Using the Kubernetes integration¶
The cert-manager plug-in creates certificates automatically when certificate resources are created in Kubernetes or when Ingress controllers are annotated with TLS annotations.
Here is an example of a certificate resource file that requests a certificate from Venafi Cloud using the issuer that was previously created:
apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata: name: example-venafi-localhost namespace: cert-manager-example spec: secretName: cert4-venafi-localhost IssuerRef: name: cloud-devops-issuer commonName: example.venafi.localhost
The kubectl command can then be used to create a certificate resource, assuming that the certificate resource file is saved as a file named cert.yaml:
$kubectl create -f cert2.yaml
For ingress controllers, the issuer is configured as an annotation. If the TLS annotation is specified, the cert-manager plug-in will request a certificate that contains the domain name listed in the hosts and store the certificate and private key in the Kubernetes secret identified by ‘secretName’.
Here’s an example ingress resource file:
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: hello-ingress annotations: certmanager.k8s.io/issuer: “cloud-devops-issuer” nginx.ingress.kubernetes.io/secure-backends: "true" nginx.ingress.kubernetes.io/configuration-snippet: error_log /var/log/nginx/apperror.log debug; nginx.ingress.kubernetes.io/configuration-snippet: access_log /var/log/nginx/appaccess.log upstreaminfo if=$loggable; spec: tls: - secretName: hellodemo-venafi-localhost hosts: - hellodemo.venafi.localhost rules: - host: hellodemo.venafi.localhost http: paths: - path: / backend: serviceName: hello-node servicePort: 8080