
Posted at 2025-03-23

Installing cert-manager


Overview

  • Install cert-manager into the Kubernetes cluster to handle TLS certificates
  • Cloudflare is used for DNS
  • Obtain a wildcard certificate and distribute it to each application's namespace

Environment

  • Cilium was installed in the previous procedure

Preparation

Refer to this to obtain a Cloudflare API Token

Installing Reflector

Reflector is used to copy the certificate Secret into each application's namespace

Add the Helm repository

```sh
helm repo add emberstack https://emberstack.github.io/helm-charts --force-update
```

Helm install

```sh
helm upgrade --install reflector emberstack/reflector
```

Execution log up to this point

```log
carm1:~$ helm repo add emberstack https://emberstack.github.io/helm-charts --force-update
"emberstack" has been added to your repositories
carm1:~$ helm upgrade --install reflector emberstack/reflector
Release "reflector" does not exist. Installing it now.
NAME: reflector
LAST DEPLOYED: Sun Mar 23 01:39:16 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Reflector can now be used to perform automatic copy actions on secrets and configmaps.
carm1:~$
```

Installing cert-manager

Add the Helm repository

```sh
helm repo add jetstack https://charts.jetstack.io --force-update
```

Create values.yml

```sh
mkdir -p ~/yaml/cert-manager
cat <<EOF > ~/yaml/cert-manager/values_cert.yml
crds:
  enabled: true
EOF
```

Helm install

```sh
helm upgrade --install cert-manager jetstack/cert-manager -n cert-manager --create-namespace -f ~/yaml/cert-manager/values_cert.yml
```

Execution log up to this point

```log
carm1:~$ helm repo add jetstack https://charts.jetstack.io --force-update
"jetstack" has been added to your repositories
carm1:~$ mkdir -p ~/yaml/cert-manager
cat <<EOF > ~/yaml/cert-manager/values_cert.yml
crds:
  enabled: true
EOF
carm1:~$ helm upgrade --install cert-manager jetstack/cert-manager -n cert-manager --create-namespace -f ~/yaml/cert-manager/values_cert.yml
Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Sun Mar 23 01:43:39 2025
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.17.1 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/
```

Manifests

Cloudflare Secret

Base64-encode the Cloudflare API Token

```sh
API_TOKEN=$(echo -n "MyToken" | base64)
```

Apply the manifest

```sh
cat <<EOF > ~/yaml/cert-manager/secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare
  namespace: cert-manager
type: Opaque
data:
  token: ${API_TOKEN}
EOF
kubectl apply -f ~/yaml/cert-manager/secret.yml
```

Issuer

Point the Let's Encrypt server at staging. Once the setup has been verified to work, change it to the production URL https://acme-v02.api.letsencrypt.org/directory

```sh
cat <<EOF > ~/yaml/cert-manager/issuer.yml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-dns
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-dns-key
    solvers:
    - dns01:
        cloudflare:
          email: [email protected]
          apiTokenSecretRef:
            name: cloudflare
            key: token
EOF
kubectl apply -f ~/yaml/cert-manager/issuer.yml
```

Certificate

Under spec.secretTemplate.annotations, list the namespaces the certificate should be distributed to

```sh
cat <<EOF > ~/yaml/cert-manager/cert.yml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-hoge-com
  namespace: cert-manager
spec:
  secretName: wildcard-hoge-com-tls
  dnsNames:
    - "*.hoge.com"
  issuerRef:
    name: letsencrypt-dns
    kind: Issuer
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "nginx1,nginx2"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "nginx1,nginx2"
EOF
```

Create the namespaces

```sh
kubectl create ns nginx1
kubectl create ns nginx2
```

Apply the manifest

```sh
kubectl apply -f ~/yaml/cert-manager/cert.yml
```

Confirm that the certificate was created

```sh
kubectl get certificate -n cert-manager
```

Execution log

```log
kcm1:~$ kubectl get certificate -n cert-manager
NAME                 READY   SECRET                   AGE
wildcard-hoge-com   True    wildcard-hoge-com-tls   13d
```

Confirm that the certificate was distributed to the application namespaces

```sh
kubectl get secret -A
```

Execution log

```log
kcm1:~$ kubectl get secret -A
NAMESPACE         NAME                                                                             TYPE                 DATA   AGE
nginx1            wildcard-hoge-com-tls                                                           kubernetes.io/tls    2      13d
nginx2            wildcard-hoge-com-tls                                                           kubernetes.io/tls    2      21h
```
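The following script is an added example, not part of the original post, covering two of the steps above: building the Cloudflare Secret and checking the reflected certificate. It lets kubectl do the base64 encoding (`--dry-run=client -o yaml`) and reads the token from stdin rather than from an argument, so the token never lands in the shell history or the process list; `echo -n` is also replaced with `printf`, since `-n` is not portable across `/bin/sh` implementations. The `check` command then confirms that the `tls.crt` copies Reflector placed in nginx1 and nginx2 are byte-identical to the source in cert-manager (a `kubectl get secret -A` listing only shows that a Secret exists, not that it is current) and prints the issuer, flagging a staging-issued certificate. It assumes the resource names used in the post (Secret `cloudflare`, Certificate Secret `wildcard-hoge-com-tls`, namespaces cert-manager, nginx1, nginx2), that kubectl and openssl are on the PATH for the `secret` and `check` commands, and relies on the fact that Let's Encrypt staging issuers carry "(STAGING)" in their subject name.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers around the Secret and
# verification steps. Assumes the names used in the post: Secret "cloudflare"
# (key "token") in cert-manager, Certificate Secret "wildcard-hoge-com-tls"
# reflected into nginx1 and nginx2. kubectl/openssl are needed only by the
# "secret" and "check" commands; the small helper functions are pure shell.
set -eu

# base64-encode a token with no trailing newline. `echo -n` is not portable
# (some /bin/sh print "-n" literally), so printf is used instead.
b64_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 if an ACME directory URL points at Let's Encrypt staging.
is_staging_acme() {
  case "$1" in
    *acme-staging-v02.api.letsencrypt.org*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if an X.509 issuer line names a Let's Encrypt staging issuer
# (their names contain "(STAGING)"); such certificates are not browser-trusted.
is_staging_issuer() {
  case "$1" in
    *"(STAGING)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the cloudflare Secret manifest with kubectl's client-side dry run so
# the base64 encoding is done by kubectl. The token is read from stdin, e.g.
#   ./script.sh secret < token.txt > ~/yaml/cert-manager/secret.yml
secret_manifest() {
  token=$(cat)
  kubectl create secret generic cloudflare -n cert-manager \
    --from-literal=token="$token" --dry-run=client -o yaml
}

# Print the PEM certificate stored in wildcard-hoge-com-tls in a namespace.
crt_pem() {
  kubectl get secret wildcard-hoge-com-tls -n "$1" \
    -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# SHA-256 of tls.crt in a namespace, used to prove the reflected copies match.
crt_digest() {
  crt_pem "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the reflected copies against the source and inspect the issuer.
check_reflection() {
  src=$(crt_digest cert-manager)
  for ns in nginx1 nginx2; do
    if [ "$(crt_digest "$ns")" = "$src" ]; then
      echo "$ns: tls.crt matches source ($src)"
    else
      echo "$ns: tls.crt DIFFERS from source (reflection missing or stale)" >&2
      return 1
    fi
  done
  issuer=$(crt_pem cert-manager | openssl x509 -noout -issuer)
  echo "$issuer"
  if is_staging_issuer "$issuer"; then
    echo "NOTE: issued by Let's Encrypt STAGING; switch the Issuer to production before relying on it" >&2
  fi
}

case "${1:-}" in
  secret) secret_manifest ;;
  check)  check_reflection ;;
  "")     ;;   # no command: only define the helper functions
  *)      echo "usage: $0 {secret|check}" >&2; exit 2 ;;
esac
```

Run `./script.sh secret < token.txt | kubectl apply -f -` to create the Secret without an intermediate file containing the token, and `./script.sh check` after the Certificate reports READY to confirm every namespace holds the same certificate and to see which Let's Encrypt environment issued it.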