This section describes how to deploy a single-node Kubernetes, and then how to deploy Cert-manager.io into it.
To deploy Kubernetes and Cert-manager.io
Install K3s Lightweight Kubernetes by running the following commands:
curl -sfL https://get.k3s.io | sh –export PATH=$PATH:/user/local/bin- Enable the use of kubectl permanently, by ensuring that
/usr/local/binappears as part of thePATHenvironment variable in the~/.bash_profilefile. Install Helm by running the following commands:
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bashecho "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> ~/.bash_profileexport KUBECONFIG=/etc/rancher/k3s/k3s.yamlAdd the Cert-manager.io repository to Helm by running the following commands:
helm repo add jetstack https://charts.jetstack.iohelm repo updateInstall Cert-manager.io using Helm by entering the following command:
helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager --set installCRDs=true --create-namespace --version v1.6.0-beta.0 --wait(Secure HTTP Only) If you want to use Cert-manager.io with trusted HTTPS connections, then you must add the TLS CA certificate chain into the cluster.Create a
private-ca-bundle.pemfile.This file contain a concatenation of all PEM certificates in the CA certificate chain, starting with the issuing CA first and ending with the root CA last. For example:
-----BEGIN CERTIFICATE-----MIIF0TCCA7mgAwIBAgIQCy......V8HUOts=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIFUDCCAzigAwIBAgIQRv......XLy202FpMk40JO31gqbnDOusrY8=-----END CERTIFICATE-----Create a config-map from the
private-ca-bundle.pemfile by running the following command:kubectl create configmap private-ca-bundle -n cert-manager --from-file=private-ca-bundle.pemUpdate the Cert-manager.io deployment to use the config-map using Helm, by running the following command:
helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager \--version v1.6.0-beta.0 \--set installCRDs=true \--set volumes[0].name=ca-certs,volumes[0].configMap.name=private-ca-bundle \--set volumeMounts[0].name=ca-certs,volumeMounts[0].mountPath=/etc/ssl/certs \--wait --wait-for-jobs
You have now deployed a single-node Kubernetes cluster and installed Cert-manager.io. Certificate Enrollment Gateway’s TLS certificate chain is also trusted at the Cert-manager.io namespace, cluster, and operating system levels. The certificate chain still needs to be configured at the pod level.