The following procedures configure Cert-manager.io to request and receive certificates using DNS-01 and HTTP-01 validation. Configuring Cert-manager.io requires creating a series of YAML files, then applying those files to Cert-manager.io. After the files are applied, Cert-manager.io automatically requests the certificates from Certificate Enrollment Gateway.

For HTTP-01 validation, the following example uses Cert-manager.io's ingress-shim features. In this example, you will create a dummy back-end service (echo), and then an Ingress. The Ingress routes traffic into the cluster, and requests TLS certificates for the services to which it is routing.

For this example, you will create the following files:

  • dns-issuer.yaml, to define the DNS issuer for DNS-01 validation.
  • dns-cert.yaml, to define the DNS certificate for DNS-01 validation.
  • http-issuer.yaml, to define the HTTP issuer for HTTP-01 validation.
  • echo.yaml, to define the echo (dummy back-end) service for HTTP-01 validation.
    In this example, the echo service is a dummy back-end to show how to secure an existing service on the Kubernetes cluster.
  • http-ingress.yaml, to define the Ingress for HTTP-01 validation.

To create the YAML files for Cert-manager.io

  1. Create a new file named dns-issuer.yaml with the following contents. Read the comments and modify the content as required.

    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-dns
      namespace: default
    spec:
      dnsNames:
      # NOTE: This only works if the DNS ClusterIssuer has permission to update "example.com" records
      - dns.example.com
      secretName: test-dns
      issuerRef:
        name: ceg-issuer-dns
        kind: ClusterIssuer
  2. Create a new file named dns-cert.yaml with the following contents. Read the comments and modify the content as required.

    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-dns
      namespace: default
    spec:
      dnsNames:
      # NOTE: This only works if the DNS ClusterIssuer has permission to update "example.com" records
      - dns.example.com
      secretName: test-dns
      issuerRef:
        name: ceg-issuer-dns
        kind: ClusterIssuer
  3. Create a new file named http-issuer.yaml with the following contents. Read the comments and modify the content as required.

    ---
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: ceg-issuer-http
      namespace: cert-manager
    spec:
      acme:
        # Uncomment the following line to allow insecure TLS connections.
        #skipTLSVerify: true
        # The ACME server URL
        server: https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory
        # Email address used for ACME registration
        email: certmanager@example.com
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
          name: ceg-acme-account-key-http
        # Enable the HTTP-01 challenge provider
        solvers:
        - http01:
            ingress:
              class: traefik
  4. Create a new file named echo.yaml with the following contents.

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: echo
    spec:
      ports:
      - port: 80
        targetPort: 5678
      selector:
        app: echo
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: echo
    spec:
      selector:
        matchLabels:
          app: echo
      replicas: 1
      template:
        metadata:
          labels:
            app: echo
        spec:
          containers:
          - name: echo
            image: hashicorp/http-echo
            args:
            - "-text=echo"
            ports:
            - containerPort: 5678
  5. Create a new file named http-ingress.yaml with the following contents. Read the comments and modify the content as required.

    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: echo1-traefik-ingress
      namespace: default
      annotations:
        kubernetes.io/ingress.class: traefik
        cert-manager.io/cluster-issuer: ceg-issuer-http
    spec:
      tls:
      - hosts:
        # Change the hostname here to the one you want a TLS certificate for.
        # NOTE: CEG must resolve the following hostname to cert-manager.io's IP address.
        - echo1.example.com
        secretName: echo-tls
      rules:
      # The following host must match the host in the "tls" section a few lines up.
      - host: echo1.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 80

To apply the YAML files to Kubernetes and request certificates

  1. Apply the files with the following commands.

    kubectl apply -f dns-issuer.yaml
    kubectl apply -f dns-cert.yaml
    kubectl apply -f http-issuer.yaml
    kubectl apply -f echo.yaml
    kubectl apply -f http-ingress.yaml
  2. After applying the files, Cert-manager.io has been configured to request two different certificates over two different ClusterIssuers, one certificate for DNS-01 validation, and one certificate for HTTP-01 validation. The certificates will automatically be requested by Cert-manager.io.
  3. To view the status of all cert-manager.io ACMEv2 objects, enter the following command:

    kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
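A triage helper for the command above, added here as an example (it is not part of the original procedure or of cert-manager's own tooling): it parses the JSON that `kubectl get ... -o json` returns, classifies each object as ok, pending or failed from the status fields cert-manager sets, and reports the recorded reason so a stalled HTTP-01 or DNS-01 challenge can be diagnosed. The sample JSON and the object names in it are constructed.

```python
import json
import subprocess
# Same resource set as the kubectl command above; "-o json" returns a v1 List.
KUBECTL_CMD = ["kubectl", "get", "issuers,clusterissuers,certificates,certificaterequests,orders,challenges",
               "--all-namespaces", "-o", "json"]

def classify(item):
    """Map one cert-manager object to ("ok" | "pending" | "failed", reason)."""
    status = item.get("status", {})
    if item.get("kind") in ("Order", "Challenge"):
        # Orders and Challenges expose status.state instead of conditions.
        state = status.get("state", "")
        verdict = "ok" if state == "valid" else "failed" if state in ("invalid", "errored", "expired") else "pending"
        return verdict, status.get("reason", "")
    conds = {c.get("type"): c for c in status.get("conditions", [])}
    if conds.get("Ready", {}).get("status") == "True":
        return "ok", ""
    issuing = conds.get("Issuing", {})
    if issuing.get("status") == "False" and issuing.get("reason") == "Failed":
        return "failed", issuing.get("message", "")  # issuance gave up (Certificate only)
    ready = conds.get("Ready", {})
    return "pending", ready.get("message") or ready.get("reason", "")

def summarize(kubectl_json):
    """Return one row per object in the List JSON that kubectl printed."""
    rows = []
    for item in json.loads(kubectl_json).get("items", []):
        meta, (verdict, reason) = item.get("metadata", {}), classify(item)
        rows.append({"kind": item.get("kind", ""), "namespace": meta.get("namespace", ""),
                     "name": meta.get("name", ""), "state": verdict, "reason": reason})
    return rows

def not_ready(rows):
    return [r for r in rows if r["state"] != "ok"]

# Constructed sample: the shape kubectl returns while an HTTP-01 challenge is still unanswered.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterIssuer", "metadata": {"name": "ceg-issuer-http"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"kind": "Certificate", "metadata": {"name": "test-dns", "namespace": "default"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                "message": "Issuing certificate as Secret does not exist"}]}},
    {"kind": "Order", "metadata": {"name": "echo-tls-1", "namespace": "default"}, "status": {"state": "pending"}},
    {"kind": "Challenge", "metadata": {"name": "echo-tls-1-0", "namespace": "default"},
     "status": {"state": "pending", "reason": "Waiting for HTTP-01 challenge propagation: wrong status code '404'"}}]})

if __name__ == "__main__":  # against a real cluster (needs a working kubeconfig)
    out = subprocess.run(KUBECTL_CMD, check=True, capture_output=True, text=True).stdout
    for row in not_ready(summarize(out)):
        print(f"{row['kind']} {row['namespace']}/{row['name']}: {row['state']} {row['reason']}")
```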