Certificate objects are used to declare one or more Let's Encrypt issued TLS certificates. Certificate objects are consumed by the Kubernetes Certificate Manager (kube-cert-manager).
Before you can create a Certificate object you must create the Certificate Third Party Resource in your Kubernetes cluster.
- `apiVersion` - The Kubernetes API version. See Certificate Third Party Resource.
- `kind` - The Kubernetes object type (`Certificate`).
- `metadata.name` - The name of the Certificate object.
- `spec.domain` - The DNS domain to obtain a Let's Encrypt certificate for.
- `spec.email` - The email address used for the Let's Encrypt registration.
- `spec.provider` - The name of the dns01 provider plugin. See https://github.com/kelseyhightower/dns01-exec-plugins
- `spec.secret` - The name of the Kubernetes Secret that holds the DNS provider configuration.
- `spec.secretKey` - The key within that Secret that holds the DNS provider configuration data.
The following Kubernetes Certificate configuration assumes the following:
- The `googledns` dns01 exec plugin is available from the kube-cert-manager container.
- The `hightowerlabs.com` domain is registered.
- The `hightowerlabs.com` domain is managed by Google Cloud DNS under the `hightowerlabs` Google Cloud project.
- A Kubernetes Secret named `hightowerlabs` exists with a key named `service-account.json` which holds a Google service account with permissions to manage DNS records for the `hightowerlabs.com` domain.
Example Certificate Object

```yaml
apiVersion: "stable.hightower.com/v1"
kind: "Certificate"
metadata:
  name: "hightowerlabs-dot-com"
spec:
  domain: "hightowerlabs.com"
  email: "[email protected]"
  provider: "googledns"
  secret: "hightowerlabs"
  secretKey: "service-account.json"
```
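The Certificate object above only works once the Secret it references exists with the right key name. The following added example (not part of the kube-cert-manager project) builds both manifests from a service account credentials file so they can be piped straight into `kubectl apply -f -`. The secret name, key name, object name, email address and credentials path are all assumed placeholders; the Secret is emitted for whatever namespace `kubectl` is currently using.

```shell
#!/bin/sh
# Added example, not project code: generate the Secret and Certificate
# manifests that the documented Certificate object depends on.

# Emit a Secret manifest carrying the DNS provider credentials under one key.
# $1 = secret name, $2 = key name (must match spec.secretKey),
# $3 = path to the credentials file (a Google service account JSON here)
secret_manifest() {
  name="$1"; key="$2"; file="$3"
  if [ ! -r "$file" ]; then
    echo "credentials file not readable: $file" >&2
    return 1
  fi
  # Secret data values must be base64 and on a single line.
  b64=$(base64 < "$file" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$b64"
}

# Emit a Certificate manifest whose spec.secret/spec.secretKey point at that Secret.
# $1 = object name, $2 = domain, $3 = registration email,
# $4 = dns01 provider plugin, $5 = secret name, $6 = secret key
certificate_manifest() {
  printf 'apiVersion: "stable.hightower.com/v1"\nkind: "Certificate"\nmetadata:\n  name: "%s"\nspec:\n  domain: "%s"\n  email: "%s"\n  provider: "%s"\n  secret: "%s"\n  secretKey: "%s"\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Usage (assumed paths and addresses; run from a shell with cluster access):
#   secret_manifest hightowerlabs service-account.json ./service-account.json | kubectl apply -f -
#   certificate_manifest hightowerlabs-dot-com hightowerlabs.com admin@example.com \
#     googledns hightowerlabs service-account.json | kubectl apply -f -
```

Keeping the key name in one variable for both manifests avoids the most common misconfiguration: a Secret created with a key that does not match `spec.secretKey`, which leaves the provider plugin without credentials.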