cert-manager

16 commands

16 shown

Install cert-manager via Helm Install cert-manager with CRDs into its own namespace helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true #cert-manager#tls#k8s#helm Check cert-manager pods Verify all cert-manager components are running kubectl get pods -n cert-manager #cert-manager#tls#k8s#debug List certificates List all Certificate resources across namespaces kubectl get certificates -A #cert-manager#tls#k8s Describe certificate Show status and events for a Certificate resource kubectl describe certificate my-cert -n default #cert-manager#tls#k8s#debug List certificate requests List all CertificateRequest objects kubectl get certificaterequests -A #cert-manager#tls#k8s Create ClusterIssuer (Let's Encrypt) Apply a ClusterIssuer manifest for Let's Encrypt ACME kubectl apply -f clusterissuer-letsencrypt.yaml #cert-manager#tls#letsencrypt#acme Check ClusterIssuers List all ClusterIssuer resources and their ready status kubectl get clusterissuers #cert-manager#tls#issuer Manually trigger renewal Force cert-manager to renew a certificate immediately kubectl annotate certificate my-cert cert-manager.io/issueTime="$(date -u +%Y-%m-%dT%H:%M:%SZ)" --overwrite #cert-manager#tls#renew View cert-manager logs Stream logs from the main cert-manager controller kubectl logs -n cert-manager deploy/cert-manager -f #cert-manager#tls#logs#debug cmctl check API Verify cert-manager API is ready using the cmctl CLI cmctl check api #cert-manager#tls#cmctl#cli Create ClusterIssuer (Let's Encrypt) Create Let's Encrypt prod ClusterIssuer with HTTP-01 solver kubectl apply -f - <<EOF apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-prod spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: admin@example.com privateKeySecretRef: name: letsencrypt-prod solvers: - http01: ingress: class: nginx EOF #cert-manager#tls#letsencrypt#acme Force certificate renewal Trigger immediate reissue without waiting for the renewal window; watch a new CertificateRequest spawn cmctl renew <name> -n <ns> #cert-manager#tls#secrets#k8s Certificate status playbook End-to-end view: Certificate, Request, Order, Challenge and the exact ACME failure reason cmctl status certificate <name> -n <ns> #cert-manager#tls#troubleshooting#debug Inspect issued secret contents Decode the tls.crt and show issuer, SANs, validity without manual openssl x509 piping cmctl inspect secret <name> -n <ns> #cert-manager#tls#secrets#security DNS01 Route53 ClusterIssuer DNS01 issuer for wildcard certs; IRSA/secret must grant route53 change-record perms kubectl apply -f - <<EOF apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-dns spec: acme: server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: letsencrypt-dns solvers: - dns01: route53: region: us-east-1 hostedZoneID: <id> EOF #cert-manager#tls#dns#cloud Stuck ACME challenges List pending validations and read the propagation/self-check error blocking issuance kubectl get challenges -A -o wide && kubectl describe challenge -n <ns> <name> #cert-manager#tls#dns#troubleshooting
no commands match