...

Simply edit one of your ingress rules to add a single line: point the certmanager.k8s.io/cluster-issuer annotation at the name of your ClusterIssuer.

For example, with kubectl edit -n cis-dev ing cis-girder I would add the following annotation:

cis-dev.ingress.yaml:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging    # <---- Add this line
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: cis-girder
  namespace: cis-dev
spec:
  rules:
  - host: dev.cis.ndslabs.org
    http:
      paths:
      - backend:
          serviceName: cis-girder
          servicePort: 80
        path: /
      - backend:
          serviceName: cis-girder
          servicePort: 8080
        path: /girder
      - backend:
          serviceName: cis-girder
          servicePort: 8080
        path: /static
      - backend:
          serviceName: cis-girder
          servicePort: 8080
        path: /api
  tls:
  - hosts:
    - dev.cis.ndslabs.org
    secretName: cis-tls-secret

...

dev.cis.ndslabs.org-certificate.yaml:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cis-tls-secretcert
spec:
  secretName: cis-tls-secret
  dnsNames:
  - dev.cis.ndslabs.org
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dev.cis.ndslabs.org
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

Then pass this file to kubectl create:

$ kubectl create -f dev.cis.ndslabs.org-certificate.yaml

...

That's it! If everything worked correctly, you should see some successful log messages in the cert-manager logs:

$ kubectl logs -f -n kube-system deploy/cert-manager
...
I0726 19:29:40.287760       1 controller.go:152] ingress-shim controller: syncing item 'cis-dev/cis-girder'
I0726 19:29:40.287796       1 sync.go:124] Certificate "cis-tls-secret" for ingress "cis-girder" already exists
I0726 19:29:40.287857       1 sync.go:127] Certificate "cis-tls-secret" for ingress "cis-girder" is up to date
I0726 19:29:40.287914       1 controller.go:166] ingress-shim controller: Finished processing work item "cis-dev/cis-girder"
I0726 19:29:44.287733       1 controller.go:177] certificates controller: syncing item 'cis-dev/cis-tls-secret'
I0726 19:29:44.287981       1 sync.go:259] Preparing certificate cis-dev/cis-tls-secret with issuer
I0726 19:29:44.288047       1 acme.go:162] getting private key (letsencrypt-staging->tls.key) for acme issuer kube-system/letsencrypt-staging
I0726 19:29:44.288886       1 prepare.go:247] Cleaning up previous order for certificate cis-dev/cis-tls-secret
I0726 19:29:44.288918       1 prepare.go:263] Cleaning up old/expired challenges for Certificate cis-dev/cis-tls-secret
I0726 19:29:44.288981       1 logger.go:22] Calling CreateOrder
I0726 19:29:44.862177       1 acme.go:196] Created order for domains: [{dns dev.cis.ndslabs.org}]
I0726 19:29:44.862261       1 logger.go:52] Calling GetAuthorization
I0726 19:29:44.959729       1 prepare.go:263] Cleaning up old/expired challenges for Certificate cis-dev/cis-tls-secret
I0726 19:29:44.959768       1 helpers.go:188] Found status change for Certificate "cis-tls-secret" condition "ValidateFailed": "False" -> "False"; setting lastTransitionTime to 2018-07-26 19:29:44.959762093 +0000 UTC m=+273629.459083531
I0726 19:29:44.959795       1 sync.go:266] Issuing certificate...
I0726 19:29:44.959830       1 acme.go:162] getting private key (letsencrypt-staging->tls.key) for acme issuer kube-system/letsencrypt-staging
I0726 19:29:44.960303       1 logger.go:27] Calling GetOrder
I0726 19:29:45.258232       1 logger.go:37] Calling FinalizeOrder
I0726 19:29:46.062504       1 issue.go:104] successfully obtained certificate: cn="dev.cis.ndslabs.org" altNames=[dev.cis.ndslabs.org] url="https://acme-staging-v02.api.letsencrypt.org/acme/order/6536636/4852241"
I0726 19:29:46.079900       1 sync.go:285] Certificate issued successfully
I0726 19:29:46.079951       1 helpers.go:188] Found status change for Certificate "cis-tls-secret" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2018-07-26 19:29:46.079945046 +0000 UTC m=+273630.579266468
I0726 19:29:46.080259       1 sync.go:191] Certificate cis-dev/cis-tls-secret scheduled for renewal in 1438 hours
I0726 19:29:46.091762       1 controller.go:191] certificates controller: Finished processing work item "cis-dev/cis-tls-secret"
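
To check a log like the one above without reading it line by line, the following added example (not part of the original page or of cert-manager) parses the klog-formatted lines and reports what was issued, the last value of each Certificate condition, the renewal schedule, and any non-info lines. It also flags issuance against the Let's Encrypt staging endpoint, whose certificates browsers do not trust. The function names and the final sample log line are constructed for this example; the other sample lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# klog prefix: severity letter + MMDD, time, thread id, "file:line]", then the message.
KLOG = re.compile(r'^([IWEF])\d{4} \d{2}:\d{2}:\d{2}\.\d+\s+\d+ ([\w.-]+:\d+)\] (.*)$')
OBTAINED = re.compile(r'successfully obtained certificate: cn="([^"]+)" altNames=\[([^\]]*)\] url="([^"]+)"')
CONDITION = re.compile(r'status change for Certificate "([^"]+)" condition "(\w+)": "\w+" -> "(\w+)"')
RENEWAL = re.compile(r'Certificate (\S+) scheduled for renewal in (\d+) hours')

# The first four lines are copied from the log above; the last line is constructed.
SAMPLE_LOG = """\
I0726 19:29:46.062504       1 issue.go:104] successfully obtained certificate: cn="dev.cis.ndslabs.org" altNames=[dev.cis.ndslabs.org] url="https://acme-staging-v02.api.letsencrypt.org/acme/order/6536636/4852241"
I0726 19:29:46.079900       1 sync.go:285] Certificate issued successfully
I0726 19:29:46.079951       1 helpers.go:188] Found status change for Certificate "cis-tls-secret" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2018-07-26 19:29:46.079945046 +0000 UTC m=+273630.579266468
I0726 19:29:46.080259       1 sync.go:191] Certificate cis-dev/cis-tls-secret scheduled for renewal in 1438 hours
E0726 19:30:02.000000       1 sync.go:1] constructed placeholder error line
"""

def summarize(log_text):
    """Collect issuance events, final condition values, renewal times and non-info lines."""
    out = {"issued": [], "conditions": {}, "renewal_hours": {}, "problems": []}
    for raw in log_text.splitlines():
        m = KLOG.match(raw.strip())
        if not m:
            continue  # elision rows, blank lines, non-klog output
        severity, source, msg = m.groups()
        if severity != "I":
            out["problems"].append(f"{source} {msg}")
        if o := OBTAINED.search(msg):
            host = urlparse(o.group(3)).hostname or ""
            out["issued"].append({"cn": o.group(1), "alt_names": o.group(2).split(),
                                  "acme_host": host, "staging": "staging" in host})
        elif c := CONDITION.search(msg):
            out["conditions"][(c.group(1), c.group(2))] = c.group(3)  # last transition wins
        elif r := RENEWAL.search(msg):
            out["renewal_hours"][r.group(1)] = int(r.group(2))
    return out

def is_ready(summary, cert_name):
    """True when the last logged Ready condition for cert_name is "True"."""
    return summary["conditions"].get((cert_name, "Ready")) == "True"

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["issued"], s["renewal_hours"], s["problems"], is_ready(s, "cis-tls-secret"))
```
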

You should also see that a new secret has been created for your certificate:

$ kubectl get certificate,secret -n cis-dev
NAME                                            AGE
certificate.certmanager.k8s.io/cis-tls-secret   5m

NAME                         TYPE                                  DATA      AGE
secret/cis-tls-secret        kubernetes.io/tls                     2         2m
secret/default-token-p2sxz   kubernetes.io/service-account-token   3         5d

...