
Cert-Manager

Cert-manager is an X.509 certificate controller for Kubernetes-like workloads. It obtains certificates from a variety of Issuers, both popular public Issuers and private Issuers, ensures the certificates are valid and up-to-date, and attempts to renew certificates at a configured time before expiry. This Add-on deploys the controller in an Amazon EKS Cluster.

Usage

To deploy the cert-manager Add-on via EKS Blueprints Addons, set the following parameter in the module.eks_blueprints_addons block:

module "eks_blueprints_addons" {

  enable_cert_manager         = true
}

Helm Chart customization

It's possible to customize your deployment using the Helm Chart parameters inside the cert-manager configuration block:

  cert-manager = {
    chart_version    = "v1.11.1"
    namespace        = "cert-manager"
    create_namespace = true
  }

You can find all available Helm Chart parameter values here

Validation

  1. Validate that the Cert-Manager Pods are Running.
kubectl -n cert-manager get pods
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-5989bcc87-96qvf              1/1     Running   0          2m49s
cert-manager-cainjector-9b44ddb68-8c7b9   1/1     Running   0          2m49s
cert-manager-webhook-776b65456-k6br4      1/1     Running   0          2m49s
  2. Create a SelfSigned ClusterIssuer resource in the cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
kubectl get clusterissuers -o wide selfsigned-cluster-issuer
NAME                        READY   STATUS   AGE
selfsigned-cluster-issuer   True             3m
  3. Create a Certificate in a given Namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example
  namespace: default
spec:
  isCA: true
  commonName: example
  secretName: example-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  4. Check the certificate status: it should be in the Ready state and point to a Secret created in the same Namespace.
kubectl get certificate -o wide
NAME      READY   SECRET           ISSUER                      STATUS                                          AGE
example   True    example-secret   selfsigned-cluster-issuer   Certificate is up to date and has not expired   44s

kubectl get secret example-secret
NAME             TYPE                DATA   AGE
example-secret   kubernetes.io/tls   3      70s
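The readiness check above is easy to script once the same information is read in JSON form (kubectl get certificate -o json). The following script is an added example and is not part of the EKS Blueprints Addons documentation or of cert-manager itself: it walks every Certificate in the output, confirms the Ready condition, the secretName and the issuerRef, and then uses the status.notAfter and status.renewalTime fields cert-manager sets to flag certificates that are expired, close to expiry, or past their renewal time without having been renewed. The embedded JSON is a constructed sample modelled on the example Certificate created in the steps above; the 7-day warning threshold and the function names are this example's own choices.

```python
"""Check cert-manager Certificate objects from `kubectl get certificate -o json`.

Added example, not part of the EKS Blueprints Addons docs or of cert-manager.
Assumes the .status fields cert-manager v1 writes on a Certificate
(conditions, notBefore, notAfter, renewalTime).
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: what `kubectl get certificate -o json` returns for the
# `example` Certificate shortly after the self-signed ClusterIssuer signed it.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [{
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {"name": "example", "namespace": "default"},
        "spec": {
            "isCA": True,
            "commonName": "example",
            "secretName": "example-secret",
            "privateKey": {"algorithm": "ECDSA", "size": 256},
            "issuerRef": {"name": "selfsigned-cluster-issuer",
                          "kind": "ClusterIssuer", "group": "cert-manager.io"},
        },
        "status": {
            "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                            "message": "Certificate is up to date and has not expired"}],
            "notBefore": "2024-01-01T00:00:00Z",
            "notAfter": "2024-03-31T00:00:00Z",     # default 90-day duration
            "renewalTime": "2024-03-01T00:00:00Z",  # 2/3 through the lifetime
        },
    }],
})

EXPIRY_WARNING = timedelta(days=7)  # example's own threshold, not a cert-manager default


def _parse_time(value):
    """Parse the RFC 3339 UTC timestamps found in Certificate status fields."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_certificate(cert, now):
    """Return a list of findings for one Certificate; an empty list means it passes."""
    findings = []
    meta = cert["metadata"]
    name = f"{meta['namespace']}/{meta['name']}"
    spec, status = cert.get("spec", {}), cert.get("status", {})

    # Step 4 of the validation: the Ready condition must be True.
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    if ready is None:
        findings.append(f"{name}: no Ready condition yet (issuance still in progress?)")
    elif ready.get("status") != "True":
        findings.append(f"{name}: not Ready ({ready.get('reason')}: {ready.get('message')})")

    # The issued key pair must land in a named Secret in the same namespace.
    if not spec.get("secretName"):
        findings.append(f"{name}: spec.secretName is empty")
    kind = spec.get("issuerRef", {}).get("kind", "Issuer")
    if kind not in ("Issuer", "ClusterIssuer"):
        findings.append(f"{name}: unexpected issuerRef.kind {kind!r}")

    # Lifetime checks from the timestamps cert-manager records after issuance.
    not_after = status.get("notAfter")
    if not_after:
        expiry = _parse_time(not_after)
        if expiry <= now:
            findings.append(f"{name}: expired at {not_after}")
        elif expiry - now < EXPIRY_WARNING:
            findings.append(f"{name}: expires within {EXPIRY_WARNING.days} days ({not_after})")
    renewal = status.get("renewalTime")
    if renewal and _parse_time(renewal) <= now:
        findings.append(f"{name}: renewalTime {renewal} has passed but no renewal observed")
    return findings


def check_all(kubectl_json, now_iso=None):
    """Check every Certificate in a kubectl JSON document; return {name: findings}."""
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    doc = json.loads(kubectl_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {f"{c['metadata']['namespace']}/{c['metadata']['name']}": check_certificate(c, now)
            for c in items}


if __name__ == "__main__":
    # Pipe real output in (kubectl get certificate -A -o json | python3 check_certs.py)
    # or run without input to evaluate the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    for cert_name, found in check_all(data).items():
        print(cert_name, "OK" if not found else "; ".join(found))
```

Run it against a live cluster with kubectl get certificate -A -o json piped into the script; a non-empty findings list for a Certificate is the signal to inspect the Certificate's conditions and the CertificateRequest objects cert-manager created for it. Note that renewalTime is only meaningful as "past due" if the controller is running, so the pod check in step 1 still comes first.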

Resources

GitHub Repo
Helm Chart