This article shows how to create a certificate and pair it with Apache Ingress Controller via the Cert Manager.
Apache Ingress Controller is an open source Kubernetes Ingress Controller that uses Apache as its data plane. Version 1.3 added features such as certificate management, load balancing, canary publishing, and more.
Certificate management has long been far from simple. Apache Ingress Controller can extract certificates and private keys from Kubernetes Secret resources and convert them into SSL objects that Apache recognizes, but that is only one part of the certificate management chain: issuance, rotation and revocation still have to be implemented by administrators. When the number of certificates is large, this workload is considerable and takes up a lot of an administrator's time.
Cert Manager is a piece of software dedicated to simplifying certificate management on the Kubernetes platform; it integrates with many different certificate sources, such as Let's Encrypt and HashiCorp Vault.
If you are having trouble with certificate management when using Apache Ingress Controller, Cert Manager is a good option. This article shows how to create a certificate with Cert Manager and pair it with Apache Ingress Controller.
Step 1: Environment Preparation
If you want to follow the instructions in this article, make sure the following environment and tools are in place:
- A usable Kubernetes cluster; in a development environment you can use Kind or Minikube
- Install kubectl
- Install Helm v3
Note that all of the following operations will be performed in the ingress- namespace, so you need to create the namespace first:
kubectl create namespace ingress-
Step 2: Install Apache Ingress Controller
You can install Apache Ingress Controller via Helm, including Apache and an etcd cluster as the data plane.
Click to view the installation details.
Step 3: Install Cert Manager
To install Cert Manager with Helm, click to view the installation details.
helm install cert-manager jetstack/cert-manager --namespace ingress- --set prometheus.enabled=false --set installCRDs=true
After installation, wait a moment and then check the running status of the components to make sure that all of them are working properly. You can do this with the following command.
kubectl get all -n ingress-
The result is as follows, indicating that all components are working properly.
NAME                                              READY   STATUS        RESTARTS   AGE
pod/-5d99956d88-j68sj                             1/1     Running       0          63s
pod/-69459554d4-btnwn                             0/1     Terminating   0          57m
pod/-etcd-0                                       1/1     Running       0          57m
pod/-etcd-1                                       1/1     Running       0          57m
pod/-etcd-2                                       0/1     Running       0          50s
pod/-ingress-controller-7b5c767cc7-j62hb          1/1     Running       0          55m
pod/cert-manager-5ffd4f6c89-q9f7m                 1/1     Running       0          45m
pod/cert-manager-cainjector-748dc889c5-nrvkh      1/1     Running       0          45m
pod/cert-manager-startupapicheck-kmgxf            0/1     Completed     0          45m
pod/cert-manager-webhook-bc964d98b-mkjj7          1/1     Running       0          45m

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
service/-admin                 ClusterIP   10.96.16.25     <none>        9180/TCP                     57m
service/-etcd                  ClusterIP   10.96.232.251   <none>        2379/TCP,2380/TCP            57m
service/-etcd-headless         ClusterIP   None            <none>        2379/TCP,2380/TCP            57m
service/-gateway               NodePort    10.96.118.75    <none>        80:32039/TCP,443:30107/TCP   57m
service/-ingress-controller    ClusterIP   10.96.13.76     <none>        80/TCP                       57m
service/cert-manager-webhook   ClusterIP   10.96.182.188   <none>        443/TCP                      45m

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/                          1/1     1            1           57m
deployment.apps/-ingress-controller       1/1     1            1           57m
deployment.apps/cert-manager              1/1     1            1           45m
deployment.apps/cert-manager-cainjector   1/1     1            1           45m
deployment.apps/cert-manager-webhook      1/1     1            1           45m

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/-5d99956d88                           1         1         1       63s
replicaset.apps/-69459554d4                           0         0         0       57m
replicaset.apps/-ingress-controller-74c6b5fbdd        0         0         0       57m
replicaset.apps/-ingress-controller-7b5c767cc7        1         1         1       55m
replicaset.apps/-ingress-controller-7d58db957c        0         0         0       55m
replicaset.apps/cert-manager-5ffd4f6c89               1         1         1       45m
replicaset.apps/cert-manager-cainjector-748dc889c5    1         1         1       45m
replicaset.apps/cert-manager-webhook-bc964d98b        1         1         1       45m

NAME                      READY   AGE
statefulset.apps/-etcd    2/3     57m

NAME                                     COMPLETIONS   DURATION   AGE
job.batch/cert-manager-startupapicheck   1/1           6m24s      45m
Because of how the Kubernetes controller manager generates names, the Pod names in your cluster will differ.
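Reading a long `kubectl get all` table by eye is error-prone, so here is a small shell filter (an added example, not code from the article or the project) that reads that output from stdin and prints every Pod or StatefulSet that is not fully ready. Run against the output above it would report the etcd Pod at 0/1 and the StatefulSet at 2/3, which are worth waiting on before continuing. The sample lines are constructed in the same format with placeholder names; the script assumes awk is available and that the namespace is the one the article creates.

```shell
# Constructed sample in the format printed by `kubectl get all -n <namespace>`
# (resource names are placeholders, not taken from a real cluster).
SAMPLE_KUBECTL_OUTPUT='NAME                                     READY   STATUS        RESTARTS   AGE
pod/gateway-etcd-1                           1/1     Running       0          57m
pod/gateway-etcd-2                           0/1     Running       0          50s
pod/gateway-69459554d4-btnwn                 0/1     Terminating   0          57m
pod/cert-manager-5ffd4f6c89-q9f7m            1/1     Running       0          45m
pod/cert-manager-startupapicheck-kmgxf       0/1     Completed     0          45m

NAME                            READY   AGE
statefulset.apps/gateway-etcd   2/3     57m'

# Read kubectl output on stdin and print one line per Pod or StatefulSet that is
# not fully ready. A Pod counts as ready only when its STATUS is Running and the
# READY column is n/n; Pods in Completed state (finished Jobs such as the
# cert-manager startupapicheck) are expected and skipped. A StatefulSet counts as
# ready only when READY is n/n.
find_not_ready() {
    awk '
        $1 ~ /^pod\// {
            split($2, r, "/")
            if ($3 == "Completed") next
            if ($3 != "Running" || r[1] != r[2]) print $1, $2, $3
            next
        }
        $1 ~ /^statefulset\.apps\// {
            split($2, r, "/")
            if (r[1] != r[2]) print $1, $2
        }
    '
}

# Succeeds (exit 0) only when find_not_ready reports nothing; handy in a wait loop
# against a live cluster (assumes kubectl and the namespace from the article):
#   until kubectl get all -n ingress- | cluster_ready; do sleep 5; done
cluster_ready() {
    [ -z "$(find_not_ready)" ]
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KUBECTL_OUTPUT" | find_not_ready
```

The filter deliberately treats a Terminating Pod as not ready: an old ReplicaSet's Pod that is still shutting down means the rollout has not finished, and certificates requested before the controller is fully up may simply be retried later rather than failing loudly.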
Step 4: Apply for a Certificate and Test it
First we need to define the certificate issuer object.
# issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer
  namespace: ingress-
spec:
  selfSigned: {}
And create a self-signed certificate issuer.
kubectl apply -f issuer.yaml
Note that self-signed issuers are not recommended for use in production environments! See here for more on configuring the issuer object.
Then create a certificate for the domain name httpbin.org.
# httpbin-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpbin
  namespace: ingress-
spec:
  secretName: httpbin
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - foo
  commonName: httpbin.org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
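The duration and renewBefore fields are what make rotation automatic, and cert-manager only accepts them within limits. As an added check (not code from the article or from cert-manager), the shell script below reads a Certificate manifest like the one above, converts both fields to seconds and enforces cert-manager's two rules (a lifetime of at least 1h, and renewBefore strictly less than duration), and also flags a self-signed Issuer as the note above warns. The manifests are constructed copies of the spec fields shown; the parser assumes keys are unique within each file and that durations use a single Go unit (h, m or s), and awk must be available.

```shell
# Constructed manifests that mirror the article's issuer.yaml and httpbin-cert.yaml
# spec fields (not the article's files themselves).
ISSUER_MANIFEST='apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer
spec:
  selfSigned: {}'

HTTPBIN_CERT_MANIFEST='apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpbin
spec:
  secretName: httpbin
  duration: 2160h    # 90d
  renewBefore: 360h  # 15d
  commonName: httpbin.org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1'

# Value of a scalar "key: value" line in the manifest held in $1 (key name in $2).
# Assumes the key occurs once in the manifest, which holds for these two files.
yaml_value() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# Convert a single-unit Go duration (2160h, 360m, 30s) to seconds. cert-manager
# takes Go durations, so "90d" is only a comment in the manifest, not a valid value.
to_seconds() {
    n=${1%?}
    case "$n" in
        ''|*[!0-9]*) echo "unsupported duration: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *h) echo $(( n * 3600 )) ;;
        *m) echo $(( n * 60 )) ;;
        *s) echo "$n" ;;
        *)  echo "unsupported duration: $1" >&2; return 1 ;;
    esac
}

# Validate the rotation settings of the Certificate manifest held in $1.
# Returns 0 when they are sane, 1 (with a message) otherwise.
check_certificate() {
    dur=$(yaml_value "$1" duration)
    renew=$(yaml_value "$1" renewBefore)
    dur_s=$(to_seconds "$dur") || return 1
    renew_s=$(to_seconds "$renew") || return 1
    status=0
    # cert-manager rejects certificate lifetimes shorter than one hour.
    if [ "$dur_s" -lt 3600 ]; then
        echo "duration $dur is below cert-manager's 1h minimum"; status=1
    fi
    # renewBefore must be strictly less than duration; cert-manager's validation rejects it otherwise.
    if [ "$renew_s" -ge "$dur_s" ]; then
        echo "renewBefore $renew must be less than duration $dur"; status=1
    fi
    return $status
}

# Succeeds when the Issuer manifest in $1 is a self-signed issuer, which the
# article's note says should not be used in production.
issuer_is_self_signed() {
    printf '%s\n' "$1" | awk '$1 == "selfSigned:" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Stand-alone demonstration on the constructed manifests.
check_certificate "$HTTPBIN_CERT_MANIFEST" && echo "httpbin certificate rotation settings are sane"
issuer_is_self_signed "$ISSUER_MANIFEST" && echo "warning: issuer is self-signed (not for production)"
```

Running this in a pre-commit hook or CI step catches the two mistakes that otherwise surface only as a Certificate stuck in a not-Ready state, and keeps a self-signed Issuer from reaching a production namespace unnoticed.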