cert-manager
This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.
Cert manager integration
This guide shows how to set up cert-manager integration with your virtual cluster.
Prerequisites​
-
Administrator access to a Kubernetes cluster: See Accessing Clusters with kubectl for more information. Run the command
kubectl auth can-i create clusterrole -Ato verify that your current kube-context has administrative privileges.infoTo obtain a kube-context with admin access, ensure you have the necessary credentials and permissions for your Kubernetes cluster. This typically involves using
kubectl configcommands or authenticating through your cloud provider's CLI tools. -
helm: Helm v3.10 is required for deploying the platform. Refer to the Helm Installation Guide if you need to install it. -
kubectl: Kubernetes command-line tool for interacting with the cluster. See Install and Set Up kubectl for installation instructions.
cert-manageroperator installed on your host cluster, see cert-manager installation guide.
Enable the integration​
Enable the cert-manager integration in your virtual cluster configuration:
integrations:
certManager:
enabled: true
This configuration:
- Enables the integration.
- Imports cluster-scoped
ClusterIssuersfrom your host cluster into the virtual cluster. - Exports namespaced Issuers and Certificates from the virtual cluster to the host cluster.
Create or update a virtual Cluster following the vCluster quick start
guide.
Set up cluster contexts​
Setting up the host and virtual cluster contexts makes it easier to switch between them.
export HOST_CTX="your-host-context"
export VCLUSTER_CTX="vcluster-ctx"
You can find your contexts by running kubectl config get-contexts
Setup the integration​
If you don't have cert-manager configured yet, follow these steps:
Virtual Cluster Create the
Issuer.tipThis should create a corresponding Issuer in the host cluster.
Create a file named
issuer.yaml:Issuercat <<EOF > issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Replace this email address with your own
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account
email: user@example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- http01:
ingress:
ingressClassName: nginx
EOFApply to the virtual cluster:
Apply Issuer to virtual clusterkubectl --context=$VCLUSTER_CTX apply -f issuer.yamlVirtual Cluster Create the Certificate
Create a file named
certificate.yaml:Create Certificatecat <<EOF > certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: quickstart-example-tls
namespace: default
spec:
dnsNames:
- example.example.com
issuerRef:
group: cert-manager.io
kind: Issuer
name: letsencrypt-staging
secretName: quickstart-example-tls
usages:
- digital signature
- key encipherment
EOFApply Certificate in virtual clusterkubectl --context=$VCLUSTER_CTX apply -f certificate.yamltipOnce that certificate is created in the virtual cluster, the integration syncs the created secret back to the virtual cluster after the cert-manager operator creates it in the host cluster, and the certificate is ready to use.
Host Cluster Check the
ClusterIssuerCheck ClusterIssuer in host clusterkubectl --context=$HOST_CTX describe clusterissuer letsencrypt-stagingVirtual Cluster Check resources
Check Issuer and Certificate in virtual clusterkubectl --context=$VCLUSTER_CTX describe issuer letsencrypt-staging -n default
kubectl --context=$VCLUSTER_CTX describe certificate quickstart-example-tls -n default
kubectl --context=$VCLUSTER_CTX get secret quickstart-example-tls -n default
Create a certificate​
With the Issuer configured, create a certificate within the virtual cluster.
Verify the setup​
Using the certificate​
To use your certificate in an application, reference it in your Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts:
- example.example.com
secretName: quickstart-example-tls
rules:
- host: example.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
Troubleshooting​
Host Cluster- Verify cert-manager is running
kubectl --context=$HOST_CTX -n cert-manager get pods
- Check cert-manager logs for errors - Ensure proper RBAC permissions are configured
- Verify the integration is enabled in your vcluster configuration
- Check that secrets are syncing correctly between clusters
- Ensure your Issuer and Certificate configurations are correct
For detailed troubleshooting steps, see the cert-manager troubleshooting guide.
Config reference​
certManager required object ​
CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster.
- Certificates and Issuers will be synced from the virtual cluster to the host cluster.
- ClusterIssuers will be synced from the host cluster to the virtual cluster.
certManager required object ​enabled required boolean false ​
Enabled defines if this option should be enabled.
enabled required boolean false ​sync required object ​
Sync contains advanced configuration for syncing cert-manager resources.
sync required object ​toHost required object ​
toHost required object ​