# cert-manager
### Install
# Applies the pinned v1.1.0 release manifest straight from GitHub. It creates
# cluster-scoped objects, so fetch the file first, review it, and compare it
# with the checksum published alongside the release (if one is available)
# before running `kubectl apply`.
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
### cluster-issuer.yaml
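# ClusterIssuer is cluster-scoped, so a metadata.namespace field is ignored and
# has been dropped. The ACME account key (privateKeySecretRef) and the Route 53
# Secret referenced below are looked up in the namespace cert-manager runs in
# (cert-manager in this setup).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-istio
spec:
  acme:
    # Production endpoint; Let's Encrypt rate-limits it, so test the pipeline
    # against the staging directory first.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: YOUR@EMAIL.ADDR  # change this: receives expiry / account notices
    privateKeySecretRef:
      name: letsencrypt-istio  # ACME account private key, stored as a Secret
    solvers:
      - selector: {}  # empty selector: applies to every Certificate using this issuer
        dns01:
          route53:
            # Static IAM credentials. Prefer role-based credentials (an IAM role
            # bound to the cert-manager service account) where available, and
            # scope the IAM policy to the hosted zone(s) you actually issue for.
            accessKeyID: YOUR_ACCESS_KEY_ID
            region: ap-northeast-2
            secretAccessKeySecretRef:
              name: route53-credentials-secret  # created below in the cert-manager namespace
              key: secret-access-key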
### Create the route53-credentials-secret Secret
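# NOTE(review): this copies the operator's own long-lived AWS secret key from
# the local AWS CLI config into the cluster. Use a dedicated IAM principal that
# only has the Route 53 permissions cert-manager needs for the hosted zone, and
# rotate any personal key that was ever stored this way. The Secret is only
# base64-encoded in etcd: restrict RBAC on the cert-manager namespace and
# enable encryption at rest.
aws_secret_access_key="$(aws configure get aws_secret_access_key)"
# Fail loudly instead of silently creating an empty Secret when the CLI has no key configured.
: "${aws_secret_access_key:?aws_secret_access_key is not set in the active AWS CLI profile}"
kubectl --namespace cert-manager create secret generic route53-credentials-secret \
  --from-literal="secret-access-key=$aws_secret_access_key"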
#### Verify creation
# `describe` lists the key names and byte sizes only; it never prints the value.
kubectl -n cert-manager describe secret route53-credentials-secret
### certificate.yaml
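# Use cert-manager.io/v1 to match the ClusterIssuer above and the v1.1.0
# install; the v1alpha2 API is deprecated in cert-manager 1.x and is removed
# in later releases.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # Must live in the Istio ingress gateway's namespace: the Gateway's
  # tls.credentialName is expected to resolve the Secret there.
  namespace: istio-system
  name: your-site-certificate
spec:
  secretName: your-site-credential  # referenced as credentialName in the Gateway
  dnsNames:
    - "your-site.com"
  commonName: "your-site.com"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-istio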
### gateway.yaml
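apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  namespace: your-ns
  name: your-gw
spec:
  selector:
    istio: ingressgateway
  servers:
    # Plain-HTTP listener kept only to redirect clients to HTTPS; without the
    # redirect the site is served in cleartext next to the TLS listener.
    # Redirecting is safe here because certificates are solved with dns01,
    # so nothing on port 80 has to answer ACME http01 challenges.
    - hosts:
        - "your-site.com"
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - "your-site.com"
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # Secret written by cert-manager (Certificate.spec.secretName). The
        # ingress gateway is expected to read it from its own namespace
        # (istio-system), which is why the Certificate is created there.
        credentialName: your-site-credential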
### Troubleshooting
# Walk the ACME pipeline top-down: CertificateRequest -> Order -> Challenge.
# The Conditions/Events in each describe output show where issuance is stuck.
for resource in certificaterequests.cert-manager.io orders.acme.cert-manager.io challenges.acme.cert-manager.io; do
  kubectl describe "$resource" -n istio-system
done
## Links
- https://ddii.dev/kubernetes/cert-manager/#
- https://istio.io/latest/docs/ops/integrations/certmanager/
- https://lcc3108.github.io/articles/2020-12/certmanager
- https://cert-manager.io/docs/faq/troubleshooting/