Quickstart (Preview)
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
For the example below, we assume you created the following Kubernetes Secret:
- namespace: jetstack-secure
- name: jse-gcr-creds
Create an example Installation with a self-signed issuer
Apply the Installation resource:
kubectl apply -f - <<EOF
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: quickstart-example
spec:
  certManager: {}
  approverPolicy: {}
  images:
    secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstart
  issuers:
    - name: quickstart-issuer
      clusterScope: true
      selfSigned: {}
EOF
For this Installation, TLS Protect for Kubernetes Operator will create:
- cert-manager installation in jetstack-secure Namespace
- approver-policy installation in jetstack-secure Namespace
- a self-signed [1] cert-manager ClusterIssuer quickstart-issuer
- a default, 'all allowed' CertificateRequestPolicy for the issuer
- RBAC that allows cert-manager ServiceAccount to use the CertificateRequestPolicy
Wait for the Installation to become ready:
kubectl wait --for=condition=Ready installation/quickstart-example
This should take no more than a few minutes.
Inspect the Installation's status conditions for information about the created components and resources:
kubectl get installation quickstart-example -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'
Inspect the created ClusterIssuer:
kubectl get clusterissuer/quickstart-issuer -oyaml
Create a Certificate resource:
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: quickstart-cert
spec:
  secretName: quickstart-cert
  dnsNames:
    - "example.com"
  issuerRef:
    name: quickstart-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
Watch for the Certificate to become ready:
kubectl get certificate/quickstart-cert
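An added example (not part of the original page or of Jetstack's tooling): because the self-signed issuer type is not recommended for production, this Python check lists every Certificate that still resolves to a self-signed Issuer or ClusterIssuer. The function names and the sample objects are constructed for illustration; the field names follow cert-manager's Issuer, ClusterIssuer and Certificate resources.

```python
import json
import sys
CM_GROUP = "cert-manager.io"

def scope_key(kind, namespace, name):
    # ClusterIssuers are cluster-scoped; an Issuer only matches in its own namespace.
    return (kind, None if kind == "ClusterIssuer" else namespace, name)

def find_self_signed_usage(resource_list):
    """Return (namespace, certificate, issuer kind, issuer name) for every
    Certificate whose issuerRef resolves to an issuer with spec.selfSigned."""
    items = resource_list.get("items", [])
    # selfSigned is an empty object ({}), so test key presence, not truthiness.
    self_signed = {
        scope_key(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"])
        for i in items
        if i.get("kind") in ("Issuer", "ClusterIssuer") and "selfSigned" in i.get("spec", {})
    }
    flagged = []
    for c in items:
        if c.get("kind") != "Certificate":
            continue
        ref = c["spec"]["issuerRef"]
        if (ref.get("group") or CM_GROUP) != CM_GROUP:
            continue  # external issuer type, outside this check
        kind = ref.get("kind") or "Issuer"  # cert-manager defaults kind to Issuer
        ns = c["metadata"].get("namespace")
        if scope_key(kind, ns, ref["name"]) in self_signed:
            flagged.append((ns, c["metadata"]["name"], kind, ref["name"]))
    return sorted(flagged)

def _cert(ns, name, ref):  # helper for the constructed sample below
    return {"kind": "Certificate", "metadata": {"namespace": ns, "name": name},
            "spec": {"issuerRef": ref}}

# Constructed sample, shaped like `kubectl get ... -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterIssuer", "metadata": {"name": "quickstart-issuer"}, "spec": {"selfSigned": {}}},
    {"kind": "ClusterIssuer", "metadata": {"name": "corp-ca"}, "spec": {"ca": {"secretName": "corp-ca"}}},
    _cert("default", "quickstart-cert", {"name": "quickstart-issuer", "kind": "ClusterIssuer", "group": CM_GROUP}),
    _cert("team-a", "api", {"name": "quickstart-issuer"}),  # kind omitted: namespaced Issuer, no match
    _cert("team-a", "web", {"name": "corp-ca", "kind": "ClusterIssuer"}),
]}

if __name__ == "__main__":
    # kubectl get clusterissuers,issuers,certificates -A -o json | python3 this_file.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, cert, kind, issuer in find_self_signed_usage(data):
        print(f"{ns}/{cert}: issued by self-signed {kind}/{issuer}")
```

Run without piped input, it reports only default/quickstart-cert from the constructed sample; the team-a/api Certificate is not flagged because an issuerRef without a kind refers to a namespaced Issuer, not the ClusterIssuer of the same name.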
Next steps
View more detailed configuration guides:
1. The self-signed issuer type is not recommended for use in production.