Install cert-manager in k3s with local CA

Installs and configures cert-manager on a Kubernetes cluster using a self-hosted CA. cert-manager automates the issuance and renewal of TLS certificates via a ClusterIssuer backed by your own CA key and certificate.

Create namespace

kubectl create namespace cert-manager

Add Helm repository

helm repo add jetstack https://charts.jetstack.io
helm repo update

Install cert-manager

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --set crds.enabled=true

Create CA secret and ClusterIssuer

kubectl create secret tls my-local-ca-secret \
  --namespace cert-manager \
  --cert=/local-ca/ca.pem \
  --key=/local-ca/ca.key

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: local-ca-issuer
spec:
  ca:
    secretName: my-local-ca-secret
EOF

Test: issue a certificate

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-test-certificate
  namespace: istio-system
spec:
  secretName: my-test-certificate-secret
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: api.gmk.lan
  isCA: false
  usages:
    - server auth
    - client auth
  dnsNames:
    - api.gmk.lan
    - test.api.gmk.lan
  issuerRef:
    name: local-ca-issuer
    kind: ClusterIssuer
EOF

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Install cert-manager in k3s with local CA

Create namespace

Add Helm repository

Install cert-manager

Create CA secret and ClusterIssuer

Test: issue a certificate

FilesExpand file tree

readme.md

Latest commit

History

readme.md

File metadata and controls

Install cert-manager in k3s with local CA

Create namespace

Add Helm repository

Install cert-manager

Create CA secret and ClusterIssuer

Test: issue a certificate