Configuring Cert-Manager

Shipmight integrates with Cert-Manager for:

  • automating SSL certificates for domains

Cert-Manager is included as an optional dependency of the Shipmight stack.

How it works

Cert-Manager watches for any Kubernetes Ingresses with the annotation cert-manager.io/cluster-issuer.

Shipmight can add this annotation (along with a tls configuration) to the Ingresses that are created when users create domains in the Shipmight UI. The Shipmight UI also shows the status of the SSL certificate if an issuer is linked to a domain.

Enabling Cert-Manager

To install Cert-Manager, which is included in the Shipmight stack but disabled by default, set cert-manager.enabled to true:

helm upgrade shipmight shipmight/shipmight-stack \
  --set cert-manager.enabled=true

In addition to enabling Cert-Manager, you must create a ClusterIssuer. Here's an example Let's Encrypt issuer (make sure to fill in your own email address):

echo "
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: acme
  labels:
    cert-manager-issuer.shipmight.com/id: acme
  annotations:
    cert-manager-issuer.shipmight.com/name: \"Let's Encrypt\"
spec:
  acme:
    email: your-email@example.com
    # A) Let's Encrypt STG server for testing:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # B) Let's Encrypt PROD server
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
" | kubectl apply -f -

Some notes about the issuer:

  • Note the label cert-manager-issuer.shipmight.com/id. This label marks the issuer as discoverable by Shipmight.
  • With the optional annotation cert-manager-issuer.shipmight.com/name you can customize the issuer name if it is shown in Shipmight UI at some point.
  • For different types of issuers (e.g. wildcard issuers which require dynamic DNS configurations), see Issuer Configuration in the Cert-Manager documentation.

If a ClusterIssuer with the cert-manager-issuer.shipmight.com/id label exists in the cluster, Shipmight will automatically associate with it. No other configuration is needed.

At the time of writing, there can only be 1 issuer associated with Shipmight at a time. Support for associating more issuers is an upcoming feature. Users will be able to choose from the available issuers when creating a domain.
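
To confirm what Shipmight will discover, the following added example (not part of the Shipmight documentation) lists the ClusterIssuers carrying the label and checks that there is exactly one, that it is Ready, and whether it still points at the Let's Encrypt staging server, whose certificates browsers do not trust. The function names and message wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit the ClusterIssuer(s) that Shipmight can discover.
# list_issuers and check_issuers are hypothetical helper names.

LABEL='cert-manager-issuer.shipmight.com/id'

# Print "name<TAB>acme-server<TAB>ready-status" for every ClusterIssuer
# that carries the Shipmight discovery label (any label value).
list_issuers() {
  kubectl get clusterissuer -l "$LABEL" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.acme.server}{"\t"}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}'
}

# Read list_issuers output on stdin and print findings.
# Returns 0 when exactly one labelled issuer exists and it is Ready.
# A staging ACME server is reported as a warning only.
check_issuers() {
  awk -F '\t' '
    NF == 0 { next }                      # skip blank lines
    { n++ }
    $2 ~ /acme-staging/ {
      print "WARN " $1 ": staging ACME server, certificates are not browser-trusted"
    }
    $3 != "True" {                        # empty when status is not set yet
      print "FAIL " $1 ": issuer is not Ready"
      bad = 1
    }
    END {
      if (n != 1) {
        print "FAIL expected exactly 1 labelled issuer, found " n + 0
        bad = 1
      }
      exit bad
    }'
}

# Usage against a live cluster:
#   list_issuers | check_issuers
```

If the check reports an issuer as not Ready, `kubectl describe clusterissuer acme` shows the condition message recorded by Cert-Manager.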

Disabling Cert-Manager

Follow the official documentation to uninstall Cert-Manager and its related resources and CRDs. In the section "Uninstalling with Helm", substitute helm --namespace cert-manager delete cert-manager with:

helm upgrade shipmight shipmight/shipmight-stack \
  --set cert-manager.enabled=false

Copyright © Fine Productions Oy/Ltd