
I've previously used LetsEncrypt for the purpose but need to explore the possibility of using AWS ACM-PCA to issue certificates through cert-manager. For clarity, the setup with LE is/was fully functional and I've confirmed that the PCA itself works fine.

I've installed the AWS-PrivateCA-Issuer helm chart and the resources (and CRDs) have appeared as expected. I've created a ClusterIssuer as per this example YAML too - so far so good, the issuer shows itself as verified.

What I'm struggling with is annotating my ingresses properly to cause cert-manager to request and attach a certificate. I've added these annotations somewhat naively from what I've found in documentation:

cert-manager.io/issuer-kind: AWSPCAClusterIssuer
cert-manager.io/issuer-group: awspca.cert-manager.io

I wouldn't be at all surprised, however, if there's more that I've missed. As things stand, the secret specified in the ingress config simply doesn't get created.

I haven't found any examples online of how exactly to do this; can anyone provide some or point me in the right direction? Thanks.

user1381745

1 Answer


You're pretty close. You need the following annotations on your ingress:

cert-manager.io/issuer: <name of your issuer>
cert-manager.io/issuer-kind: AWSPCAClusterIssuer
cert-manager.io/issuer-group: awspca.cert-manager.io
cert-manager.io/common-name: <common name for the certificate>

Here's a POC ingress that I've successfully deployed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: acm-pca-demo-ingress
  namespace: acm-pca-lab-demo
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: exampleca
    cert-manager.io/issuer-kind: AWSPCAClusterIssuer
    cert-manager.io/issuer-group: awspca.cert-manager.io
    cert-manager.io/common-name: test.example.local
spec:
  tls:
    - hosts:
        - test.example.local
      secretName: test-example-local-cert
  rules:
    - host: test.example.local
      http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: hello-world
                port:
                  number: 80

Note: The values specified under spec.tls[*].hosts are added to the certificate as the SAN (Subject Alternative Names) field.

Andy Bohne
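The asker's original annotations had the issuer kind and group but no issuer name, which is exactly the case where cert-manager's ingress-shim silently does nothing and the secret never appears. The following is an added example, not code from the question, the answer, cert-manager or the AWS PCA issuer project: a small lint over the JSON you get from `kubectl get ingress <name> -o json` that flags the configurations under which no certificate will be requested, and cross-checks the common-name annotation against the `spec.tls` hosts that become the SANs. The function names and the two embedded manifests are this example's own constructions (the manifests mirror the asker's and the answer's ingresses).

```python
"""Lint an Ingress for the cert-manager ingress-shim annotations needed when
the issuer is an external kind such as AWSPCAClusterIssuer.

Added example (hypothetical helper names). Input is the JSON shape produced by
`kubectl get ingress <name> -o json`; sample manifests below are constructed.
"""
from __future__ import annotations

import json

# ingress-shim only acts when one of these names an issuer
ISSUER_NAME_KEYS = ("cert-manager.io/issuer", "cert-manager.io/cluster-issuer")
ISSUER_KIND_KEY = "cert-manager.io/issuer-kind"
ISSUER_GROUP_KEY = "cert-manager.io/issuer-group"
COMMON_NAME_KEY = "cert-manager.io/common-name"


def lint_ingress(ingress: dict) -> list[str]:
    """Return findings; an empty list means ingress-shim should request a cert."""
    findings: list[str] = []
    meta = ingress.get("metadata", {}) or {}
    spec = ingress.get("spec", {}) or {}
    annotations = meta.get("annotations", {}) or {}
    name = meta.get("name", "<unnamed>")

    kind = annotations.get(ISSUER_KIND_KEY)
    group = annotations.get(ISSUER_GROUP_KEY)
    if not any(k in annotations for k in ISSUER_NAME_KEYS):
        msg = f"{name}: no {' / '.join(ISSUER_NAME_KEYS)} annotation, so ingress-shim ignores this Ingress"
        if kind or group:
            msg += " (issuer-kind/issuer-group only refine which issuer the name points at)"
        findings.append(msg)
    if kind and not group:
        # without an explicit group cert-manager looks in its own API group,
        # which has no AWSPCAClusterIssuer kind
        findings.append(f"{name}: {ISSUER_KIND_KEY}={kind!r} set without {ISSUER_GROUP_KEY}")

    tls_entries = spec.get("tls") or []
    if not tls_entries:
        findings.append(f"{name}: spec.tls is empty; there is nothing for cert-manager to issue")
    tls_hosts: set[str] = set()
    for i, entry in enumerate(tls_entries):
        if not entry.get("secretName"):
            findings.append(f"{name}: spec.tls[{i}] has no secretName to store the certificate in")
        hosts = entry.get("hosts") or []
        if not hosts:
            findings.append(f"{name}: spec.tls[{i}] has no hosts, so the certificate would carry no SANs")
        tls_hosts.update(hosts)

    # spec.tls hosts become the SANs; clients match on SANs, not the CN
    cn = annotations.get(COMMON_NAME_KEY)
    if cn and cn not in tls_hosts:
        findings.append(f"{name}: common-name {cn!r} is not among the spec.tls hosts (SANs)")
    rule_hosts = {r.get("host") for r in spec.get("rules") or [] if r.get("host")}
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"{name}: rule host {host!r} has no matching spec.tls entry")
    return findings


def lint_ingress_json(text: str) -> list[str]:
    """Convenience wrapper for raw `kubectl ... -o json` output."""
    return lint_ingress(json.loads(text))


# Constructed: the asker's situation (kind + group, but no issuer name)
ASKER_INGRESS = json.loads("""
{"metadata": {"name": "asker-ingress",
  "annotations": {"cert-manager.io/issuer-kind": "AWSPCAClusterIssuer",
                  "cert-manager.io/issuer-group": "awspca.cert-manager.io"}},
 "spec": {"tls": [{"hosts": ["test.example.local"], "secretName": "test-example-local-cert"}],
          "rules": [{"host": "test.example.local"}]}}
""")

# Constructed: the answer's working annotation set
ANSWER_INGRESS = json.loads("""
{"metadata": {"name": "acm-pca-demo-ingress",
  "annotations": {"cert-manager.io/issuer": "exampleca",
                  "cert-manager.io/issuer-kind": "AWSPCAClusterIssuer",
                  "cert-manager.io/issuer-group": "awspca.cert-manager.io",
                  "cert-manager.io/common-name": "test.example.local"}},
 "spec": {"tls": [{"hosts": ["test.example.local"], "secretName": "test-example-local-cert"}],
          "rules": [{"host": "test.example.local"}]}}
""")

if __name__ == "__main__":
    for manifest in (ASKER_INGRESS, ANSWER_INGRESS):
        for line in lint_ingress(manifest) or [f"{manifest['metadata']['name']}: ok"]:
            print(line)
```

Run it against a live object with `kubectl get ingress acm-pca-demo-ingress -o json | python3 lint_ingress.py` after swapping the `__main__` block for `lint_ingress_json(sys.stdin.read())`; an empty result means the remaining places to look are the `Certificate` and `CertificateRequest` objects cert-manager creates in the same namespace and the issuer's own status conditions.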