Kubestack

cert-manager

by  Jetstack

cert-manager provides Kubernetes native certificate management. It automates provisioning of certificates from configurable issuers and renews these certificates before expiry to keep them valid and up to date.

TL;DR:

  • Installing, updating or removing follows Kubestack's GitOps flow.
  • Instructions assume the default repository layout.
  • Bases can be consumed as-is or customized.
  • Step-by-step instructions are framework specific but bases can be used independently.

Install

  1. Vendor the base

    # Run these commands from the root of your Kubestack infra repository
    wget https://storage.googleapis.com/catalog.kubestack.com/cert-manager-v1.3.1-kbst.0.zip
    unzip -d manifests/bases/ cert-manager-v1.3.1-kbst.0.zip
    rm cert-manager-v1.3.1-kbst.0.zip

  2. Include resource in apps overlay

    cd manifests/overlays/apps
    kustomize edit add resource ../../bases/cert-manager/base

  3. Commit and push

    cd -
    git checkout -b add-cert-manager
    git add manifests/bases/cert-manager manifests/overlays/apps/kustomization.yaml
    git commit -m "Add cert-manager v1.3.1-kbst.0 base"
    git push origin add-cert-manager

  4. Review PR and merge

    Finally, review and merge the PR into master. Once it's been successfully applied against the Ops-Cluster set a prod-deploy tag to also apply the change against the Apps-Cluster.

Update

To update the operator delete the previously vendored base and then vendor the new version.

  1. Delete the previous vendored version

    # Run these commands from the root of your Kubestack infra repository
    rm -r manifests/bases/cert-manager

  2. Vendor the new version

    # Run these commands from the root of your Kubestack infra repository
    wget https://storage.googleapis.com/catalog.kubestack.com/cert-manager-v1.3.1-kbst.0.zip
    unzip -d manifests/bases/ cert-manager-v1.3.1-kbst.0.zip
    rm cert-manager-v1.3.1-kbst.0.zip

  3. Commit and push

    git checkout -b update-cert-manager
    git add manifests/bases/cert-manager
    git commit -m "Update cert-manager base to v1.3.1-kbst.0"
    git push origin update-cert-manager

Remove

Operators often create resources based on custom objects. When removing an operator, follow a two-step process to ensure operator provisioned resources are purged properly.

  1. Remove all the operator's custom objects.
  2. Once the operator had time to de-provision all resources it created, follow the instructions below to remove the operator itself.

  1. Remove resource from apps overlay

    cd manifests/overlays/apps
    kustomize edit remove resource ../../bases/cert-manager/base

  2. Delete the vendored base from your repository

    cd -
    # Run these commands from the root of your Kubestack infra repository
    rm -r manifests/bases/cert-manager

  3. Commit and push

    git checkout -b remove-cert-manager
    git add manifests/bases/cert-manager
    git commit -m "Remove cert-manager base"
    git push origin remove-cert-manager