Certifcate Manager
This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.
Cert manager integration
This guide shows how to set up cert-manager integration with your virtual cluster.
Prerequisites​
-
Administrator access to a Kubernetes cluster: See Accessing Clusters with kubectl for more information. Your current kube-context must have administrative privileges, which you can verify with
kubectl auth can-i create clusterrole -A
infoTo obtain a kube-context with admin access, ensure you have the necessary credentials and permissions for your Kubernetes cluster. This typically involves using
kubectl config
commands or authenticating through your cloud provider's CLI tools. -
helm
installed: Helm v3.10 is required for deploying the platform. Refer to the Helm Installation Guide if you need to install it. -
kubectl
installed: Kubernetes command-line tool for interacting with the cluster. See Install and Set Up kubectl for installation instructions.
cert-manager
operator installed on your host cluster, see cert-manager installation guide.
Enable the integration​
Enable the cert-manager integration in your virtual cluster configuration:
integrations:
certManager:
enabled: true
This configuration:
- Enables the integration.
- Imports cluster-scoped
ClusterIssuers
from your host cluster into the virtual cluster. - Exports namespaced Issuers and Certificates from the virtual cluster to the host cluster.
Create or update a virtual Cluster
following the vCluster quick start
guide.
Set up cluster contexts​
Setting up the host and virtual cluster contexts makes it easier to switch between them.
export HOST_CTX="your-host-context"
export VCLUSTER_CTX="vcluster-ctx"
You can find your contexts by running kubectl config get-contexts
Setup the integration​
If you don't have cert-manager configured yet, follow these steps:
Virtual Cluster Create the
ClusterIssuer
.tipThis should create a corresponding Issuer in the host cluster.
Create a file named
issuer.yaml
:Create ClusterIssuercat <<EOF > issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Replace this email address with your own
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account
email: user@example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- http01:
ingress:
ingressClassName: nginx
EOFApply to the host cluster:
Apply ClusterIssuer to host clusterkubectl --context=$HOST_CTX apply -f issuer.yaml
Virtual Cluster Create the Certificate
Create a file named
certificate.yaml
:Create Certificatecat <<EOF > certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: quickstart-example-tls
namespace: default
spec:
dnsNames:
- example.example.com
issuerRef:
group: cert-manager.io
kind: Issuer
name: letsencrypt-staging
secretName: quickstart-example-tls
usages:
- digital signature
- key encipherment
EOFApply Certificate in virtual clusterkubectl --context=$VCLUSTER_CTX apply -f certificate.yaml
tipOnce that certificate is created in the virtual cluster, the integration syncs the created secret back to the virtual cluster after the cert-manager operator creates it in the host cluster, and the certificate is ready to use.
Host Cluster Check the
ClusterIssuer
Check ClusterIssuer in host clusterkubectl --context=$HOST_CTX describe clusterissuer letsencrypt-staging
Virtual Cluster Check resources
Check Issuer and Certificate in virtual clusterkubectl --context=$VCLUSTER_CTX describe issuer letsencrypt-staging -n default
kubectl --context=$VCLUSTER_CTX describe certificate quickstart-example-tls -n default
kubectl --context=$VCLUSTER_CTX get secret quickstart-example-tls -n default
Create a certificate​
With the ClusterIssuers
configured, create a certificate within the virtual cluster.
Verify the setup​
Using the certificate​
To use your certificate in an application, reference it in your Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts:
- example.example.com
secretName: quickstart-example-tls
rules:
- host: example.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
Troubleshooting​
Host Cluster- Verify cert-manager is running
kubectl --context=$HOST_CTX -n cert-manager get pods
- Check cert-manager logs for errors - Ensure proper RBAC permissions are configured
- Verify the integration is enabled in your vcluster configuration
- Check that secrets are syncing correctly between clusters
- Ensure your Issuer and Certificate configurations are correct
For detailed troubleshooting steps, see the cert-manager troubleshooting guide.
Config reference​
certManager
required object pro​
CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster.
- Certificates and Issuers will be synced from the virtual cluster to the host cluster.
- ClusterIssuers will be synced from the host cluster to the virtual cluster.
certManager
required object pro​enabled
required boolean false pro​
Enabled defines if this option should be enabled.
enabled
required boolean false pro​sync
required object pro​
Sync contains advanced configuration for syncing cert-manager resources.
sync
required object pro​toHost
required object pro​
toHost
required object pro​