...
Simply edit one of your ingress rules to add a single line: you'll need to point the `certmanager.k8s.io/cluster-issuer` annotation at the name of your ClusterIssuer.
For example, with `kubectl edit -n cis-dev ing cis-girder` I would add the following annotation:
cis-dev.ingress.yaml

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging  # <---- Add this line
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: cis-girder
  namespace: cis-dev
spec:
  rules:
  - host: dev.cis.ndslabs.org
    http:
      paths:
      - backend:
          serviceName: cis-girder
          servicePort: 80
        path: /
      - backend:
          serviceName: cis-girder
          servicePort: 8080
        path: /girder
      - backend:
          serviceName: cis-girder
          servicePort: 8080
        path: /static
      - backend:
          serviceName: cis-girder
          servicePort: 8080
        path: /api
  tls:
  - hosts:
    - dev.cis.ndslabs.org
    secretName: cis-tls-secret
```
...
dev.cis.ndslabs.org-certificate.yaml

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cis-tls-secretcert
spec:
  secretName: cis-tls-secret
  dnsNames:
  - dev.cis.ndslabs.org
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dev.cis.ndslabs.org
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
```
Then pass this file to `kubectl create`:

```bash
$ kubectl create -f dev.cis.ndslabs.org-certificate.yaml
```
...
That's it! If everything worked correctly, you should see some successful log messages in the cert-manager logs:
```
$ kubectl logs -f -n kube-system deploy/cert-manager
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...
I0726 19:29:40.287760 1 controller.go:152] ingress-shim controller: syncing item 'cis-dev/cis-girder'
I0726 19:29:40.287796 1 sync.go:124] Certificate "cis-tls-secret" for ingress "cis-girder" already exists
I0726 19:29:40.287857 1 sync.go:127] Certificate "cis-tls-secret" for ingress "cis-girder" is up to date
I0726 19:29:40.287914 1 controller.go:166] ingress-shim controller: Finished processing work item "cis-dev/cis-girder"
I0726 19:29:44.287733 1 controller.go:177] certificates controller: syncing item 'cis-dev/cis-tls-secret'
I0726 19:29:44.287981 1 sync.go:259] Preparing certificate cis-dev/cis-tls-secret with issuer
I0726 19:29:44.288047 1 acme.go:162] getting private key (letsencrypt-staging->tls.key) for acme issuer kube-system/letsencrypt-staging
I0726 19:29:44.288886 1 prepare.go:247] Cleaning up previous order for certificate cis-dev/cis-tls-secret
I0726 19:29:44.288918 1 prepare.go:263] Cleaning up old/expired challenges for Certificate cis-dev/cis-tls-secret
I0726 19:29:44.288981 1 logger.go:22] Calling CreateOrder
I0726 19:29:44.862177 1 acme.go:196] Created order for domains: [{dns dev.cis.ndslabs.org}]
I0726 19:29:44.862261 1 logger.go:52] Calling GetAuthorization
I0726 19:29:44.959729 1 prepare.go:263] Cleaning up old/expired challenges for Certificate cis-dev/cis-tls-secret
I0726 19:29:44.959768 1 helpers.go:188] Found status change for Certificate "cis-tls-secret" condition "ValidateFailed": "False" -> "False"; setting lastTransitionTime to 2018-07-26 19:29:44.959762093 +0000 UTC m=+273629.459083531
I0726 19:29:44.959795 1 sync.go:266] Issuing certificate...
I0726 19:29:44.959830 1 acme.go:162] getting private key (letsencrypt-staging->tls.key) for acme issuer kube-system/letsencrypt-staging
I0726 19:29:44.960303 1 logger.go:27] Calling GetOrder
I0726 19:29:45.258232 1 logger.go:37] Calling FinalizeOrder
I0726 19:29:46.062504 1 issue.go:104] successfully obtained certificate: cn="dev.cis.ndslabs.org" altNames=[dev.cis.ndslabs.org] url="https://acme-staging-v02.api.letsencrypt.org/acme/order/6536636/4852241"
I0726 19:29:46.079900 1 sync.go:285] Certificate issued successfully
I0726 19:29:46.079951 1 helpers.go:188] Found status change for Certificate "cis-tls-secret" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2018-07-26 19:29:46.079945046 +0000 UTC m=+273630.579266468
I0726 19:29:46.080259 1 sync.go:191] Certificate cis-dev/cis-tls-secret scheduled for renewal in 1438 hours
I0726 19:29:46.091762 1 controller.go:191] certificates controller: Finished processing work item "cis-dev/cis-tls-secret"
```
You should also see that a new secret has been created for your certificate:
```
$ kubectl get certificate,secret -n cis-dev
NAME                                            AGE
certificate.certmanager.k8s.io/cis-tls-secret   5m

NAME                         TYPE                                  DATA   AGE
secret/cis-tls-secret        kubernetes.io/tls                     2      2m
secret/default-token-p2sxz   kubernetes.io/service-account-token   3      5d
```
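The cert-manager log output above can be checked mechanically rather than by eye. The following is an added example, not part of the original page or of cert-manager: a small parser that confirms the expected hostname was issued, that the `Ready` condition ended up `True`, and flags a certificate that came from a staging ACME endpoint. The function name `summarize` and the staging heuristic are assumptions of this example.

```python
import re

# Three lines taken from the cert-manager log excerpt on this page.
SAMPLE_LOG = """\
I0726 19:29:46.062504 1 issue.go:104] successfully obtained certificate: cn="dev.cis.ndslabs.org" altNames=[dev.cis.ndslabs.org] url="https://acme-staging-v02.api.letsencrypt.org/acme/order/6536636/4852241"
I0726 19:29:46.079951 1 helpers.go:188] Found status change for Certificate "cis-tls-secret" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2018-07-26 19:29:46.079945046 +0000 UTC m=+273630.579266468
I0726 19:29:46.080259 1 sync.go:191] Certificate cis-dev/cis-tls-secret scheduled for renewal in 1438 hours
"""

OBTAINED = re.compile(r'successfully obtained certificate: cn="([^"]+)" '
                      r'altNames=\[([^\]]*)\] url="https?://([^/"]+)')
CONDITION = re.compile(r'Certificate "[^"]+" condition "([^"]+)": "\w+" -> "(\w+)"')
RENEWAL = re.compile(r"scheduled for renewal in (\d+) hours")


def summarize(log_text, expected_host):
    """Summarize one certificate's issuance from cert-manager log lines."""
    s = {"cn": None, "alt_names": [], "acme_host": None,
         "conditions": {}, "renewal_hours": None, "problems": []}
    for line in log_text.splitlines():
        if m := OBTAINED.search(line):
            s["cn"], s["acme_host"] = m.group(1), m.group(3)
            s["alt_names"] = m.group(2).split()
        elif m := CONDITION.search(line):
            # Later transitions overwrite earlier ones: keep the final state.
            s["conditions"][m.group(1)] = (m.group(2) == "True")
        elif m := RENEWAL.search(line):
            s["renewal_hours"] = int(m.group(1))

    if s["cn"] is None:
        s["problems"].append("no 'successfully obtained certificate' line found")
    elif expected_host not in s["alt_names"]:
        s["problems"].append(f"{expected_host} missing from altNames")
    if s["conditions"].get("Ready") is not True:
        s["problems"].append("Ready condition never became True")
    # Assumption: a staging ACME endpoint has "staging" in its host name, as the
    # Let's Encrypt one in the log does. Staging certificates are for testing
    # and are not trusted by browsers.
    if s["acme_host"] and "staging" in s["acme_host"]:
        s["problems"].append("issued by an ACME staging endpoint")
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "dev.cis.ndslabs.org").items():
        print(f"{key}: {value}")
```

To run it against a live cluster, pass the text captured from `kubectl logs -n kube-system deploy/cert-manager` as `log_text`.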
...