Cert-Manager¶
Cert-manager is a X.509 certificate controller for Kubernetes-like workloads. It will obtain certificates from a variety of Issuers, both popular public Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to renew certificates at a configured time before expiry. This Add-on deploys this controller in an Amazon EKS Cluster.
Usage¶
To deploy cert-manager Add-on via EKS Blueprints Addons, reference the following parameters under the module.eks_blueprints_addons
.
Helm Chart customization¶
It's possible to customize your deployment using the Helm Chart parameters inside the cert-manager
configuration block:
You can find all available Helm Chart parameter values here
Validation¶
- Validate if the Cert-Manger Pods are Running.
kubectl -n cert-manager get pods
NAME READY STATUS RESTARTS AGE
cert-manager-5989bcc87-96qvf 1/1 Running 0 2m49s
cert-manager-cainjector-9b44ddb68-8c7b9 1/1 Running 0 2m49s
cert-manager-webhook-776b65456-k6br4 1/1 Running 0 2m49s
- Create a SelfSigned ClusterIssuer resource in the cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
spec:
selfSigned: {}
kubectl get clusterissuers -o wide selfsigned-cluster-issuer
NAME READY STATUS AGE
selfsigned-cluster-issuer True 3m
- Create a Certificate in a given Namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example
namespace: default
spec:
isCA: true
commonName: example
secretName: example-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-cluster-issuer
kind: ClusterIssuer
group: cert-manager.io
- Check the
certificate
status in it should be inReady
state, and be pointing to asecret
created in the same Namespace.
kubectl get certificate -o wide
NAME READY SECRET ISSUER STATUS AGE
example True example-secret selfsigned-cluster-issuer Certificate is up to date and has not expired 44s
kubectl get secret example-secret
NAME TYPE DATA AGE
example-secret kubernetes.io/tls 3 70s