Configure Cert Manager
Cert Manager generates certificates and keys to enable Zero-trust encrypted communication between pod workloads in Kubernetes. For this setup, we recommend an open-source version of Cert Manager optimized for the ARM architecture.
To successfully configure Cert-Manager, follow these steps:
-
Note: After installing cert-manager, wait for a minute for cert-manager to be ready. For more information, see (optional) Wait for cert-manager webhook to be ready.
Create ClusterIssuer or Issuer: To start issuing certificates, you must create a ClusterIssuer or Issuer resource.
Note: F5 tested BIG-IP Next for Kubernetes with Jetstack Cert Manager v1.16.1.
Ensure that the global.certmgr.clusterIssuer parameter in flo-value.yaml is properly updated with the metadata.name value of the cluster issuer. In the example below, the metadata.name value is arm-ca-cluster-issuer.
Ensure that the certificate.clusterIssuer parameter in bnkgatewayclass-cr.yaml is properly updated with the metadata.name value of the cluster issuer. In the example below, the metadata.name value is arm-ca-cluster-issuer.

Sample Cluster Issuer:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: selfsigned-cluster-issuer
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: arm-ca
      namespace: cert-manager
    spec:
      isCA: true
      commonName: arm-ca
      secretName: arm-ca
      issuerRef:
        name: selfsigned-cluster-issuer
        kind: ClusterIssuer
        group: cert-manager.io
    ---
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: arm-ca-cluster-issuer
    spec:
      ca:
        secretName: arm-ca
Apply the ClusterIssuer.

    kubectl apply -f cluster-issuer.yaml

Sample Output:

    clusterissuer.cert-manager.io/selfsigned-cluster-issuer created
    certificate.cert-manager.io/arm-ca created
    clusterissuer.cert-manager.io/arm-ca-cluster-issuer created
Verify the created ClusterIssuer.

    kubectl get clusterissuer

Sample Output:

    arm-ca-cluster-issuer       True   83s
    selfsigned-cluster-issuer   True   83s
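The note above requires the clusterIssuer values in flo-value.yaml and bnkgatewayclass-cr.yaml to match the metadata.name of a ClusterIssuer. The following added example (not F5 or cert-manager code) checks that offline before the files are applied; the function names and the assumed layout of the two referencing files are hypothetical.

```shell
#!/bin/sh
# Assumption: each referencing file holds the issuer name in a scalar key
# spelled "clusterIssuer:"; nesting depth is ignored.

# Print metadata.name of every ClusterIssuer in a multi-document manifest.
cluster_issuer_names() {
    awk '
        function emit() {
            if (kind == "ClusterIssuer" && name != "") print name
            kind = ""; name = ""; meta = 0
        }
        /^---[ \t]*$/          { emit(); next }
        /^kind:/               { kind = $2 }
        /^metadata:/           { meta = 1; next }
        /^[^ \t#]/             { meta = 0 }
        meta && /^[ \t]+name:/ { if (name == "") name = $2 }
        END                    { emit() }
    ' "$1"
}

# Print the first clusterIssuer value found in a file, quotes stripped.
referenced_issuer() {
    awk '$1 == "clusterIssuer:" { print $2; exit }' "$1" | tr -d "\"'"
}

# $1 = issuer manifest, $2 = file that references an issuer by name.
check_issuer_ref() {
    ref=$(referenced_issuer "$2")
    [ -n "$ref" ] || { echo "$2: no clusterIssuer key found" >&2; return 2; }
    if cluster_issuer_names "$1" | grep -qxF -- "$ref"; then
        echo "$2: clusterIssuer '$ref' is defined in $1"
    else
        echo "$2: clusterIssuer '$ref' is NOT defined in $1" >&2; return 1
    fi
}

# Constructed sample: the gateway class file misspells the issuer name.
demo() {
    d=$(mktemp -d) || return 1
    printf 'kind: ClusterIssuer\nmetadata:\n  name: arm-ca-cluster-issuer\n' > "$d/cluster-issuer.yaml"
    printf 'global:\n  certmgr:\n    clusterIssuer: arm-ca-cluster-issuer\n' > "$d/flo-value.yaml"
    printf 'spec:\n  certificate:\n    clusterIssuer: arm-ca-issuer\n' > "$d/bnkgatewayclass-cr.yaml"
    check_issuer_ref "$d/cluster-issuer.yaml" "$d/flo-value.yaml"
    check_issuer_ref "$d/cluster-issuer.yaml" "$d/bnkgatewayclass-cr.yaml"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "demo: mismatch reported, as constructed"
```

A mismatched name is worth catching early because a certificate request that points at a nonexistent issuer is never fulfilled, so the workloads never receive the keys they need for encrypted pod-to-pod communication.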
For more information on how to use cert-manager to automatically provision Certificates for Ingress resources, see Annotated Ingress resource.