HOW TO: Set Up a Development Kubernetes/Cert-Manager Environment


Test environment to run Kubernetes: Linux, Windows or macOS.

Example resources (Linux):

2 CPUs

4GB of free memory

20GB of free disk space

Internet connection

Container or virtual machine manager such as: Docker, Hyperkit, Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMware




Install a container or virtual machine manager


Install a Kubernetes environment

    1. There are multiple options for setting this up depending on your use case. Some simple options for a dev environment are “Kind” or “Minikube”. Kubeadm is argued to be the de facto deployment option for production k8s environments. A KB on how to set up a kubeadm k8s deployment can be found here.
    2. In this example, we will use Minikube.
    3. Follow the Minikube installation instructions through step 3. You may continue to the further steps if desired.
    4. A container runtime is required. You can find more information about installing one here.
    5. If using Docker, you may run into a permission denied error while initializing Minikube. Command to resolve (note that membership in the docker group is effectively root-equivalent on that host, which is fine for a throwaway dev box but not for a shared machine):
    6. sudo usermod -aG docker $USER && newgrp docker
    7. Minikube installs its own version of kubectl (the Kubernetes CLI). You access kubectl commands by:
       minikube kubectl -- <kubectl commands>
       This is a bit cumbersome. To fix this, run the following:
       sudo ln -s $(which minikube) /usr/local/bin/kubectl
       This allows you to just type kubectl instead of minikube kubectl -- <kubectl commands>.
    8. Confirm kubectl is installed successfully:
    9. kubectl get po -A
    10. You now have a running k8s environment using Minikube.


Installation of Cert-manager

    1. A static install is recommended:
    2. kubectl apply -f
    3. cert-manager may need a couple of minutes to fully install and start the needed pods.
    4. Manual verification:
    5. kubectl get pods --namespace cert-manager
    6. If all pods are in the Running state, your installation of cert-manager was successful. If they aren't all Running yet, give it a couple of minutes and run the command above once more.
    7. **special note** cert-manager creates a cert-manager namespace by default.


Configure a Venafi Issuer for Cert-manager

    1. First, you must enable Token Authentication (OAuth) within Venafi. This article outlines how to set up OAuth in Postman.
    2. Once you get your access token, copy it and paste it into a secret in the Kubernetes cluster:
    3. kubectl create secret generic tpp-secret --namespace=<namespace of your issuer resource> --from-literal=access-token='Your_TPP_ACCESS_TOKEN'
    4. Next, create your issuer file (tpp-issuer.yaml) referencing your TPP server and the tpp-secret you just created:
    5. apiVersion: cert-manager.io/v1
       kind: Issuer
       metadata:
         name: tpp-issuer
         namespace: cert-manager # must be the same namespace as tpp-secret and as the Certificates that reference this Issuer
       spec:
         venafi:
           zone: devops\cert-manager # Set this to the Venafi policy folder you want to use
           tpp:
             url: https://tpp.venafi.example/vedsdk # Change this to the URL of your TPP instance
             caBundle: <base64 encoded string of caBundle PEM file, or empty to use system root CAs>
             credentialsRef:
               name: tpp-secret
    6. Apply the issuer. (Your TPP server must have a valid Venafi operational certificate, and you must reference its root CA in the caBundle field in base64 format.)
    7. kubectl apply -f tpp-issuer.yaml
    8. *Check that the zone (policy folder) created in your TPP policy tree matches the zone in your issuer.
    9. You may receive a couple of errors when applying:
    10. Error initializing issuer: Failed to setup Venafi issuer: error pinging Venafi API: Get https://tppurl/vedsdk/: x509: certificate signed by unknown authority
    11. Error initializing issuer: Failed to setup Venafi issuer: error pinging Venafi API: Get "https://<tppurl>/vedsdk/": dial tcp: lookup <tppurl> on *IP*:53: no such host
    12. First error: your CA trust bundle must be a base64 encoded string of the caBundle PEM file (on a single line), or empty to use system root CAs.
    13. Second error: the cluster's DNS (CoreDNS) cannot resolve the TPP hostname, so a hosts entry needs to be added to the CoreDNS configuration in k8s.
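The CoreDNS hosts entry mentioned for the second error, as an added example that is not part of the original article: the Corefile lives in the coredns ConfigMap in kube-system, and a hosts stanza with fallthrough lets pods (cert-manager included) resolve the TPP hostname while every other name still goes through the normal kubernetes and forward plugins. The address 192.0.2.10 and the name tpp.venafi.example are placeholders for your TPP server, and the rest of the Corefile is the usual Minikube/kubeadm default shown only for context.

```yaml
# Added example: CoreDNS ConfigMap (kube-system/coredns) with a static hosts
# entry for the TPP server. 192.0.2.10 and tpp.venafi.example are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        # Static entry so the cluster can resolve the TPP host; fallthrough
        # hands every other query on to the remaining plugins.
        hosts {
           192.0.2.10 tpp.venafi.example
           fallthrough
        }
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }
```

Add only the hosts stanza to the ConfigMap your cluster already has (kubectl -n kube-system edit configmap coredns) rather than replacing it wholesale, so cluster-specific settings survive. The reload plugin picks the change up after a short delay; to apply it immediately, run kubectl -n kube-system rollout restart deployment coredns and then re-apply the issuer.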


Creating Certificates

    1. Save the following YAML file, make changes to the domain name as needed to create a certificate, and apply it.
    2. apiVersion: cert-manager.io/v1
       kind: Certificate
       metadata:
         name: cert1.(yourDomain)
         namespace: cert-manager
       spec:
         secretName: cert1.(yourDomain)
         dnsNames:
           - cert1.(yourDomain)
         commonName: cert1.(yourDomain)
         issuerRef:
           name: tpp-issuer
           kind: Issuer
    3. touch cert1.yaml
    4. sudo nano cert1.yaml (make changes to match your environment)
    5. kubectl apply -f cert1.yaml (This sends the certificate request to your TPP issuer.)
    6. Navigate to your zone (policy folder) on your TPP server and you should see your newly created certificate.



You now have a working Kubernetes environment with cert-manager installed. You have a functioning connection to your Venafi issuer and can successfully issue certificates through cert-manager.


