Skip to content

Certificate Manager Add-on

This add-on installs cert-manager.

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. Add-on can issue certificates from a variety of supported sources, including Let's Encrypt, HashiCorp Vault, and Venafi as well as private PKI. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.

Usage

import * as cdk from 'aws-cdk-lib';
import * as blueprints from '@aws-quickstart/eks-blueprints';

const app = new cdk.App();

const addOn = new blueprints.addons.CertManagerAddOn()

const blueprint = blueprints.EksBlueprint.builder()
  .version("auto")
  .addOns(addOn)
  .build(app, 'my-stack-name');

Configuration Options

  • installCRDs: (boolean) To automatically install and manage the CRDs as part of your Helm release,
  • createNamespace: (boolean) If you want CDK to create the namespace for you
  • values: Arbitrary values to pass to the chart. Refer to the cert-manager Helm Chart documentation for additional details. It also supports all standard helm configuration options ( for Eg: https://github.com/aws-quickstart/cdk-eks-blueprints/blob/main/docs/addons/index.md#standard-helm-add-on-configuration-options)

cert-manager compatibility with EKS and Fargate

Please refer to the cert-manager compatibility and open issues with EKS and Fargate [cert-manager compatibility with EKS](https://cert-manager.io/docs/installation/compatibility/#aws-eks_

Validation

To validate that cert-manager is installed properly in the cluster, check if the namespace is created and cert-manger pods are running.

Verify if the namespace is created correctly 

  kubectl get ns | grep "cert-manager"
There should be list the cert-manager namespace 
cert-manager      Active   31m
Verify if the pods are running correctly in cert-manager namespace 
  kubectl get pods -n cert-manager
There should list 3 pods starting with name cert-manager- For Eg: 
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-5bb7949947-vxf76             1/1     Running   0          2m56s
cert-manager-cainjector-5ff98c66d-g4kpv   1/1     Running   0          2m56s
cert-manager-webhook-fb48856b5-bpsbl      1/1     Running   0          2m56s

Testing

Cert-Manager Kubectl Plugin Cert-Manager has a Kubectl plugin that simplifies some common management tasks. It also lets you check whether Cert-Manager is up and ready to serve requests.

Install Cert-Manager Kubectl Plugin 

  curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
  tar xzf kubectl-cert-manager.tar.gz
  sudo mv kubectl-cert_manager /usr/local/bin

Run the follwing command to check if the plugin was correctly installed: 

  kubectl cert-manager check api
This should print following message "The cert-manager API is ready"