Verifying the Installation
Once you've installed cert-manager, you can verify it is deployed correctly by checking the cert-manager namespace for running pods:
$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5c6866597-zw7kh               1/1     Running   0          2m
cert-manager-cainjector-577f6d9fd7-tr77l   1/1     Running   0          2m
cert-manager-webhook-787858fcdb-nlzsq      1/1     Running   0          2m
You should see the cert-manager, cert-manager-cainjector, and cert-manager-webhook pods in a Running state. The webhook might take a little longer to successfully provision than the others.
If you experience problems, first check the FAQ.
The following steps will confirm that cert-manager is set up correctly and able to issue basic certificate types. Alternatively, to automatically check if cert-manager is correctly configured, you can run the community-maintained cert-manager-verifier tool.
Create an Issuer to test that the webhook is working.
$ cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF
Create the test resources.
$ kubectl apply -f test-resources.yaml
Check the status of the newly created certificate. You may need to wait a few seconds before cert-manager processes the certificate request.
$ kubectl describe certificate -n cert-manager-test
...
Spec:
  Common Name:  example.com
  Issuer Ref:
    Name:       test-selfsigned
  Secret Name:  selfsigned-cert-tls
Status:
  Conditions:
    Last Transition Time:  2019-01-29T17:34:30Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-04-29T17:34:29Z
Events:
  Type    Reason      Age   From          Message
  ----    ------      ----  ----          -------
  Normal  CertIssued  4s    cert-manager  Certificate issued successfully
Clean up the test resources.
$ kubectl delete -f test-resources.yaml
If all the above steps have completed without error, you're good to go!
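The manual checks above can be scripted for a CI job or post-install hook. This is an added example, not part of the cert-manager documentation: pods_ready and verify_install are hypothetical helper names, the 60s timeout is an assumed value, and the sample rows at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the cert-manager docs). pods_ready and verify_install
# are hypothetical helper names; the 60s timeout is an assumed value.

# Read `kubectl get pods --no-headers` rows on stdin. Succeed only when the
# controller, cainjector and webhook each have a Running pod with every
# container ready (READY n/n); otherwise name the components still missing.
pods_ready() {
  awk '
    {
      split($2, r, "/")
      ok = ($3 == "Running" && r[1] == r[2] && r[1] > 0)
      # Test the longer name prefixes first: all three start with cert-manager-.
      if ($1 ~ /^cert-manager-cainjector-/)   { if (ok) seen["cainjector"] = 1 }
      else if ($1 ~ /^cert-manager-webhook-/) { if (ok) seen["webhook"] = 1 }
      else if ($1 ~ /^cert-manager-/)         { if (ok) seen["controller"] = 1 }
    }
    END {
      bad = 0
      n = split("controller cainjector webhook", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { print "not ready: " want[i]; bad = 1 }
      exit bad
    }'
}

# Run the steps from this page against a live cluster: pod check, apply, wait
# for the Ready condition on the Certificate, then always clean up. Needs
# kubectl and the test-resources.yaml file created above. Not called here.
verify_install() {
  kubectl get pods --namespace cert-manager --no-headers | pods_ready || return 1
  kubectl apply -f test-resources.yaml || return 1
  kubectl wait --for=condition=Ready certificate/selfsigned-cert \
    --namespace cert-manager-test --timeout=60s
  rc=$?
  kubectl delete -f test-resources.yaml
  return "$rc"
}

# Constructed sample: the webhook pod has not finished provisioning yet.
SAMPLE='cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
cert-manager-webhook-787858fcdb-nlzsq 0/1 Running 0 5s'
printf '%s\n' "$SAMPLE" | pods_ready || echo "cert-manager is not fully up yet"
```

Call verify_install from the directory that contains test-resources.yaml; it returns non-zero if any component is not ready or the Certificate does not reach Ready within the timeout.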
Configuring your first Issuer
Before you can begin issuing certificates, you must configure at least one Issuer or ClusterIssuer resource in your cluster.
You should read the configuration guide to learn how to configure cert-manager to issue certificates from one of the supported backends.