buun-stack/cert-manager/README.md
2025-11-10 21:31:35 +09:00

# cert-manager Module
cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various sources. It provides a common API for certificate issuers and ensures certificates are valid and up to date.
## Features
- **Automatic Certificate Renewal**: Automatically renews certificates before they expire
- **Multiple Issuers**: Supports Let's Encrypt, HashiCorp Vault, Venafi, self-signed, and more
- **Kubernetes Native**: Uses Custom Resource Definitions (CRDs) for certificate management
- **Webhook Integration**: Provides admission webhooks for validating and mutating certificate resources
## Prerequisites
- Kubernetes cluster (installed via `just k8s::install`)
- kubectl configured with cluster admin permissions
## Installation
### Basic Installation
```bash
# Install cert-manager with default settings
just cert-manager::install
```
### Environment Variables
Key environment variables (set via `.env.local` or environment):
```bash
CERT_MANAGER_NAMESPACE=cert-manager # Namespace for cert-manager
CERT_MANAGER_CHART_VERSION=v1.19.1 # cert-manager Helm chart version
```
## Usage
### Check Status
```bash
# View status of cert-manager components
just cert-manager::status
```
### Create a Self-Signed Issuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```
Apply the resource:
```bash
kubectl apply -f issuer.yaml
```
### Create a Certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: default
spec:
  secretName: example-cert-tls
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - www.example.com
```
Apply the resource:
```bash
kubectl apply -f certificate.yaml
```
### View Certificates
```bash
# List all certificates
kubectl get certificates -A
# Describe a specific certificate
kubectl describe certificate example-cert -n default
```
## Components
cert-manager installs three main components:
1. **cert-manager**: Main controller managing Certificate resources
2. **cert-manager-webhook**: Admission webhook for validating and mutating cert-manager resources
3. **cert-manager-cainjector**: Injects CA bundles into webhooks and API services
## Used By
cert-manager is required by:
- **KServe**: For webhook TLS certificates
## Upgrade
```bash
# Upgrade cert-manager to a new version
just cert-manager::upgrade
```
## Uninstall
```bash
# Remove cert-manager
just cert-manager::uninstall
```
This will:
- Uninstall cert-manager Helm release
- Delete cert-manager CRDs
- Delete namespace
**Warning**: Uninstalling will remove all Certificate, Issuer, and ClusterIssuer resources.
## Troubleshooting
### Check Controller Logs
```bash
kubectl logs -n cert-manager -l app=cert-manager
```
### Check Webhook Logs
```bash
kubectl logs -n cert-manager -l app=webhook
```
### Verify CRDs
```bash
kubectl get crd | grep cert-manager.io
```
### Check Certificate Status
```bash
kubectl get certificate -A
kubectl describe certificate <name> -n <namespace>
```
Common issues:
- **Certificate not ready**: Check issuer configuration and logs
- **Webhook errors**: Ensure cert-manager webhook is running and healthy
- **DNS validation failures**: For ACME issuers, ensure DNS records are correct
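The status checks above can be scripted. The following Python script is an added example, not part of the buun-stack module: it reads the JSON that `kubectl get certificates -A -o json` prints (a constructed sample is embedded so it runs offline) and lists every Certificate that has no `Ready=True` condition or whose `notAfter` falls within 14 days, which is the first thing to look at for the "Certificate not ready" case.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get certificates -A -o json` output (not real cluster data).
SAMPLE_LIST = {"items": [
    {"metadata": {"name": "example-cert", "namespace": "default"},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
                "notAfter": "2025-12-01T00:00:00Z", "renewalTime": "2025-11-11T00:00:00Z"}},
    {"metadata": {"name": "broken-cert", "namespace": "apps"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "IssuerNotFound",
                                "message": "Referenced ClusterIssuer not found"}]}},
]}


def parse_k8s_time(value):
    """Parse an RFC 3339 UTC timestamp in the form the Kubernetes API prints it."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(cert_list, now, warn_days=14):
    """Return (namespace/name, problem) pairs for Certificates that are not Ready
    or whose notAfter falls within warn_days of `now`."""
    findings = []
    for item in cert_list.get("items", []):
        meta = item["metadata"]
        ident = f"{meta['namespace']}/{meta['name']}"
        status = item.get("status", {})
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
        if ready is None or ready.get("status") != "True":
            # No Ready=True condition: issuer misconfiguration, webhook failure, ACME/DNS problem, etc.
            findings.append((ident, "not ready: " + (ready or {}).get("reason", "NoReadyCondition")))
            continue
        not_after = status.get("notAfter")
        if not_after and parse_k8s_time(not_after) - now < timedelta(days=warn_days):
            # Ready but close to expiry: renewal may be stuck; compare against status.renewalTime.
            findings.append((ident, f"expires within {warn_days} days: {not_after}"))
    return findings


if __name__ == "__main__":
    # Pipe `kubectl get certificates -A -o json` on stdin, or run with no input to use the sample.
    data = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for ident, problem in triage(data, datetime.now(timezone.utc)):
        print(f"{ident}: {problem}")
```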
## References
- [cert-manager Documentation](https://cert-manager.io/docs/)
- [cert-manager GitHub](https://github.com/cert-manager/cert-manager)
- [Helm Chart Configuration](https://artifacthub.io/packages/helm/cert-manager/cert-manager)
- [Supported Issuers](https://cert-manager.io/docs/configuration/)