Tim Van Wassenhove

Passionate geek, interested in Technology. Proud father of two

15 Mar 2021

Notes on microk8s and cert-manager

For the last couple of weeks I’ve been using MicroK8s for local development.

Installing the current version of cert-manager just worked by following the installation instructions:

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml

Then I enabled the ingress addon:

microk8s.enable ingress

Configuring Let’s Encrypt required some deviations from the documentation. Only resources of type ClusterIssuer, with public as the ingress class, seem to work:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: tim@timvw.be
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: public
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: tim@timvw.be
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: public 
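
An Ingress that requests a certificate from the staging issuer above, shown as an added example that is not from the original post. The hostname, Service name and Secret name are placeholders, and it assumes the `networking.k8s.io/v1` Ingress API (Kubernetes 1.19 or later).

```yaml
# Added example; values marked "hypothetical" or "placeholder" are not from the post.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app                      # hypothetical
  annotations:
    # Same class as the http01 solver in the ClusterIssuer, so the application
    # and the temporary ACME challenge Ingress are served by the same controller.
    kubernetes.io/ingress.class: public
    # Tells cert-manager to issue the certificate from this ClusterIssuer.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - app.example.com               # placeholder hostname
    # hypothetical Secret name; cert-manager writes the certificate and key here
    secretName: my-app-tls
  rules:
  - host: app.example.com           # placeholder hostname, must match tls.hosts
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app            # hypothetical Service
            port:
              number: 80
```

Staging certificates are not trusted by browsers, so once the certificate becomes Ready, change the annotation to letsencrypt-prod.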

When using nginx as ingress class I ran into various errors:

  • challenge propagation: wrong status code ‘404’, expected ‘200’
  • certificate never becoming ‘Ready’

Here are some helpful commands:

kubectl logs -f -n cert-manager -l app=cert-manager
kubectl get ingress

Then I noticed that acme-staging-v02.api.letsencrypt.org could not be resolved by the cert-manager pods (trying to resolve from 127.0.0.1:53), so I also enabled the dns addon and restarted the pods (by deleting them):

microk8s.enable dns
kubectl delete pod -n cert-manager -l app=cert-manager

And then all was fine. E.g. https://strava.apps.timvw.be just works :)