Updated at April 15, 2024   08:50 AM

Working with cert-manager using Helm 3

You can manage certificates in Kubernetes clusters using cert-manager:

  • Issue certificates (including self-signed ones) by sending requests to the sources that act as Certificate Authority (CA).

    Examples of the sources:

    • Cybersecurity solutions providers such as Venafi.
    • Certificate providers, such as Let’s Encrypt.
    • Storage for secrets, such as HashiCorp Vault.
    • Local containers containing the public part of a certificate and private key.
  • Automatically reissue expiring certificates.

A certificate issued with cert-manager will be available to other Kubernetes resources. For example, it can be used by Ingress.

This article shows how to install and upgrade cert-manager using Helm 3 in Kubernetes clusters. A self-signed certificate is also issued to confirm that cert-manager is operational.

Preparatory steps

  1. If you do not already have a Kubernetes cluster, then create one.

  2. Determine the cluster's version.

  3. Install the kubectl utility on the host from which you plan to connect to the cluster, if the utility is not already installed.

    Select the version of kubectl that is compatible with the cluster.

  4. Make sure that you can connect to the cluster using kubectl.

  5. Install Helm 3.0.0 or higher on the host from which you plan to connect to the cluster, if the utility is not already installed.

    Select the version of Helm that is compatible with the cluster.

1. Add the repository and select the version to install

  1. Add the cert-manager repository:

    helm repo add jetstack https://charts.jetstack.io
  2. Update the charts cache:

    helm repo update
  3. List available cert-manager charts and their versions:

    helm search repo jetstack -l
  4. Select the cert-manager version to install on the cluster.

    See the compatibility table for cert-manager and Kubernetes in the official cert-manager documentation.

2. Install cert-manager

  1. Install the Custom Resource Definitions (CRDs) required by cert-manager to operate.

    The CRDs are installed manually using kubectl. This is the advised approach because it is the most secure.

    Execute the command:

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.3/cert-manager.crds.yaml
  2. Install the selected version of cert-manager.

    This command installs a release named cert-manager in the cert-manager namespace. If such a namespace does not exist in the cluster, then it will be created automatically.

    helm install cert-manager jetstack/cert-manager \
      --version v1.11.3 \
      --namespace cert-manager \
      --create-namespace

    On successful installation, Helm displays a message containing:

    • STATUS: deployed.
    • NOTES: cert-manager v1.11.3 has been deployed successfully!.

3. Confirm cert-manager operability

  1. Verify that all the necessary pods have been successfully created in the cert-manager namespace. The pods should be in the Running state:

    kubectl get pods -n cert-manager
  2. Issue a self-signed certificate for testing:

    1. Create a manifest:

      This manifest contains the descriptions of:

      • The cert-manager-test namespace. The Issuer and Certificate resources will be placed in this namespace.
      • The Issuer resource that is responsible for issuing self-signed certificates.
      • The Certificate resource that holds the parameters of the self-signed certificate to be issued.
    2. Apply the manifest:

      kubectl apply -f cert-manager-test-resources.yaml

      The described resources will be created. In addition, cert-manager will automatically create other necessary resources.

    3. Verify that all the necessary resources have been successfully created in the cert-manager-test namespace:

      kubectl get issuers,clusterissuers,certificates,certificaterequests,orders,challenges,secrets -n cert-manager-test

      The command's output should contain:

      • Issuer and Certificate in the READY: True status. Their configuration was described in the manifest.
      • CertificateRequest in the READY: True status.
      • Secret containing the certificate's data.
    4. Verify the certificate's status:

      kubectl describe certificate selfsigned-cert -n cert-manager-test

      If the certificate has been successfully issued:

      • Status information (Status) will contain the string "Certificate is up to date and has not expired".
      • The Events list will contain an event with the message "The certificate has been successfully issued".

    If the certificate has been successfully issued, then cert-manager is correctly installed and operates normally.
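
A manifest matching the description in the "Create a manifest" step, given here as an added example that is not part of the original page. The names cert-manager-test and selfsigned-cert come from the commands above; the Issuer name, Secret name, DNS name, lifetime and private key settings are assumptions.

```yaml
# cert-manager-test-resources.yaml (added example, not from the original page)
# Namespace that holds the test Issuer and Certificate.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
# Namespaced Issuer that signs certificates with their own private key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned            # assumed name
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
# Parameters of the self-signed certificate to be issued.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert            # name used by "kubectl describe certificate" above
  namespace: cert-manager-test
spec:
  secretName: selfsigned-cert-tls  # assumed name of the Secret that receives the key pair
  dnsNames:
    - example.com                  # constructed sample value
  duration: 24h                    # assumed short lifetime, enough for a test
  renewBefore: 8h                  # assumed: reissue 8 hours before expiry
  privateKey:
    algorithm: ECDSA               # assumed key type
    size: 256
    rotationPolicy: Always         # assumed: new private key on every reissue
  issuerRef:
    name: test-selfsigned
    kind: Issuer
```

The Secret named in secretName holds the private key, so access to the cert-manager-test namespace should be limited to those who need it, even for a test certificate.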

4. (Optional) Back up the cert-manager resources

A backup of the Issuer, ClusterIssuer and Certificate resources will be created. The following resources are not part of the backup:

  • CertificateRequests resources. It is not advised to include such resources in the backup, as it may complicate restoring from the backup.

  • Secrets that directly store the certificate's data, including the private key.

To create a backup, execute the command:

kubectl get -o yaml \
  --all-namespaces \
  issuer,clusterissuer,certificate \
  > cert-manager-backup.yaml

Read about advanced backups and restoring from backup in the official cert-manager documentation.

5. Upgrade cert-manager

  1. Check the version of the installed cert-manager release:

    helm list --namespace cert-manager
  2. Update the charts cache:

    helm repo update
  3. List available cert-manager charts and their versions:

    helm search repo jetstack -l
  4. Review the official cert-manager documentation about the upgrade. It contains upgrade recommendations, a list of breaking changes, and other useful information.

    In particular, it is advised to upgrade one minor version at a time (for example, 1.11.3 → 1.12.3).

  5. Select the version to upgrade to.

    See the compatibility table for cert-manager and Kubernetes in the official cert-manager documentation.

  6. Upgrade the CRDs installed in the cluster.

    Since these CRDs have been installed manually, upgrade them manually as well before upgrading cert-manager itself.

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.crds.yaml
  7. Upgrade the cert-manager release to the selected version:

    helm upgrade cert-manager jetstack/cert-manager \
      --version v1.12.3 \
      --namespace cert-manager

    On successful completion of the upgrade, Helm will display the message with:

    • Release "cert-manager" has been upgraded. Happy Helming!.
    • STATUS: deployed.
    • NOTES: cert-manager v1.12.3 has been deployed successfully!.

Delete unused resources

  1. If you no longer need the test resources created to confirm cert-manager operability, delete them:

    kubectl delete -f cert-manager-test-resources.yaml
  2. If cert-manager has been installed for testing purposes and you no longer need it, then delete all resources associated with it:

    1. Make sure that there are no resources created by cert-manager in the cluster:

      kubectl get issuers,clusterissuers,certificates,certificaterequests,orders,challenges --all-namespaces

      If there are such resources, delete them.

    2. Delete the cert-manager release:

      helm delete cert-manager --namespace cert-manager
    3. Delete the cert-manager namespace:

      kubectl delete ns cert-manager
    4. Delete the CRDs installed in the cluster for cert-manager:

      kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.crds.yaml