cert-manager: Install cert-manager
*cert-manager* manages certificates. More specifically, it is an ACME client, which generates certificate-signing requests, submits them to a certificate authority, and stores the signed certificate in Kubernetes secrets. The certificates it manages are defined by Kubernetes Custom Resources, either defined manually or automatically for Ingress resources with particular annotations. The *cert-manager* deployment consists primarily of two services: *cert-manager* itself, which monitors Kubernetes resources and manages certificate requests, and the *cert-manager-webhook*, which validates Kubernetes resources for *cert-manager*. There is also a third component, *cainjector*, which we do not need. The primary configuration for *cert-manager* is done through Issuer and ClusterIssuer resources. These define how certificates are issued: the certificate authority to use and how to handle ACME challenges. For our purposes, we will be using ZeroSSL to issue certificates, verified via the DNS-01 challenge through BIND running on the gateway firewall.
cert-manager/.gitignore (vendored, Normal file, 2 lines)
@@ -0,0 +1,2 @@
cert-manager.key
zerossl.secret
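Review bot: the ignored files `cert-manager.key` and `zerossl.secret` are the inputs the kustomization's `secretGenerator` reads from the working tree, but nothing in the commit documents their expected contents; add a short README or an example file stating that `zerossl.secret` is an env-style file with a single `secret=<EAB HMAC key>` line (matching `key: secret` in the ClusterIssuer) and that `cert-manager.key` holds only the raw TSIG key material, so the next person setting this up does not commit a real key by mistake.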
cert-manager/cert-manager.yaml (Normal file, 5529 lines)
File diff suppressed because it is too large
cert-manager/cluster-issuer.yaml (Normal file, 26 lines)
@@ -0,0 +1,26 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: zerossl
spec:
acme:
server: https://acme.zerossl.com/v2/DV90
email: zerossl@dustinhatch.me
externalAccountBinding:
keyID: f06nxtk433oeVdcaDLp9Iw
keySecretRef:
name: zerossl-eab
key: secret
privateKeySecretRef:
name: zerossl-prod

solvers:
- dns01:
cnameStrategy: Follow
rfc2136:
nameserver: 172.30.0.1
tsigKeyName: cert-manager
tsigAlgorithm: HMACSHA512
tsigSecretSecretRef:
name: cert-manager-tsig
key: cert-manager.key
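Review bot: the `rfc2136` solver sends dynamic updates to `172.30.0.1` signed with the TSIG key `cert-manager`, and anything able to read the `cert-manager-tsig` Secret can sign the same updates; nothing in this commit records how narrowly that key is scoped on the BIND side, so state in the commit message or a comment that the matching `update-policy` on the gateway grants this key only TXT records under the `_acme-challenge` names the DNS-01 challenge uses, not the whole zone. Minor: `privateKeySecretRef.name` is `zerossl-prod` while the issuer itself is named `zerossl`; if a staging issuer is planned the suffix makes sense, otherwise consider aligning the two names.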
cert-manager/kustomization.yaml (Normal file, 21 lines)
@@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- cert-manager.yaml
- cluster-issuer.yaml

secretGenerator:
- name: cert-manager-tsig
namespace: cert-manager
files:
- cert-manager.key
options:
disableNameSuffixHash: true

- name: zerossl-eab
namespace: cert-manager
envs:
- zerossl.secret
options:
disableNameSuffixHash: true
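Review bot: `cluster-issuer.yaml` is listed in the same `resources` as `cert-manager.yaml`, which carries the CRDs and the webhook, so a first `kubectl apply -k` on a fresh cluster can fail because the `ClusterIssuer` kind is not yet established or `cert-manager-webhook` is not yet serving when the issuer is submitted; either move the issuer into a second kustomization applied once cert-manager is ready, or document that the apply must be run twice. Also worth a comment: `disableNameSuffixHash: true` keeps the generated Secret names fixed at `cert-manager-tsig` and `zerossl-eab`, which is what the `secretRef`s in the issuer expect, so rotating `cert-manager.key` or `zerossl.secret` is just a re-apply of this kustomization.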