Using the Kubernetes integration

The cert-manager plug-in creates certificates automatically when certificate resources are created in Kubernetes or when Ingress controllers are annotated with TLS annotations.

Here is an example of a certificate resource file that requests a certificate from Venafi Cloud using the issuer that was previously created:

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: example-venafi-localhost
      namespace: cert-manager-example
    spec:
      secretName: cert4-venafi-localhost
      issuerRef:
        name: cloud-devops-issuer
      commonName: example.venafi.localhost

The kubectl command can then be used to create the certificate resource, assuming that the certificate resource file is saved as cert.yaml:

    $ kubectl create -f cert.yaml

For ingress controllers, the issuer is configured as an annotation. If the TLS annotation is specified, the cert-manager plug-in will request a certificate that contains the domain name listed in the hosts and store the certificate and private key in the Kubernetes secret identified by ‘secretName’.

Here’s an example ingress resource file:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
        name: hello-ingress
        annotations:
            certmanager.k8s.io/issuer: "cloud-devops-issuer"
            nginx.ingress.kubernetes.io/secure-backends: "true"
            # An annotation key may appear only once, so both directives share one snippet.
            nginx.ingress.kubernetes.io/configuration-snippet: |
                error_log /var/log/nginx/apperror.log debug;
                access_log /var/log/nginx/appaccess.log upstreaminfo if=$loggable;
    spec:
        tls:
            - secretName: hellodemo-venafi-localhost
              hosts:
               - hellodemo.venafi.localhost
        rules:
            - host: hellodemo.venafi.localhost
              http:
                paths:
                - path: /
                  backend:
                    serviceName: hello-node
                    servicePort: 8080
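
Once either resource has been applied, the secret named by secretName can be checked before anything serves traffic with it. The shell function below is an added example, not part of the original page or of cert-manager: it takes the base64 `tls.crt` and `tls.key` values from the secret and confirms that the certificate is unexpired, covers the expected host, and matches the private key. The function names and the self-signed sample pair are constructed for illustration, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity-check the certificate and key stored in a TLS secret.
# Feed it the base64 values from the secret, for example:
#   crt=$(kubectl -n cert-manager-example get secret cert4-venafi-localhost \
#           -o jsonpath='{.data.tls\.crt}')
#   key=$(kubectl -n cert-manager-example get secret cert4-venafi-localhost \
#           -o jsonpath='{.data.tls\.key}')
#   check_tls_secret example.venafi.localhost "$crt" "$key"

# check_tls_secret HOST B64_CRT B64_KEY (hypothetical helper name)
# Exit status: 0 = all checks pass, 1 = a check failed, 2 = unreadable input.
check_tls_secret() (
  umask 077                                   # key material stays owner-only
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT                   # always remove the decoded key
  printf '%s' "$2" | openssl base64 -d -A > "$tmp/tls.crt" || exit 2
  printf '%s' "$3" | openssl base64 -d -A > "$tmp/tls.key" || exit 2

  # 1. The leaf (first PEM block) must parse and must not be expired.
  openssl x509 -in "$tmp/tls.crt" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate missing, unparsable or expired" >&2; exit 1; }

  # 2. The certificate must cover the host the Ingress or Certificate names.
  openssl x509 -in "$tmp/tls.crt" -noout -checkhost "$1" |
    grep -q 'does match' ||
    { echo "certificate does not cover $1" >&2; exit 1; }

  # 3. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$tmp/tls.crt" -noout -pubkey) || exit 2
  key_pub=$(openssl pkey -in "$tmp/tls.key" -pubout 2>/dev/null) || exit 2
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; exit 1; }
)

# Constructed sample input for offline testing: a throwaway self-signed pair
# for host $1 written to directory $2. It stands in for issuer output only.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/tls.key" -out "$2/tls.crt" >/dev/null 2>&1
}
```

A non-zero exit right after the resource is created usually just means issuance has not finished yet; `kubectl describe certificate` shows the request status.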