DEV Community

Amritanshu Pandey
Amritanshu Pandey

Posted on

Create self signed certificates for Kubernetes using cert-manager

Install Cert manager in Kubernetes

Read this for up-to-date instructions: https://cert-manager.io/docs/installation/kubernetes/

# Kubernetes 1.16+
$ kubectl apply —validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.2/cert-manager.yaml
Enter fullscreen mode Exit fullscreen mode

Create a keypair secret

In this step create a new k8s secret that contains the TLS CA cert and key that is used by cert manager to issue new certificates. As a prerequisite, we need a CA certificate and associated key encoded in base64.

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: default
data:
  tls.crt: <tls-key-base64-encoded>
  tls.key: <tls-key-base64-encoded>
Enter fullscreen mode Exit fullscreen mode

Create an issuer

Issuers are used by Cert manager to issue new certificates

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: default
spec:
  ca:
    secretName: ca-key-pair
Enter fullscreen mode Exit fullscreen mode

Create certificates

This creates new certificate using the issuer and CA key pair created earlier. In the following example, the certificate is stored as k8s secret k8s-xps-lan in default namespace.

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: k8s-xps-lan
  namespace: default
spec:
  secretName: k8s-xps-lan
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
  commonName: k8s.xps.lan
  organization:
  - XPS.LAN
  dnsNames:
  - gitlab.xps.lan
  - minio.xps.lan
  - registry.xps.lan
  - k8s.xps.lan
  - kibana.xps.lan
  - elastic.xps.lan
Enter fullscreen mode Exit fullscreen mode

In a separate post, we will see how this certificate can be used by ingress-nginx and other applications.

Top comments (1)

Collapse
 
manish_jain_3847713b19e18 profile image
Manish Jain

I followed this step. And then, I added the CA.crt in to local root trusted store. And updated my local hosts file.

But, still the connection was not trusted. But, certificate shows that issuer is acutally, ca-issuer.

Kindly help.

Regards
Manish