cert-manager¶
Edit on GitHub |
|
Type |
|
Namespace |
|
Overview
The cert-manager service is an installation of cert-manager from its Helm chart repository.
It creates TLS certificates via Let’s Encrypt and automatically renews them.
This service is only deployed on clusters managed by SQuaRE. If a site uses some other process to manage its certificates, it is the responsibility of that site’s administrative team to acquire and deploy those certificates.
cert-manager creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default.
Set config.createIssuer to false for environments where cert-manager should be installed but not use a Route 53 cluster issuer.
For more information, see Hostnames and TLS.
Using cert-manager
To configure an ingress to use certificates issued by it, add a tls configuration to the ingress and the annotation:
cert-manager.io/cluster-issuer: "letsencrypt-dns"
This should be done on one and only one ingress for a deployment using cert-manager.
The RSP conventionally uses the squareone service.
Upgrading
Upgrading cert-manager is generally painless. The only custom configuration that we use, beyond installing a cluster issuer, is to tell the Helm chart to install the Custom Resource Definitions.
Normally, it’s not necessary to explicitly test cert-manager after a routine upgrade.
We will notice if the certificates expire, and have monitoring of the important ones.
However, if you want to be sure that cert-manager is still working after an upgrade, delete the TLS secret in the squareone namespace.
It should be recreated by cert-manager.
(You may have to also delete the Certificate resource of the same name and let Argo CD re-create it to trigger this.)
This may cause an outage for the Science Platform since it is using this certificate, so you may want to be prepared to port-forward to get to the Argo CD UI in case something goes wrong.
Guides
See also