Getting a Helm chart to trigger cert-manager
Sebastian Wright
I have read "Helm chart to use secrets from cert-manager", but the answer eludes me...

Does

    ... write the YAML for the Certificate in the same chart, typically in its own file.

just mean that I create a file inside my Helm chart's templates folder named "Certificate.yaml" containing the YAML, and Helm autodiscovers it?
values.yaml:
replicaCount: 1

image:
  repository: nginx
  pullPolicy: IfNotPresent
  tag: ""

imagePullSecrets: []
nameOverride: "sample-app"
fullnameOverride: "sampleapp-chart"

serviceAccount:
  create: true
  annotations: {}
  name: "sampleappacc"

podAnnotations: {}
podSecurityContext: {}
securityContext: {}

service:
  type: NodePort
  port: 80

ingress:
  enabled: true
  className: "traefik-internal"
  annotations: traefik-internal "true" default-redirect-https@kubernetescrd
  hosts:
    - host: sample.k8s.tld
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: sample-tls
      hosts:
        - sample.k8s.tld

resources: {}

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80

nodeSelector: {}
tolerations: []
affinity: {}

Certificate.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ (index .Values.ingress.tls 0).secretName }}
  namespace: default
spec:
  # Secret names are always required.
  secretName: {{ (index .Values.ingress.tls 0).secretName }}
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - myorg
  commonName: {{ (index .Values.ingress.hosts 0).host }}
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - {{ (index .Values.ingress.hosts 0).host }}
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io

How do I tell Helm to read this file?
Running kubectl get certificate results in No resources found in default namespace.
Running kubectl get certificate -A shows some certificates, but not the one I am expecting.
Running kubectl get secret shows me only a secret named sh.helm.release.v1.sampleapp-chart.v1 not sample-tls
Update
I found a warning entitled "BadConfig" from cert-manager-ingress-shim with an issue regarding the Issuer. Since I do have the issuer defined in the Certificate.yaml I assume that cert-manager is trying to guess the details from the bare configuration?
1 Answer
Adding the annotation letsencrypt-prod and removing the Certificate.yaml worked.

See the cert-manager documentation regarding Ingress for more information on why it works.
values.yaml:
replicaCount: 1

image:
  repository: nginx
  pullPolicy: IfNotPresent
  tag: ""

imagePullSecrets: []
nameOverride: "sample-app"
fullnameOverride: "sampleapp-chart"

serviceAccount:
  create: true
  annotations: {}
  name: "sampleappacc"

podAnnotations: {}
podSecurityContext: {}
securityContext: {}

service:
  type: NodePort
  port: 80

ingress:
  enabled: true
  className: "traefik"
  annotations: traefik "true" letsencrypt-prod https@kubernetescrd
  hosts:
    - host: sample.k8s.tld
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: sample-tls
      hosts:
        - sample.k8s.tld

resources: {}

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80

nodeSelector: {}
tolerations: []
affinity: {}
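The two routes discussed above, side by side, as an added example that is not code from the question or the answer. The first file is a templates/certificate.yaml for the explicit-Certificate route. Helm renders every file under templates/, so the file name does not matter (only files whose names start with an underscore, and NOTES.txt, are skipped). Compared with the question's version, the Certificate is created in the release namespace instead of a hardcoded "default" so the Secret lands next to the Ingress that references it, one Certificate is emitted per tls entry instead of indexing entry 0, the key is ECDSA with rotation on renewal, and the "client auth" usage is dropped because a server certificate does not need it. The second fragment is the ingress-shim route the answer uses. The annotation key cert-manager.io/cluster-issuer is my assumption about the annotation the answer refers to (the key is missing from the answer as extracted); letsencrypt-prod and sample.k8s.tld are taken from the question.

```yaml
# --- templates/certificate.yaml ---------------------------------------------
# Added example (not from the question or the answer). Helm renders every
# file in templates/, so the file name is free. One Certificate is emitted
# per tls entry, in the namespace the release is installed into.
{{- if and .Values.ingress.enabled .Values.ingress.tls }}
{{- range .Values.ingress.tls }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .secretName }}
  namespace: {{ $.Release.Namespace }}
spec:
  secretName: {{ .secretName }}
  duration: 2160h    # 90d; ACME issuers ignore this and issue their fixed lifetime
  renewBefore: 360h  # 15d before notAfter of the issued certificate
  privateKey:
    algorithm: ECDSA       # P-256: small, fast, and a strong server key
    size: 256
    rotationPolicy: Always # fresh private key on every renewal
  usages:
    - server auth          # a TLS server certificate does not need "client auth"
  dnsNames:
    {{- range .hosts }}
    - {{ . | quote }}
    {{- end }}
  issuerRef:
    name: letsencrypt-prod # the ClusterIssuer named in the question
    kind: ClusterIssuer
    group: cert-manager.io
{{- end }}
{{- end }}

# --- values.yaml fragment: the ingress-shim route the answer uses instead ---
# With this annotation no Certificate template is needed: ingress-shim creates
# a Certificate named after each tls[].secretName, in the Ingress's namespace,
# with tls[].hosts as its dnsNames. The annotation key is an assumption (it is
# missing from the answer as extracted); the value is the question's issuer.
ingress:
  enabled: true
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: sample.k8s.tld
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: sample-tls
      hosts:
        - sample.k8s.tld
```

To confirm Helm is picking the template up, render the chart locally with `helm template sampleapp .` and look for `kind: Certificate` in the output before installing; after installing, check `kubectl get certificate -n <release namespace>` rather than only the default namespace. With the ingress-shim route the key algorithm, size and usages come from cert-manager's defaults unless you add further cert-manager.io/* annotations to the Ingress; the explicit Certificate keeps that policy in one reviewable file, which is the reason to prefer it when you care about what key ends up in the Secret.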