Is the annotation cert-manager.io/cluster-issuer: acme-issuer enough to generate a TLS certificate?

1/14/2020

From the cert-manager doc: adding the annotation cert-manager.io/cluster-issuer: acme-issuer to an Ingress object should trigger the shim, request a certificate from this issuer, and store the certificate (without any namespace?) (with which name?).

I tried this and it does nothing. Adding a tls: section to the yaml definition of the Ingress does trigger the shim, request a certificate and store it in the same namespace as the Ingress.

Does this mean the doc is incorrect, or should it really work without a tls: section?

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: acme-issuer
    kubernetes.io/ingress.class: nginx
  name: my-ingress-name
  namespace: mynamespace
spec:
  rules:
  - host: some.domain.eu
    http:
      paths:
      - backend:
          serviceName: my-service-name
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - some.domain.eu
    secretName: secret-storage-key-for-tls-cert
-- Softlion
cert-manager
kubernetes

2 Answers

1/16/2020

I'm using it like you, and that creates my TLS OK. But the name of privateKeySecretRef is equal to the ClusterIssuer name. The tls section is needed on the Ingress.

Using:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx

Check the certificate status to debug:

kubectl get certificate -o wide

If the status shows a CertificateRequest:

kubectl get CertificateRequest -o wide
-- Newton José
Source: StackOverflow

1/14/2020

If you created the issuer correctly, then you need to create a Certificate, so the issuer can issue the certificate using the information you have in the Certificate resource, and populate the secret:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certname
spec:
  secretName: secretName
  issuerRef:
    name: letsencrypt-prod
    # issuerRef.kind defaults to Issuer; set it explicitly when the issuer is a ClusterIssuer
    kind: ClusterIssuer
  commonName: <the CN>
  dnsNames:
  - <name>

Once you have this resource, it should create a secret containing the TLS certificates, and store it in secretName.

-- Burak Serdar
Source: StackOverflow
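The question asks what ingress-shim does with the annotation alone, and in which namespace and under which name the result lands; the answers say a tls: section (or a hand-written Certificate) is needed. The following script, an added example that is not part of the question or either answer and not cert-manager's own code, takes an Ingress as `kubectl get ingress <name> -o json` prints it and reports what the shim is documented to do: one Certificate per spec.tls entry, named after that entry's secretName, in the Ingress's own namespace, with dnsNames taken from the entry's hosts and issuerRef taken from the annotation. It flags the asker's case (annotation but no spec.tls) and entries missing secretName or hosts as reasons nothing will be issued. The embedded sample Ingress is constructed from the one in the question; the function and constant names are the example's own.

```python
"""Predict what cert-manager's ingress-shim will create for an Ingress.

Added example, not from the question, the answers or cert-manager itself.
Mirrors the naming the cert-manager docs describe for ingress-shim: the
Certificate is named after the tls entry's secretName and lives in the
Ingress's namespace.
"""
import json
import sys

CLUSTER_ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"
ISSUER_ANNOTATION = "cert-manager.io/issuer"


def plan_certificates(ingress):
    """Return (problems, certificates).

    problems: reasons the shim would do nothing for this Ingress or an entry.
    certificates: Certificate manifests (dicts) the shim would create.
    """
    meta = ingress.get("metadata", {})
    annotations = meta.get("annotations") or {}
    namespace = meta.get("namespace", "default")
    problems, certificates = [], []

    cluster_issuer = annotations.get(CLUSTER_ISSUER_ANNOTATION)
    issuer = annotations.get(ISSUER_ANNOTATION)
    if cluster_issuer and issuer:
        # Lint from this example: one Ingress should name exactly one issuer.
        problems.append("both issuer annotations are set; keep only one")
        return problems, certificates
    if not (cluster_issuer or issuer):
        problems.append("no cert-manager issuer annotation; ingress-shim ignores this Ingress")
        return problems, certificates
    issuer_ref = (
        {"kind": "ClusterIssuer", "name": cluster_issuer}
        if cluster_issuer
        else {"kind": "Issuer", "name": issuer}
    )

    tls_entries = ingress.get("spec", {}).get("tls") or []
    if not tls_entries:
        # The asker's situation: annotation present, no spec.tls section.
        problems.append("no spec.tls entries; the shim has no secretName or hosts to build a Certificate from")
        return problems, certificates

    for i, entry in enumerate(tls_entries):
        secret_name = entry.get("secretName")
        hosts = entry.get("hosts") or []
        if not secret_name:
            problems.append(f"spec.tls[{i}] has no secretName; skipped")
            continue
        if not hosts:
            problems.append(f"spec.tls[{i}] has no hosts; nothing to put in dnsNames, skipped")
            continue
        certificates.append({
            "apiVersion": "cert-manager.io/v1alpha2",
            "kind": "Certificate",
            # Named after the secret, in the Ingress's namespace.
            "metadata": {"name": secret_name, "namespace": namespace},
            "spec": {
                "secretName": secret_name,
                "dnsNames": list(hosts),
                "issuerRef": issuer_ref,
            },
        })
    return problems, certificates


def sample_ingress(with_tls=True):
    """Constructed sample mirroring the question's Ingress (JSON form)."""
    ingress = {
        "apiVersion": "extensions/v1beta1",
        "kind": "Ingress",
        "metadata": {
            "name": "my-ingress-name",
            "namespace": "mynamespace",
            "annotations": {
                CLUSTER_ISSUER_ANNOTATION: "acme-issuer",
                "kubernetes.io/ingress.class": "nginx",
            },
        },
        "spec": {
            "rules": [{"host": "some.domain.eu", "http": {"paths": [
                {"path": "/", "backend": {"serviceName": "my-service-name", "servicePort": 5000}}]}}],
        },
    }
    if with_tls:
        ingress["spec"]["tls"] = [
            {"hosts": ["some.domain.eu"], "secretName": "secret-storage-key-for-tls-cert"}]
    return ingress


if __name__ == "__main__":
    # Pipe `kubectl get ingress <name> -o json` in, or run without input for the sample.
    ingress = json.load(sys.stdin) if not sys.stdin.isatty() else sample_ingress()
    problems, certs = plan_certificates(ingress)
    for p in problems:
        print("problem:", p)
    for c in certs:
        print(json.dumps(c, indent=2))
```

Run it with `kubectl get ingress my-ingress-name -n mynamespace -o json | python3 shim_plan.py` (file name chosen for this example) before waiting on cert-manager: an empty problem list and one manifest per tls entry means the shim has what it needs, and the printed metadata tells you which `kubectl get certificate -n <ns> <secretName>` to inspect.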