@jakexks
Last active September 29, 2024 17:48
Revisions

  1. jakexks revised this gist Apr 27, 2021. 1 changed file with 7 additions and 5 deletions.
    12 changes: 7 additions & 5 deletions cert-manager-test.sh
    @@ -1,13 +1,13 @@
    #!/usr/bin/env bash
    set -e
    set -ex
    export TEST_CLUSTER_NAME=quick-test
    export CERT_MANAGER_VERSION=v1.3.1
    export KIND_IMAGE=kindest/node:v1.20.2

    # Create test cluster
    echo "Creating test cluster..."
    kind create cluster --name="$TEST_CLUSTER_NAME" --image="$KIND_IMAGE"
    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system
    until kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system; do sleep 1; done

    # Install cert-manager
    echo "Installing cert-manager..."
    @@ -21,16 +21,18 @@ helm install \
    --set installCRDs=true

    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace cert-manager

    # Create self signed cluster issuer:
    echo "Creating self-signed cluster-issuer..."
    cat <<EOYAML | kubectl apply -f -
    until cat <<EOYAML | kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
    name: selfsigned-cluster-issuer
    spec:
    selfSigned: {}
    EOYAML
    do sleep 1; done
    kubectl --timeout=10s wait --for=condition=Ready clusterissuers.cert-manager.io selfsigned-cluster-issuer

    # Create CA certificate. If you want to use it as a ClusterIssuer the secret must be in the cert-manager namespace:
    @@ -86,7 +88,7 @@ spec:
    backend:
    service:
    name: myservice
    port:
    port:
    number: 80
    tls:
    - hosts:
    @@ -108,4 +110,4 @@ diff issuer.crt ca.crt && echo "Issuing CA matches Ingress CA" || echo "Issuing
    openssl verify -CAfile issuer.crt tls.crt

    rm ./*.crt ./*.key
    kind delete cluster --name "$TEST_CLUSTER_NAME"
    kind delete cluster --name "$TEST_CLUSTER_NAME"
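Review bot: The `until … do sleep 1; done` wrappers added around `until kubectl --timeout=120s wait …` in the first hunk and `until cat <<EOYAML | kubectl apply -f -` in the second retry without bound, so a cluster that never becomes Ready, or a manifest the API server rejects persistently (schema or RBAC error), loops forever instead of failing the run; `kubectl wait` already bounds a single attempt with `--timeout=120s`, and the loop removes that bound. Cap the attempts, e.g. `for ((attempt = 1; attempt <= 5; attempt++)); do kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system && break; sleep 1; done` followed by `(( attempt <= 5 )) || { echo "kube-system pods never became Ready" >&2; exit 1; }`, and the same shape for the apply loop. Separately, `set -ex` now traces every command to stderr unconditionally; the traced command lines in this script carry no secrets (the extracted key travels through a pipe, not an argument), but making `-x` opt-in via a variable keeps CI logs readable.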
  2. jakexks revised this gist Apr 27, 2021. 1 changed file with 9 additions and 2 deletions.
    11 changes: 9 additions & 2 deletions cert-manager-test.sh
    @@ -11,9 +11,16 @@ kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-sy

    # Install cert-manager
    echo "Installing cert-manager..."
    kubectl apply -f "https://github.com/jetstack/cert-manager/releases/download/$CERT_MANAGER_VERSION/cert-manager.yaml"
    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace cert-manager
    helm repo add jetstack-test https://charts-test.jetstack.io
    helm repo update
    helm install \
    cert-manager jetstack-test/cert-manager \
    --namespace cert-manager \
    --create-namespace \
    --version v1.3.1 \
    --set installCRDs=true

    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace cert-manager
    # Create self signed cluster issuer:
    echo "Creating self-signed cluster-issuer..."
    cat <<EOYAML | kubectl apply -f -
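Review bot: The new `helm install` pins `--version v1.3.1` as a literal while the removed `kubectl apply` line derived the release from `$CERT_MANAGER_VERSION`, so the exported variable no longer drives what gets installed and the two can drift silently; use `--version "$CERT_MANAGER_VERSION" \` here. `helm repo add jetstack-test https://charts-test.jetstack.io` also installs from a non-release chart repository and persists that repository entry in the caller's helm configuration, which the script never removes. A comment such as `# charts-test.jetstack.io serves pre-release charts; use https://charts.jetstack.io for released versions` would make the intent explicit, and a `helm repo remove jetstack-test` in the cleanup at the end of the script would undo the side effect.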
  3. jakexks revised this gist Apr 14, 2021. 1 changed file with 4 additions and 3 deletions.
    7 changes: 4 additions & 3 deletions cert-manager-test.sh
    @@ -1,11 +1,12 @@
    #!/usr/bin/env bash
    set -e
    export TEST_CLUSTER_NAME=selfsigned-to-ca
    export CERT_MANAGER_VERSION=v1.3.0
    export TEST_CLUSTER_NAME=quick-test
    export CERT_MANAGER_VERSION=v1.3.1
    export KIND_IMAGE=kindest/node:v1.20.2

    # Create test cluster
    echo "Creating test cluster..."
    kind create cluster --name="$TEST_CLUSTER_NAME"
    kind create cluster --name="$TEST_CLUSTER_NAME" --image="$KIND_IMAGE"
    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system

    # Install cert-manager
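Review bot: `export KIND_IMAGE=kindest/node:v1.20.2` pins the node image by tag only; image tags are mutable, so two runs of this test can execute different node images, which is why kind's release notes publish a digest alongside each node image tag. Pin the digest as well, `export KIND_IMAGE=kindest/node:v1.20.2@sha256:<digest from the kind release notes>` (placeholder; take the value from the release matching the tag). The exports could also accept overrides, e.g. `export TEST_CLUSTER_NAME=${TEST_CLUSTER_NAME:-quick-test}`, so CI can change the cluster name or versions without editing the script.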
  4. jakexks revised this gist Apr 14, 2021. 1 changed file with 6 additions and 2 deletions.
    8 changes: 6 additions & 2 deletions cert-manager-test.sh
    @@ -1,15 +1,16 @@
    #!/usr/bin/env bash
    set -e
    export TEST_CLUSTER_NAME=selfsigned-to-ca
    export CERT_MANAGER_VERSION=v1.3.0

    # Create test cluster
    echo "Creating test cluster..."
    export TEST_CLUSTER_NAME=selfsigned-to-ca
    kind create cluster --name="$TEST_CLUSTER_NAME"
    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system

    # Install cert-manager
    echo "Installing cert-manager..."
    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
    kubectl apply -f "https://github.com/jetstack/cert-manager/releases/download/$CERT_MANAGER_VERSION/cert-manager.yaml"
    kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace cert-manager

    # Create self signed cluster issuer:
    @@ -97,3 +98,6 @@ kubectl get secrets -n cert-manager test-ca -o json | jq -r '.data["tls.crt"]' |
    diff issuer.crt ca.crt && echo "Issuing CA matches Ingress CA" || echo "Issuing CA doesn't match Ingress CA"

    openssl verify -CAfile issuer.crt tls.crt

    rm ./*.crt ./*.key
    kind delete cluster --name "$TEST_CLUSTER_NAME"
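Review bot: The cleanup appended in the second hunk (`rm ./*.crt ./*.key` and `kind delete cluster`) only runs when every earlier step succeeded; under `set -e` any failure leaves the kind cluster running and the extracted private key `tls.key` on disk. `rm ./*.crt ./*.key` also deletes any unrelated certificate or key files in whatever directory the script happens to be run from, since the script writes into the caller's CWD. Moving the work into a `mktemp -d` directory and deleting it from an EXIT trap, placed right after the exports in the first hunk, fixes both; the trailing `rm`/`kind delete` lines then become redundant. If a failed cluster should be kept for debugging, gate the delete on the exit status inside `cleanup`.
```shell
export CERT_MANAGER_VERSION=v1.3.0
workdir=$(mktemp -d)
cluster_created=0
cleanup() {
  rm -rf -- "${workdir:?}"
  if (( cluster_created )); then kind delete cluster --name "$TEST_CLUSTER_NAME"; fi
}
trap cleanup EXIT
cd "$workdir"
# … unchanged: "Creating test cluster..." echo …
kind create cluster --name="$TEST_CLUSTER_NAME"
cluster_created=1
# … unchanged: rest of the script; the appended rm/kind delete lines are no longer needed …
```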
  5. jakexks created this gist Apr 14, 2021.
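--- a/cert-manager-test.sh
+++ b/cert-manager-test.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+set -e
+
+# Create test cluster
+echo "Creating test cluster..."
+export TEST_CLUSTER_NAME=selfsigned-to-ca
+kind create cluster --name="$TEST_CLUSTER_NAME"
+kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace kube-system
+
+# Install cert-manager
+echo "Installing cert-manager..."
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
+kubectl --timeout=120s wait --for=condition=Ready pods --all --namespace cert-manager
+
+# Create self signed cluster issuer:
+echo "Creating self-signed cluster-issuer..."
+cat <<EOYAML | kubectl apply -f -
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: selfsigned-cluster-issuer
+spec:
+selfSigned: {}
+EOYAML
+kubectl --timeout=10s wait --for=condition=Ready clusterissuers.cert-manager.io selfsigned-cluster-issuer
+
+# Create CA certificate. If you want to use it as a ClusterIssuer the secret must be in the cert-manager namespace:
+echo "Creating self-signed certificate..."
+cat <<EOYAML | kubectl apply -f -
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: test-ca
+namespace: cert-manager
+spec:
+isCA: true
+commonName: test-ca
+secretName: test-ca
+issuerRef:
+name: selfsigned-cluster-issuer
+kind: ClusterIssuer
+group: cert-manager.io
+EOYAML
+kubectl --timeout=10s -n cert-manager wait --for=condition=Ready certificates.cert-manager.io test-ca
+
+# Create clusterissuer
+echo "Creating CA cluster issuer..."
+cat <<EOYAML | kubectl apply -f -
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: test-ca-cluster-issuer
+spec:
+ca:
+secretName: test-ca
+EOYAML
+kubectl --timeout=10s wait --for=condition=Ready clusterissuers.cert-manager.io test-ca-cluster-issuer
+
+# Create Ingress in a different namespace that should use the new cluster issuer
+echo "Creating ingress in namespace ingress-test..."
+kubectl create ns ingress-test
+cat <<EOYAML | kubectl apply -f -
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+annotations:
+cert-manager.io/cluster-issuer: test-ca-cluster-issuer
+name: test-ingress
+namespace: ingress-test
+spec:
+rules:
+- host: example.com
+http:
+paths:
+- pathType: Prefix
+path: /
+backend:
+service:
+name: myservice
+port:
+number: 80
+tls:
+- hosts:
+- example.com
+secretName: myingress-cert
+EOYAML
+kubectl --timeout=10s -n ingress-test wait --for=condition=Ready certificates.cert-manager.io myingress-cert
+
+# Extract CA, cert, key
+kubectl get secret -n ingress-test myingress-cert -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
+kubectl get secret -n ingress-test myingress-cert -o json | jq -r '.data["tls.crt"]' | base64 -d > tls.crt
+kubectl get secret -n ingress-test myingress-cert -o json | jq -r '.data["tls.key"]' | base64 -d > tls.key
+
+# Extract cluster issuer CA
+kubectl get secrets -n cert-manager test-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > issuer.crt
+
+diff issuer.crt ca.crt && echo "Issuing CA matches Ingress CA" || echo "Issuing CA doesn't match Ingress CA"
+
+openssl verify -CAfile issuer.crt tls.crt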
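Review bot: The chain-of-trust check on the `diff issuer.crt ca.crt` line never fails the script: the `cmd && ok || fail` form only echoes a message on mismatch, and the status of the whole list is that of the last `echo`, so under `set -e` the run continues and finishes successfully even when the Ingress CA differs from the issuer CA. Replace it with `if diff issuer.crt ca.crt; then echo "Issuing CA matches Ingress CA"; else echo "Issuing CA doesn't match Ingress CA" >&2; exit 1; fi`. The `kubectl get secret … | jq … | base64 -d > …` extraction lines have the same blind spot in the other direction: without `set -o pipefail` a failed `kubectl` or `jq` stage leaves an empty output file and the script carries on, so `set -e` should become `set -eo pipefail`. Minor: `tls.key` is a private key written into the caller's current directory with the default umask; for a throwaway kind cluster that is acceptable, but a `mktemp -d` working directory would keep it out of the CWD.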