Rancher Suite K8S Adventure - Chapter 010 - Cert-Manager

Rancher Suite K8S Adventure - Chapter 010 - Cert-Manager

A travelogue of converting from OpenStack to Suse's Rancher Suite for K8S including RKE2, Harvester, kubectl, helm.

The next step is to install cert-manager on the new Rancher RKE2 cluster.

The references are:

https://ranchermanager.docs.rancher.com/getting-started/quick-start-guides/deploy-rancher-manager/helm-cli

https://www.jetstack.io/open-source/cert-manager/

https://cert-manager.io/docs/

Add the repo for jetstack and rancher:

helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
helm repo add jetstack https://charts.jetstack.io
helm repo update

then verify:

vince@ubuntu:~$ helm repo list
NAME                 URL                                              
rancher-latest       https://releases.rancher.com/server-charts/latest

jetstack                https://charts.jetstack.io   
vince@ubuntu:~$ 

Create the namespace for rancher, we'll create the ns for jetstack as part of the install:

kubectl create namespace cattle-system

then verify

vince@ubuntu:~$ kubectl get namespaces | grep cattle-system
cattle-system     Active   30s
vince@ubuntu:~$ 

Next install the CRDs (Custom Resource Definitions) used by cert-manager:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml

Finally have helm create the cert-manager namespace (could have made it above... whatever) and install cert-manager:

helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.1

Lets take a look at the cert-manager namespace:

vince@ubuntu:~$ kubectl get all --namespace=cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-646c67487-kmrml               1/1     Running   0          112s
pod/cert-manager-cainjector-7cb8669d6b-wjdcz   1/1     Running   0          112s
pod/cert-manager-webhook-696c5db7ff-slrsv      1/1     Running   0          112s

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.43.61.195    <none>        9402/TCP   112s
service/cert-manager-webhook   ClusterIP   10.43.207.185   <none>        443/TCP    112s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           112s
deployment.apps/cert-manager-cainjector   1/1     1            1           112s
deployment.apps/cert-manager-webhook      1/1     1            1           112s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-646c67487               1         1         1       112s
replicaset.apps/cert-manager-cainjector-7cb8669d6b   1         1         1       112s
replicaset.apps/cert-manager-webhook-696c5db7ff      1         1         1       112s
vince@ubuntu:~$ 

Obviously you'll have different IP addresses and times above, but it should look similar, plus or minus obvious blogging platform formatting issues.

Now its time to verify cert-manager works.  You can go thru the steps listed here, but its tedious to cut and paste:

https://cert-manager.io/docs/installation/verify/

The verification process has you install cmctl which requires brew which I don't have on Ubuntu (long story) so that's tedious.  Next the verification process has you look at the pods in the namespace (see above when we did a get all, its the first 'paragraph' above.  After that is a long process to create a YAML cert request and submit that to cert manager, then see if cert manager issues you a self signed cert per the YAML, finally delete it.  There's also a cert-manager-verifier tool:

https://github.com/alenkacz/cert-manager-verifier

However, unless it looks like something broken, the simplest way to test cert-manager would be to install Rancher, and as the plan is to install Rancher tomorrow, its probably OK to skip extensive testing.