Cert-manager git repo: it is recommended to read through the documentation.
Install
Use the Helm chart to deploy cert-manager into the K8s cluster in the cert-manager namespace (customizing the chart if needed), then verify that the deployment is healthy; see here.
Highlight Concepts
Issuers and ClusterIssuers: https://cert-manager.io/docs/concepts/issuer/
Issuer configuration, especially the ACME protocol, as we use the tarsier CA: https://cert-manager.io/docs/configuration/
Certificate resources: https://cert-manager.io/docs/usage/certificate/
Use Case
We use the Google tarsier CA and cert-manager to manage and renew certificates for ingresses; see secure ingress resources. Although it cannot work directly with Anthos MCI (multi-cluster ingress), the workaround is simple: manually create a Certificate resource to associate with the target TLS secret.
After cert-manager is deployed and running correctly, add the cert-manager supported annotations to the target ingress, for example:
  kind: Ingress
cert-manager will then automatically create a Certificate resource and start issuing the certificate. Note that you can create this resource manually in some scenarios: the TLS secret is used by multiple ingresses (no need to add annotations to each ingress), or Anthos MCI is used (it does not support cert-manager):
  apiVersion: cert-manager.io/v1
The spec.dnsNames field holds the Subject Alternative Names (SAN), which can have multiple entries; the Common Name (CN) is derived from the first item. Note that use of the CN is discouraged and deprecated, see here.
So this is actually a SAN certificate, not a CN (common name) certificate (as mentioned, the CN field is deprecated).
Describing it, you can examine the DNS names, condition and validity of the new certificate:
  Spec:
The certificate and key are stored in a K8s Secret resource. Once issuing is done, cert-manager manages this secret by adding specific annotations, for example:
  kind: Secret
If no secret exists, cert-manager will create one for you. Note that the old secret is overwritten every time a new certificate is issued.
Also note that deleting the Certificate will not delete the associated secret.
To decode the certificate content, use base64 and openssl. Usually there are multiple levels of certificates placed, from bottom to top (root CA, intermediate CA, then the certificate); select one to decode:
  echo <secret encode block> | base64 -d
Or decode online: https://www.sslshopper.com/certificate-decoder.html
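The same inspection can be done offline in one step, which also shows the SAN-versus-CN point made above. This is an added Go example, not code from this page or from the cert-manager project: InspectTLSCrt decodes the base64 tls.crt value of a Secret, walks the PEM chain and returns the leaf's CN, its SANs and the chain length; the certificate it inspects is constructed in memory (ConstructedTLSCrt), so no cluster is needed, and both function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InspectTLSCrt takes the base64 value of a Secret's data["tls.crt"] (as printed by
// `kubectl get secret -o yaml`), decodes it and walks every PEM block of the chain.
// It returns the leaf's CN and SANs plus the number of certificates; leaf comes first.
func InspectTLSCrt(b64 string) (cn string, sans []string, chainLen int, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", nil, 0, fmt.Errorf("tls.crt is not valid base64: %w", err)
	}
	var leaf *x509.Certificate
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", nil, 0, fmt.Errorf("block %d: %w", chainLen+1, err)
		}
		if leaf == nil {
			leaf = c // first block in the chain is the end-entity certificate
		}
		chainLen++
	}
	if leaf == nil {
		return "", nil, 0, fmt.Errorf("no PEM certificate blocks in tls.crt")
	}
	return leaf.Subject.CommonName, leaf.DNSNames, chainLen, nil
}

// ConstructedTLSCrt builds a self-signed SAN certificate in memory and base64-encodes it
// the way a Secret stores it: constructed test data, not a certificate from a real cluster.
func ConstructedTLSCrt(dnsNames []string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsNames[0]}, // CN from first SAN
		DNSNames:     dnsNames,
		NotBefore:    time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Feeding it the real value of `kubectl get secret <name> -o jsonpath='{.data.tls\.crt}'` gives the same summary for a cert-manager issued chain; a chain length above 1 tells you intermediates were bundled.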
In reverse, to encode a certificate for use in a secret:
  # -w 0: get rid of the newline; there may be a % character at the end, drop it.