Cert Manager

Prerequisites

This guide assumes you have the following prerequisites in place:

Cert Manager

Cert Manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various issuing sources. It ensures that your applications can securely communicate over HTTPS by automatically renewing certificates before they expire.

Installation

  1. Create the following directory structure for Cert Manager:

     cert-manager/
     ├── cert-manager/
     │   ├── helmrelease.yml
     │   ├── helmrepository.yml
     │   ├── clusterissuer.yml
     │   └── cloudflare-token.yml
     └── namespace.yml
  2. Add the following content to cert-manager/namespace.yml:

    ---
     kind: Namespace
     apiVersion: v1
     metadata:
       name: cert-manager
       labels:
         name: cert-manager
  3. Add the following content to cert-manager/helmrepository.yml:

    ---
    apiVersion: source.toolkit.fluxcd.io/v1
    kind: HelmRepository
    metadata:
      name: jetstack
      namespace: flux-system
    spec:
      interval: 6h
      url: https://charts.jetstack.io
  4. Add the following content to cert-manager/helmrelease.yml:

    ---
    apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    metadata:
      name: cert-manager
      namespace: cert-manager
    spec:
      interval: 6h
      chart:
        spec:
          chart: cert-manager
          version: "v1.19.4"
          sourceRef:
            kind: HelmRepository
            name: jetstack
            namespace: flux-system
          interval: 6h
      install:
        remediation:
          retries: 3
      upgrade:
        remediation:
          retries: 3
      values:
        crds:
          enabled: true
          keep: true
  5. Add the following content to cert-manager/clusterissuer.yml:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-cloudflare
    spec:
      acme:
        email: email@example.com
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-cloudflare
        solvers:
        - dns01:
            cloudflare:
              apiTokenSecretRef:
                name: cloudflare-api-token
                key: api-token
  6. Add the following content to cert-manager/cloudflare-token-tmp.yml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: cloudflare-api-token
      namespace: cert-manager
    type: Opaque
    data:
      api-token: <base64-encoded-cloudflare-api-token>
  7. Encrypt the cloudflare-token-tmp.yml file using Sealed-Secrets and save it as cloudflare-token.yml:

    kubeseal --format=yaml < cloudflare-token-tmp.yml > cloudflare-token.yml && \
    rm cloudflare-token-tmp.yml
  8. Commit and push the changes to your Git repo.