
cert-manager for k8s

A cert-manager Helm chart is available for k8s. It supports Let's Encrypt, and we can have it renew the certificate before it expires (3 months).

install cert-manager

$ kubectl create ns cert-manager
$ kubectl apply -f cert-manager.crds.yaml
$ helm install cert-manager -n cert-manager cert-manager-v1.6.1.tgz -f install.cert-manager.values.yaml

Exporting the certificate for use by external services

Create a Certificate resource and wait for the issued certificate to appear in the Secret.
Export the certificate and key:

$ kubectl get secret wangkexiong.duckdns.org-tls -n certificate -o template --template='{{ index .data "tls.crt" }}' | base64 -d
$ kubectl get secret wangkexiong.duckdns.org-tls -n certificate -o template --template='{{ index .data "tls.key" }}' | base64 -d

The crt and key above can be used by nginx directly. To pick up renewals automatically, use a cron job to fetch the latest certificate and key from the Secret; nginx keeps the old certificate in memory, so reload it after the files change.

$ cat /etc/nginx/nginx.conf

...
server {
    listen 80;              # plain HTTP; http2 belongs on the TLS listener only
    listen 443 ssl http2;
    ssl_certificate     /etc/pki/nginx/wangkexiong.duckdns.org.crt;
    ssl_certificate_key /etc/pki/nginx/wangkexiong.duckdns.org.key;
    ssl_protocols       TLSv1.2;
...
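The refresh job described above, as an added example that is not part of the original post: it copies the certificate and key from the cert-manager Secret into the nginx paths, replaces the files atomically with owner-only permissions, and reloads nginx only when something changed. Secret name, namespace and file paths are taken from the post; the HOST variable, the reload commands and the crontab line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): refresh nginx cert files
# from the cert-manager Secret; HOST and the nginx commands are assumed.
set -eu
umask 077   # new files are created owner-readable only
SECRET="wangkexiong.duckdns.org-tls"
NAMESPACE="certificate"
HOST="wangkexiong.duckdns.org"
CERT_DIR="/etc/pki/nginx"

# Print one field of the Secret (tls.crt or tls.key) base64-decoded;
# fail if it is empty so a broken kubectl call never wipes the files.
fetch_field() {
    out=$(kubectl get secret "$SECRET" -n "$NAMESPACE" \
            -o go-template="{{ index .data \"$1\" }}" | base64 -d)
    [ -n "$out" ] || { echo "no $1 in secret $SECRET" >&2; return 1; }
    printf '%s\n' "$out"
}

# install_if_changed <dest>: reads new content from stdin and replaces
# <dest> atomically (temp file in the same directory, then rename) only
# if it differs. Returns 0 when replaced, 1 when already current.
install_if_changed() {
    dest="$1"
    tmp=$(mktemp "$dest.XXXXXX")
    cat > "$tmp"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest"
    return 0
}

# Copy the current certificate and key; reload nginx only on change.
refresh() {
    crt=$(fetch_field tls.crt)   # set -e aborts here if the Secret is empty
    key=$(fetch_field tls.key)
    changed=0
    printf '%s\n' "$crt" | install_if_changed "$CERT_DIR/$HOST.crt" && changed=1
    printf '%s\n' "$key" | install_if_changed "$CERT_DIR/$HOST.key" && changed=1
    if [ "$changed" -eq 1 ]; then
        nginx -t           # validate the config before reloading (assumed)
        nginx -s reload    # a failure here exits non-zero, so cron reports it
    fi
}

case "${1:-}" in run) refresh ;; esac
```

Run it from cron with the `run` argument (assumed schedule: `0 3 * * * /usr/local/sbin/refresh-cert.sh run`); cert-manager renews the Secret well before the 3-month expiry, so a daily copy is enough.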