl get cert -n monitoring stagging-cygnenoir-tls-stagging -o yaml

kubectl apply -f cert-stagging.yaml
kubectl get cert -n monitoring stagging-cygnenoir-tls-stagging -o yaml

Sekarang kita melakukan testing ingressroute menggunakan cert yang sudah dibuat dan apply file tersebut

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-ingress
  namespace: monitoring
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`stagging.cygnenoir.net`)
    kind: Rule
    services:
    - name: nginx-service
      port: 80
  tls:
    secretName: stagging-cygnenoir-tls-stagging

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-ingress
  namespace: monitoring
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`stagging.cygnenoir.net`)
    kind: Rule
    services:
    - name: nginx-service
      port: 80
  tls:
    secretName: stagging-cygnenoir-tls-stagging

Sekarang akses domain tersebut

Stagging sudah bisa digunakan, artinya kita sudah bisa deploy untuk production

Issuer ACME using Production

Buat file cluster-issuer-production.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: zainun@cygnenoir.net
    privateKeySecretRef:
      name: letsencrypt-prod-issuer-account-key
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          ingressClassName: traefik

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: zainun@cygnenoir.net
    privateKeySecretRef:
      name: letsencrypt-prod-issuer-account-key
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          ingressClassName: traefik

apply file tersebut

kubectl apply -f cluster-issuer-production.yaml

kubectl apply -f cluster-issuer-production.yaml

Sekarang kita membuat file cert-production.yaml untuk generate certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: stagging-cygnenoir-tls-production
  namespace: monitoring
spec:
  commonName: stagging.cygnenoir.net
  secretName: stagging-cygnenoir-tls-production
  dnsNames:
    - stagging.cygnenoir.net
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: stagging-cygnenoir-tls-production
  namespace: monitoring
spec:
  commonName: stagging.cygnenoir.net
  secretName: stagging-cygnenoir-tls-production
  dnsNames:
    - stagging.cygnenoir.net
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production

Kemudian apply file tersebut dan check cert tersebut

kubectl apply -f cert-production.yaml
kubectl get cert -n monitoring stagging-cygnenoir-tls-production -o yaml

kubectl apply -f cert-production.yaml
kubectl get cert -n monitoring stagging-cygnenoir-tls-production -o yaml

Sekarang kita melakukan testing ingressroute menggunakan cert yang sudah dibuat dan apply file tersebut

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-ingress
  namespace: monitoring
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`stagging.cygnenoir.net`)
    kind: Rule
    services:
    - name: nginx-service
      port: 80
  tls:
    secretName: stagging-cygnenoir-tls-production

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-ingress
  namespace: monitoring
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`stagging.cygnenoir.net`)
    kind: Rule
    services:
    - name: nginx-service
      port: 80
  tls:
    secretName: stagging-cygnenoir-tls-production

Check domain pada browser

Untuk certificate letsencrypt sudah bisa digunakan

Post Views: 13