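# Install
# The URL is written bare: wrapped in <...> the shell would parse it as
# redirection and `helm repo add` would fail.
helm repo add jetstack https://charts.jetstack.io
helm repo update
# Chart values reference: https://artifacthub.io/packages/helm/cert-manager/cert-manager
# Adjust the --set flags below to suit your cluster.
# NOTE(review): the chart version is pinned to v1.6.1 as given on this page.
# Before installing, confirm it is still a supported cert-manager release for
# your Kubernetes version; unsupported releases get no security fixes.
# Each continuation line ends in a single backslash; a doubled backslash is a
# literal character and would end the command early.
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.6.1 \
  --set prometheus.enabled=true \
  --set webhook.timeoutSeconds=4 \
  --set installCRDs=true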
# Issuer
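# cf-issuer.yaml
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prd
  # An Issuer is namespaced and no namespace is set here, so it is created in
  # whichever namespace `kubectl apply` targets. That must be the namespace of
  # the Certificates that reference it and of the API-token Secret used below.
spec:
  acme:
    # Placeholder: the real address was obfuscated on the page. Use the
    # contact address for the ACME account. Keep it quoted.
    email: 'you@example.com'
    # Let's Encrypt production endpoint, which is rate limited. While testing
    # the solver, point this at the staging endpoint instead:
    # https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret in which cert-manager keeps the ACME account private key.
      # Restrict read access to it: it authenticates this ACME account.
      name: letsencrypt-prd
    solvers:
      # Choose a DNS01 provider:
      # https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers
      - dns01:
          cloudflare:
            # Placeholder, as above: the Cloudflare account e-mail.
            email: 'you@example.com'
            # The token is read from a Secret by reference, so it never
            # appears in this manifest.
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token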
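# cloudflare-api-token-secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  # No namespace is set: create this Secret in the same namespace as the
  # Issuer that references it, otherwise the solver cannot read the token.
type: Opaque
stringData:
  # Placeholder: substitute the real token at deploy time and never commit it
  # to version control. Scope the Cloudflare token to the zone(s) being
  # validated and to the DNS permissions cert-manager needs, because anyone
  # who can read this Secret can edit DNS records for those zones.
  api-token: '<cloudflare-api-token>'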
Create a Certificate ⇒ the controller watches for the change ⇒ the issuer issues the cert ⇒ the key pair is stored in the Secret
# Certificate
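# zsnmwy-certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # Name of the Certificate resource.
  name: zsnmwy-net
  namespace: default
spec:
  # The issued key pair (private key and certificate) is stored in this
  # Secret. It is valid for every name matched by the wildcard below, so
  # keep read access to it narrow.
  secretName: zsnmwy-net-tls
  issuerRef:
    name: letsencrypt-prd
    # Stated explicitly; Issuer is also the default kind. A namespaced Issuer
    # is only resolved in this Certificate's own namespace (default).
    kind: Issuer
  dnsNames:
    # Quoted so the leading '*' is not read as a YAML alias. Wildcard names
    # can only be validated with a DNS-01 solver.
    - '*.zsnmwy.net'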
$ k get certificate
NAME READY SECRET AGE
harbor-core-tls True harbor-core-tls 12h
harbor-notary-tls True harbor-notary-tls 12h
test-zsnmwy-net True test-zsnmwy-net-tls 13h
zsnmwy-net-tls True zsnmwy-net-tls 15h
If you add the cert-manager annotations (for example `cert-manager.io/issuer: letsencrypt-prd`) when creating an Ingress resource, the Certificate is created automatically.