Cert Manager
This is the known good design for Cert Manager using Helm or ArgoCD.
Overview
Cert Manager Overview
Cert Manager is a Kubernetes-native tool that automates the management and issuance of TLS certificates. It integrates seamlessly with certificate authorities like Let’s Encrypt and HashiCorp Vault, making it a vital component for securing Kubernetes workloads. Cert Manager handles certificate lifecycle management, including issuance, renewal, and revocation, ensuring your clusters remain compliant with security standards.
Key Features
- Automated Certificate Renewal: Avoid downtime caused by expired certificates.
- Support for Multiple Certificate Authorities: Flexible configuration for various environments.
- Built-in Validation Mechanisms: Includes HTTP-01, DNS-01, and TLS-ALPN-01 challenges.
- Custom Resource Definitions (CRDs): Extends Kubernetes functionality with Certificate and Issuer resources.
Implementation Details
Option A: Helm Installation
Step 1: Install Cert Manager
Install Cert Manager using Helm to manage the CRDs and its deployment:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.9.1 \
  --set installCRDs=true
For more detailed steps on using ArgoCD to install applications like Cert Manager, refer to the ArgoCD Post.
You can also refer to the Rancher Documentation for specific guidance on installing Cert Manager for Rancher.
Step 2: Verify Installation
Check that the Cert Manager pods are running:

kubectl get pods -n cert-manager

Expected output:

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-xxxxxxx-xxxxx                 1/1     Running   0          1m
cert-manager-cainjector-xxxxxxx-xxxxx      1/1     Running   0          1m
cert-manager-webhook-xxxxxxx-xxxxx         1/1     Running   0          1m
Step 3: Create a ClusterIssuer
The ClusterIssuer defines the certificate authority used for issuing certificates. For Let’s Encrypt, use the following configuration:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Apply the ClusterIssuer:
kubectl apply -f cluster-issuer.yaml
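The page shows the issuer but not what consumes it. The following is an added example, not part of the original page: a second ClusterIssuer pointing at the Let’s Encrypt staging environment (so test issuance does not count against production rate limits) and a Certificate resource that requests a TLS secret from it. The names `letsencrypt-staging`, `web`, `web-example-com` and the hostname `web.example.com` are assumptions; the e-mail address is a placeholder.

```yaml
# Staging issuer: identical to the production issuer except for the ACME server URL.
# Certificates it issues are not browser-trusted, which is what you want while
# validating solver configuration.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging                # assumed name
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                 # placeholder address
    privateKeySecretRef:
      name: letsencrypt-staging            # ACME account key, stored in the cert-manager namespace
    solvers:
    - http01:
        ingress:
          class: nginx
---
# A Certificate requests a key pair and leaf certificate from the issuer and
# stores them in spec.secretName as a kubernetes.io/tls Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-example-com                    # assumed name
  namespace: web                           # assumed namespace of the workload/Ingress
spec:
  secretName: web-example-com-tls
  issuerRef:
    name: letsencrypt-staging              # switch to letsencrypt-prod once issuance works
    kind: ClusterIssuer
  dnsNames:
  - web.example.com                        # assumed hostname; must resolve to the Ingress for HTTP-01
  # spec.duration is omitted on purpose: ACME CAs such as Let's Encrypt set the
  # lifetime themselves (90 days) and ignore a requested duration.
  renewBefore: 720h                        # start renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                 # generate a fresh private key on every renewal
```

After applying, `kubectl -n web get certificate web-example-com` should show READY True; if it stays False, `kubectl -n web describe certificate web-example-com` and the associated CertificateRequest, Order and Challenge objects show which step of the ACME flow is failing. Once the staging issuer works, change `issuerRef.name` to `letsencrypt-prod` and re-apply; cert-manager re-issues the secret from the production CA.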
Option B: ArgoCD Installation
Step 1: Install Cert Manager
To automate Cert Manager deployment using ArgoCD, create the following Application resource:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager
  namespace: argocd
spec:
  destination:
    namespace: cert-manager
    server: https://kubernetes.default.svc
  project: cluster-services
  source:
    chart: cert-manager
    repoURL: https://charts.jetstack.io
    targetRevision: v1.16.2
    helm:
      parameters:
      - name: installCRDs
        value: 'true'
      - name: prometheus.enabled
        value: 'true'
      - name: prometheus.serviceMonitor.enabled
        value: 'true'
      - name: prometheus.serviceMonitor.namespace
        value: monitoring
      - name: featureGates
        value: ServerSideApply=true
      - name: extraArgs
        value: '{--dns01-recursive-nameservers=1.1.1.1:53}'
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
Apply this configuration to ArgoCD:
kubectl apply -f cert-manager-argocd.yaml
Monitoring and Troubleshooting
Monitoring Certificates
Cert Manager exposes metrics compatible with Prometheus:
- Install Prometheus Operator in your cluster.
- Configure a ServiceMonitor for Cert Manager:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  selector:
    matchLabels:
      app: cert-manager
  endpoints:
  - port: http-metrics
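Scraping the metrics is only useful if something acts on them. The following PrometheusRule is an added example, not part of the original page, that alerts on the two conditions an operator most needs to know about: a Certificate whose Ready condition is False, and a certificate that is close to expiry (which, given the default renewal window, means renewal has been failing silently). The metric names `certmanager_certificate_ready_status` and `certmanager_certificate_expiration_timestamp_seconds` are the ones cert-manager exports; the rule name and the `release: prometheus` label are assumptions that must match your Prometheus Operator's rule selector.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: cert-manager-alerts                # assumed name
  namespace: cert-manager
  labels:
    release: prometheus                    # assumption: must match the ruleSelector of your Prometheus CR
spec:
  groups:
  - name: cert-manager
    rules:
    # Ready=False means issuance or renewal failed. Inspect the Certificate's
    # CertificateRequest, Order and Challenge objects to see which step broke.
    - alert: CertManagerCertificateNotReady
      expr: certmanager_certificate_ready_status{condition="False"} == 1
      for: 15m
      labels:
        severity: warning
      annotations:
        summary: "Certificate {{ $labels.namespace }}/{{ $labels.name }} is not Ready"
    # Fewer than 14 days of validity left. cert-manager's default renewBefore is one
    # third of the lifetime (30 days for a 90-day Let's Encrypt certificate), so if
    # this fires, renewal attempts have been failing for at least two weeks.
    - alert: CertManagerCertificateExpiringSoon
      expr: (certmanager_certificate_expiration_timestamp_seconds - time()) < (14 * 24 * 3600)
      for: 1h
      labels:
        severity: critical
      annotations:
        summary: "Certificate {{ $labels.namespace }}/{{ $labels.name }} expires in less than 14 days"
```

The expiry threshold (14 days) is deliberately inside the default 30-day renewal window so the alert only fires when automatic renewal has already had time to succeed and did not; raise it if you configure a longer `renewBefore`.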
Common Issues
- Challenge Validation Failure: Check the DNS records or Ingress configuration to ensure the challenge is reachable.
- Rate Limits: Use staging servers for testing to avoid hitting Let’s Encrypt’s rate limits.
Considerations
- Resource Allocation: Cert Manager’s webhook can be resource-intensive. Ensure your cluster has adequate resources.
- Namespace Scope: Use Issuer for certificates within a namespace and ClusterIssuer for cluster-wide certificates.
- Backup Certificates: Regularly back up secrets containing certificate keys to avoid downtime in case of data loss.
- RBAC Permissions: Ensure the cert-manager service account has sufficient permissions in all relevant namespaces.
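To make the Issuer versus ClusterIssuer distinction concrete, here is an added example (not from the original page) of a namespace-scoped Issuer backed by an internal CA, together with a Certificate that references it with `kind: Issuer`. The namespace `payments`, the names `internal-ca` and `payments-api`, and the Secret name `internal-ca-keypair` are assumptions; the Secret is expected to be a `kubernetes.io/tls` Secret holding the CA's `tls.crt` and `tls.key`.

```yaml
# Namespace-scoped issuer: a CA issuer signing with an internal CA key pair.
# For an Issuer the referenced Secret must be in the same namespace as the Issuer,
# so the CA private key never has to be readable outside this namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca                        # assumed name
  namespace: payments                      # assumed namespace
spec:
  ca:
    secretName: internal-ca-keypair        # assumed: kubernetes.io/tls Secret with the CA's tls.crt and tls.key
---
# Only Certificates in the same namespace can reference this Issuer. A Certificate in
# another namespace using issuerRef {name: internal-ca, kind: Issuer} would stay
# not-Ready with an "issuer not found" condition; that is the scoping the
# Considerations list describes.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api                       # assumed name
  namespace: payments
spec:
  secretName: payments-api-tls
  issuerRef:
    name: internal-ca
    kind: Issuer                           # namespace-scoped; use ClusterIssuer for cluster-wide CAs
  commonName: payments-api.payments.svc
  dnsNames:
  - payments-api.payments.svc
  - payments-api.payments.svc.cluster.local
  duration: 720h                           # 30 days; honoured by the CA issuer, unlike ACME
  renewBefore: 240h                        # renew 10 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
```

If the same CA should serve many namespaces, promote it to a ClusterIssuer instead; in that case cert-manager reads the CA Secret from its own cluster resource namespace (the cert-manager namespace by default), which is also where the backup consideration above applies most.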