Skip to content

Use Cert-Manager

What Will You Do

In this exercise,

  • You will create and publish a workload to a cluster that has a custom blueprint with the Rafay managed Ingress Controller and a cert-manager addon.
  • The workload will leverage the cert-manager addon for certificate operations with Let's Encrypt.

Assumptions

  • You have already provisioned or imported a Kubernetes cluster using Rafay.
  • You have successfully published a cert-manager addon based cluster blueprint to your cluster.
  • You own a domain which we will use for certificate issuance.

For this example, we will use a simple container image called "http-echo". This is a in-memory web server that echoes back arguments provided to it.


Step 1: Configure DNS

Ensure that you configure DNS for your workload's ingress domain with your DNS provider. In our example, the workload will be accessible to users at "https://echo.infra.gorafay.net". We can verify that DNS is configured properly by using the "dig" utility.

dig echo.infra.gorafay.net

; <<>> DiG 9.10.6 <<>> echo.infra.gorafay.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54549
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;echo.infra.gorafay.net.        IN  A

;; ANSWER SECTION:
echo.infra.gorafay.net. 300 IN  A   52.250.10.71
echo.infra.gorafay.net. 300 IN  A   52.250.15.222

;; Query time: 55 msec
;; SERVER: 2001:558:feed::1#53(2001:558:feed::1)
;; WHEN: Tue Aug 11 19:43:56 PDT 2020
;; MSG SIZE  rcvd: 83

Step 2: Configure k8s Ingress

To leverage cert-manager, we will add an annotation for cert-manager to the Ingress object. In the example below, the Cluster Issuer points to what we created in the cluster blueprint.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-http"
spec:
  tls:
  - hosts:
    - echo.infra.gorafay.net
    secretName: echo-tls
  rules:
  - host: echo.infra.gorafay.net
    http:
      paths:
      - backend:
          serviceName: echo
          servicePort: 80

Step 3: Create Workload

  • Copy the yaml below, update the Ingress object from the previous step
  • Create a workload (type: k8s yaml), select a cluster and publish it

Create Workload

apiVersion: v1
kind: Service
metadata:
  name: echo
spec:
  ports:
  - port: 80
    targetPort: 5678
  selector:
    app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
spec:
  selector:
    matchLabels:
      app: echo
  replicas: 1
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
      - name: echo
        image: hashicorp/http-echo
        args:
        - "-text=This is a Let's Encrypt Test. Check the Certificate Details !!!"
        ports:
        - containerPort: 5678
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-http"
spec:
  tls:
  - hosts:
    - echo.infra.gorafay.net
    secretName: echo-tls
  rules:
  - host: echo.infra.gorafay.net
    http:
      paths:
      - backend:
          serviceName: echo
          servicePort: 80

Once the workload is published, you should see something like the illustrative screenshot below

Published Workload


Step 4: Verification

  • Click on Debug and the KubeCTL button
  • First, let's verify that the required resources are deployed and healthy
kubectl get all

NAME                        READY   STATUS    RESTARTS   AGE
pod/echo-6b756c6c88-kjcjg   1/1     Running   0          53m

NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/echo   ClusterIP   10.107.170.113   <none>        80/TCP    53m

NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/echo   1/1     1            1           53m

NAME                              DESIRED   CURRENT   READY   AGE
replicaset.apps/echo-6b756c6c88   1         1         1       53m

Now, let's verify whether Ingress was configured properly.

kubectl get ingress

NAME           HOSTS                    ADDRESS          PORTS     AGE
echo-ingress   echo.infra.gorafay.net   10.101.109.148   80, 443   54m

Now, let's verify the Let's Encrypt certificate that was issued using the cert-manager addon.

kubectl get certificate

NAME       READY   SECRET     AGE
echo-tls   True    echo-tls   16h

Now, let us describe the certificate that was issued from Let's Encrypt.

kubectl describe certificate echo-tls

Name:         echo-tls
Namespace:    demo
Labels:       rep-organization=qkonnmn
              rep-partner=rx28oml
              rep-project=pkvzp2n
              rep-workload=echo
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-08-12T02:06:30Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  echo-ingress
    UID:                   6ffcf6cc-dc40-11ea-b8aa-000d3a6edb68
  Resource Version:        26827123
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/demo/certificates/echo-tls
  UID:                     6ffed683-dc40-11ea-b8aa-000d3a6edb68
Spec:
  Dns Names:
    echo.infra.gorafay.net
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt-http
  Secret Name:  echo-tls
Status:
  Conditions:
    Last Transition Time:  2020-08-12T02:06:30Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2020-11-10T00:35:56Z
Events:                    <none>

Now, open a web browser and access the domain where your workload is deployed. You should see that the page is accessible over "https" and is secured with a TLS Certificate issued by Let's Encrypt.

Let's Encrypt Certificate


Recap

Congratulations! You deployed a workload to a Kubernetes cluster leveraging cert-manager that was deployed as part of a cluster blueprint.