Install cert-manager in GKE

1. Install the CRDs

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml

2. Create a namespace cert-manager

kubectl create namespace cert-manager

3. Install cert-manager using helm

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install certmgr jetstack/cert-manager --namespace cert-manager

4. Create IAM service account with dns admin permission

PROJECT_ID=your-gcp-project-id   # placeholder: set to your GCP project ID
gcloud iam service-accounts create dns01-solver --display-name "dns01-solver"
# roles/dns.admin grants write access to every zone in the project; if the zone
# lives in its own project, bind the role there rather than on the GKE project
gcloud projects add-iam-policy-binding $PROJECT_ID \
   --member serviceAccount:dns01-solver@$PROJECT_ID.iam.gserviceaccount.com \
   --role roles/dns.admin

5. Download the key.json file and create a Secret in the cert-manager namespace

gcloud iam service-accounts keys create key.json \
   --iam-account dns01-solver@$PROJECT_ID.iam.gserviceaccount.com
# the ClusterIssuer reads this Secret from the cert-manager namespace, hence -n cert-manager;
# delete the local key.json once the Secret exists
kubectl create secret generic clouddns-dns01-solver-svc-acct \
   --from-file=key.json -n cert-manager

6. Create a ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  #name: letsencrypt-production
  namespace: cert-manager   # ignored: a ClusterIssuer is cluster-scoped
spec:
  acme:
    email: your-email@example.com   # placeholder: contact address for Let's Encrypt expiry notices
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    #server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
      #name: letsencrypt-production
    solvers:
    - dns01:
        cloudDNS:
          project: PROJECT_ID   # replace with your GCP project ID
          serviceAccountSecretRef:   # looked up in the cert-manager namespace (the cluster resource namespace)
            name: clouddns-dns01-solver-svc-acct
            key: key.json

7. Create a Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  secretName: example-com-tls
  commonName: example.com
  issuerRef:
    name: letsencrypt-staging
    #name: letsencrypt-production
    kind: ClusterIssuer
  dnsNames:
  - example.com

This creates a Secret named example-com-tls in the cert-manager namespace. Secrets are namespaced, so the Ingress in step 8 must live in the same namespace as this Secret (or the Certificate must be created in the Ingress's namespace).

8. Use the Secret and ClusterIssuer in the Ingress

apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22; newer clusters use networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    #cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # To fix a redirect loop, add the following (the ingress-nginx controller
    # must be started with --enable-ssl-passthrough for this annotation to work)
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
...
spec:
  rules:
  - host: example.com
...
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls

Sometimes you may get a mixed-content issue because the application behind nginx still builds http:// URLs. Add the following to the FastCGI (PHP-FPM) section of your nginx config so the application sees the request as HTTPS:

fastcgi_param HTTPS on;

Use staging first. Once everything works, un-comment the “production” lines and comment out the “staging” lines. To issue a certificate for another domain, repeat steps 7 and 8.
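To confirm that the switch from staging to production actually took effect, here is an added check script (not from the original post) that pulls tls.crt out of the Secret created in step 7 and reports the issuer, whether the SAN covers the host, and whether the certificate is close to expiry. It assumes kubectl and openssl 1.1.1 or later (for -ext) are on PATH; SECRET, NAMESPACE and HOST are assumed environment variables that default to the names used in the post.

```shell
#!/bin/sh
# Added example: verify the TLS Secret that cert-manager issued in step 7.

# classify_issuer: given the "issuer=..." line from `openssl x509 -noout -issuer`,
# print STAGING, PRODUCTION or UNKNOWN. Let's Encrypt staging intermediates
# carry O = "(STAGING) Let's Encrypt"; production intermediates carry O = "Let's Encrypt".
classify_issuer() {
  case "$1" in
    *"(STAGING) Let's Encrypt"*) echo STAGING ;;
    *"Let's Encrypt"*)           echo PRODUCTION ;;
    *)                           echo UNKNOWN ;;
  esac
}

# san_covers: return 0 when the subjectAltName text (from
# `openssl x509 -noout -ext subjectAltName`) lists DNS:<host> exactly.
san_covers() {
  san="$1"; host="$2"
  printf '%s\n' "$san" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$host"
}

# check_tls_secret: fetch the certificate from the Secret, then run the checks.
# Assumed environment overrides: SECRET, NAMESPACE, HOST (defaults from the post).
check_tls_secret() {
  ns="${NAMESPACE:-cert-manager}"; secret="${SECRET:-example-com-tls}"; host="${HOST:-example.com}"
  crt=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data.tls\.crt}' | base64 -d) || return 1
  issuer=$(printf '%s\n' "$crt" | openssl x509 -noout -issuer)
  san=$(printf '%s\n' "$crt" | openssl x509 -noout -ext subjectAltName)
  echo "issuer: $(classify_issuer "$issuer") ($issuer)"
  san_covers "$san" "$host" || { echo "SAN does not list $host"; return 1; }
  # -checkend exits non-zero when the certificate expires within the given seconds
  printf '%s\n' "$crt" | openssl x509 -noout -checkend $((30*86400)) \
    || { echo "expires within 30 days; inspect the Certificate and Order status"; return 1; }
}
```

A STAGING result means browsers will still reject the certificate, because the staging intermediate is not publicly trusted.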

Refer: https://cert-manager.io/docs/configuration/acme/dns01/google/
