cert-manager is a Kubernetes addon to automate the management and issuance of TLS certificates from various issuing sources.
It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.
It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects e.g. kube-cert-manager.
This project is still heavily under development and is not ready for use yet. However, if you want to experiment, please do try running the current development build and reporting any issues you run into.
NOTE: currently we provide no guarantees on our API stability. This means there may be breaking changes that will require changes to all Issuer/Certificate resources you have already created. A stable API will be cut and maintained once the initial phase of development is complete.
Prebuilt images for cert-manager are made available on Dockerhub.
This guide sets up cert-manager to run as a Deployment on your Kubernetes cluster. It will then go on to set up the Let's Encrypt ACME staging server as a Certificate issuer, and request a Certificate for a domain you control using both the HTTP01 and DNS01 challenge mechanisms.
By default, it will be configured to fulfil Certificate resources in all namespaces.
- Kubernetes cluster with CustomResourceDefinitions or ThirdPartyResource support
cert-manager uses custom resources/third party resources to represent Certificates and Issuers. In order for cert-manager to do this, we must register our custom API types with the Kubernetes API server. How we do this varies slightly from Kubernetes 1.7 onwards:
Kubernetes 1.7 introduced CustomResourceDefinitions.
A pre-made CRD for cert-manager is in docs/crd.yaml
. We can install it with:
$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/crd.yaml
As Kubernetes 1.6 does not support CustomResourceDefinitions, we must instead
use ThirdPartyResources, the older, now deprecated version of
CustomResourceDefinition. A pre-made TPR for cert-manager is in
docs/tpr.yaml
. We can install it with:
$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/tpr.yaml
To deploy the latest version of cert-manager, run:
$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/cert-manager.yaml
NOTE
- In future this may be replaced with a Helm chart.
- There are currently no official RBAC roles defined for cert-manager (see #34)
An Issuer in cert-manager describes a source for signed TLS certificates that cert-manager can use to fulfil Certificate resources in a Kubernetes cluster.
Within the Issuer's spec, we can define any configuration that may be required (e.g. credentials for updating a DNS server) on a per-issuer basis.
In the below example, you must remember to fill in the spec.acme.email
field.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging.api.letsencrypt.org/directory
# Email address used for ACME registration
email: ""
# Name of a secret used to store the ACME account private key
privateKey: letsencrypt-staging
# ACME dns-01 provider configurations
dns-01:
# Here we define a list of DNS-01 providers that can solve DNS challenges
providers:
# We define a provider named 'prod-dns', with configuration for the
# clouddns challenge provider.
- name: prod-dns
clouddns:
# A secretKeyRef to a the google cloud json service account
serviceAccount:
name: clouddns-service-account
key: service-account.json
# The project in which to update the DNS zone
project: gcloud-prod-project
This is an example Issuer for the letsencrypt staging server. Here, we define one DNS provider, named clouddns, that can be used to solve ACME challenges.
HTTP-01 is also supported without additional configuration when using the ACME issuer.
Upon creation of the Issuer, any initial preparation for that Issuer will be performed, e.g. for the ACME issuer, an account is registered with the ACME server specified in the spec, and a corresponding private key generated too if required.
Multiple Issuers may exist at any one time, and they should be referenced by name in a Certificate resource. The Issuer and Certificate resource must exist in the same namespace, as cert-manager does not allow the traversal of namespace boundaries.
Now we have an Issuer configured, we can create a Certificate resource that uses it. A Certificate represents the lifecycle of a TLS certificate in your cluster. When a Certificate is created, cert-manager will verify the certificate is valid for the requested domains and if not, will attempt to retrieve a signed Certificate from the specified Issuer.
## Example Certificate that uses multiple challenge mechanisms to obtain
## a SAN certificate for multiple domains from the letsencrypt-staging issuer.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: example-com
spec:
# The name of the Kubernetes secret resource to store the signed TLS keypair
secretName: example-com
# The Issuer to use for this certificate
issuer: letsencrypt-staging
# A list of domains to include on the TLS certificate
domains:
- example.com
- www.example.com
- example2.com
acme:
# A pairing of domains to challenge types for the ACME provider to use
# when attempting to validate domain ownership for the listed domains
config:
- domains:
- example.com
- www.example.com
http-01:
ingressClass: nginx
- domains:
- example2.com
dns-01:
provider: prod-dns
Currently, cert-manager does not log Events on Certificates or Issuers to the Kubernetes Events API (see #54).
Until then, we can view the logs of cert-manager with the following:
$ kubectl logs -l app=cert-manager
2017/08/29 12:54:37 Preparing Certificate 'default/test-jetstack-net'
2017/08/29 12:54:37 getting private key for acme issuer default/letsencrypt-staging
2017/08/29 12:54:37 need to get authorizations for [test.jetstack.net]
2017/08/29 12:54:37 requested authorizations for [test.jetstack.net]
2017/08/29 12:54:37 picking challenge type for domain 'test.jetstack.net'
2017/08/29 12:54:37 using challenge type http-01 for domain 'test.jetstack.net'
2017/08/29 12:54:37 presenting challenge for domain test.jetstack.net, token FdVsxK2U1NRqTpEtFux29xy-0SVkcHc2qbguttdZLy8 key FdVsxK2U1NRqTpEtFux29xy-0SVkqHc2qbguttdZLy8.HwRbVJxMBmV9fJ9UxUtbN5tvjnEeCTtHnH5G9JLSYhc
2017/08/29 12:54:38 waiting for key to be available to acme servers for domain test.jetstack.net
2017/08/29 12:54:38 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:44 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:49 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:54 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:54:59 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:55:04 [test.jetstack.net] Error self checking HTTP01 challenge: wrong status code '503'
2017/08/29 12:55:09 [test.jetstack.net] HTTP01 challenge self checking passed
2017/08/29 12:55:09 accepting http-01 challenge for domain test.jetstack.net
2017/08/29 12:55:09 waiting for authorization for domain test.jetstack.net (https://acme-staging.api.letsencrypt.org/acme/challenge/MEFHD2piP1SpkG3tMcE9CRldMO-pS7OqzeJs6AK7AiE/1704174337)...
2017/08/29 12:55:09 got successful authorization for domain test.jetstack.net
2017/08/29 12:55:09 Finished preparing Certificate 'default/test-jetstack-net'
2017/08/29 12:55:09 [default/test-jetstack-net] Issuing certificate...
2017/08/29 12:55:15 successfully got certificate: domains=[test.jetstack.net] url=https://acme-staging.api.letsencrypt.org/acme/cert/03ed2ed8bac6c402a04ef8d9e83a536ad823
2017/08/29 12:55:15 [default/test-jetstack-net] Successfully issued certificate (test-jetstack-net)
2017/08/29 12:55:15 [default/test-jetstack-net] Scheduling renewal in 1438 hours
2017/08/29 12:55:15 finished processing work item
You can also check the signed TLS keypair exists with:
$ kubectl get secret -o yaml example-com
You should see a base64 encoded TLS keypair if issuance was successful.
For further documentation, please check the /docs directory in this repository.
If you encounter any issues whilst using cert-manager, and your issue is not documented, please file an issue.
We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project.
Please take a look at our issue tracker if you are unsure where to start with getting involved!
We also use the #kube-lego channel on kubernetes.slack.com for chat relating to the project.
Developer documentation should soon be available at docs/devel.
The list of releases is the best place to look for information on changes between releases.