cert-manager


Type: Helm

Namespace: cert-manager

Overview

The cert-manager service is an installation of cert-manager from its Helm chart repository. It creates TLS certificates via Let’s Encrypt and automatically renews them.

This service is only deployed on clusters managed by SQuaRE. If a site uses some other process to manage its certificates, it is the responsibility of that site’s administrative team to acquire and deploy those certificates.

By default, cert-manager creates a cluster issuer (letsencrypt-dns) that obtains certificates from Let's Encrypt by answering ACME DNS-01 challenges through Route 53. Set config.createIssuer to false for environments where cert-manager should be installed but should not create a Route 53 cluster issuer. For more information, see Hostnames and TLS.

Using cert-manager

To configure an ingress to use certificates issued by cert-manager, add a tls section to the ingress and the annotation:

cert-manager.io/cluster-issuer: "letsencrypt-dns"

This should be done on one and only one ingress per environment that uses cert-manager; that ingress's certificate is the one cert-manager issues and renews. The RSP conventionally puts it on the squareone service.
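A complete ingress of this shape, as an added example rather than a manifest from the Phalanx repository: the hostname, the TLS secret name, the backend service name and port, and the ingress class are assumptions, while the annotation value is the cluster issuer this service creates.

```yaml
# Added example, not a manifest from Phalanx. Hostname, secret name, backend
# service and ingress class are assumptions; replace them for a real environment.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: squareone
  namespace: squareone
  annotations:
    # Ask the cluster issuer created by the cert-manager service for the cert.
    cert-manager.io/cluster-issuer: "letsencrypt-dns"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - data.example.org
      # cert-manager creates a Certificate with this same name and stores the
      # issued key pair in this Secret.
      secretName: squareone-tls
  rules:
    - host: data.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: squareone
                port:
                  number: 80
```

Because cert-manager names the Certificate resource after secretName, the Certificate and the Secret share a name; that is what makes it possible to delete both by the same name when testing reissuance after an upgrade.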

Upgrading

Upgrading cert-manager is generally painless. The only custom configuration we use, beyond installing a cluster issuer, is telling the Helm chart to install the Custom Resource Definitions. Since the CRDs come from the chart, check the upstream release notes for CRD or API changes before a major upgrade.

Normally, it is not necessary to explicitly test cert-manager after a routine upgrade. We will notice if certificates expire, and the important ones are monitored. If you want to confirm that cert-manager still works after an upgrade, delete the TLS secret in the squareone namespace; cert-manager should recreate it. (You may also have to delete the Certificate resource of the same name and let Argo CD re-create it to trigger reissuance.) This will cause an outage for the Science Platform while the certificate is missing, so be prepared to port-forward to the Argo CD UI in case something goes wrong.
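The reissuance check above, scripted as an added example that is not part of the Phalanx repository. It assumes that the Certificate and its Secret share a name (the cert-manager ingress-shim names them identically), that both live in the squareone namespace, that kubectl is configured for the target cluster, and a placeholder secret name of squareone-tls that must be overridden to match the environment. Deleting the Certificate as well is opt-in, mirroring the note above that it is only sometimes required.

```shell
#!/bin/sh
# Added example, not from Phalanx: force cert-manager to reissue the squareone
# certificate after an upgrade and wait until the Certificate reports Ready.
# CERT_NAME is an assumed placeholder; set it to the real secret name.
CERT_NAME="${CERT_NAME:-squareone-tls}"
CERT_NAMESPACE="${CERT_NAMESPACE:-squareone}"
DELETE_CERTIFICATE="${DELETE_CERTIFICATE:-0}"   # 1 = also delete the Certificate
TIMEOUT="${TIMEOUT:-300}"                       # seconds to wait for reissuance

# Read "Type=Status" lines (one per status condition) on stdin and succeed only
# if the Certificate reports Ready=True. Pure text processing, so it can be
# exercised with constructed input and no cluster.
cert_is_ready() {
    grep -qx 'Ready=True'
}

# Print the Certificate's conditions in the "Type=Status" form cert_is_ready expects.
cert_conditions() {
    kubectl get certificate "$CERT_NAME" -n "$CERT_NAMESPACE" \
        -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}'
}

# Delete the TLS Secret (and optionally the Certificate, which Argo CD must then
# re-create) and poll until cert-manager has issued a fresh certificate.
reissue_cert() {
    echo "Deleting secret $CERT_NAMESPACE/$CERT_NAME; expect an outage until it is reissued"
    kubectl delete secret "$CERT_NAME" -n "$CERT_NAMESPACE" --ignore-not-found
    if [ "$DELETE_CERTIFICATE" = "1" ]; then
        kubectl delete certificate "$CERT_NAME" -n "$CERT_NAMESPACE" --ignore-not-found
    fi
    elapsed=0
    while [ "$elapsed" -lt "$TIMEOUT" ]; do
        if kubectl get secret "$CERT_NAME" -n "$CERT_NAMESPACE" >/dev/null 2>&1 \
           && cert_conditions | cert_is_ready; then
            echo "Certificate reissued after ${elapsed}s:"
            # Show the subject and validity window of the new leaf certificate.
            kubectl get secret "$CERT_NAME" -n "$CERT_NAMESPACE" \
                -o jsonpath='{.data.tls\.crt}' | base64 -d \
                | openssl x509 -noout -subject -dates
            return 0
        fi
        sleep 10
        elapsed=$((elapsed + 10))
    done
    echo "Certificate not Ready after ${TIMEOUT}s; run 'kubectl describe certificate' and check the cert-manager logs" >&2
    return 1
}

# Only act when invoked with --run, so sourcing or testing this file touches nothing.
if [ "${1:-}" = "--run" ]; then
    reissue_cert
fi
```

Run it as `CERT_NAME=<real-secret-name> sh reissue.sh --run` once you are ready for the outage; a non-zero exit after the timeout is the cue to fall back to the Argo CD UI.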

Guides