# Cert-Manager on GKE

###### tags: `kubernetes` `GKE`

## Install

Before: [Install Helm](https://hackmd.io/4D34NOlfS4GMqHTTSon54g)

Use the Helm chart: https://github.com/helm/charts/tree/master/stable/cert-manager#installing-the-chart

Using DNS validation:

Create a service account "clouddns" with the "DNS Administrator" privilege.

Store the service account key in a secret (in the cert-manager namespace):

```
kubectl create secret generic clouddns-service-account --from-file=service-account.json=clouddns-svc-account.json -n cert-manager
```

- `clouddns-service-account`: secret name
- `service-account.json`: key name in the secret
- `clouddns-svc-account.json`: your service account file generated from the Gcloud Console

You should see this:

```
$ k ksd get secret clouddns-service-account -o yaml -n cert-manager
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: "2019-09-20T13:29:24Z"
  name: clouddns-service-account
  namespace: cert-manager
  resourceVersion: "259985"
  selfLink: /api/v1/namespaces/cert-manager/secrets/clouddns-service-account
  uid: xxxxxx
stringData:
  service-account.json: |
    {
      "type": "service_account",
      "project_id": "project-ID",
      "private_key_id": "xxxxxxx",
      "private_key": "xxxxxx",
      "client_email": "clouddns@projectID.iam.gserviceaccount.com",
      "client_id": "xxxxxxxx",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "...."
    }
type: Opaque
```

After applying the ClusterIssuer and Certificate:

```
$ k logs -n cert-manager -l app=cert-manager -c cert-manager
I0920 13:46:48.377417 1 dns.go:118] DNS record for "gac.idzhq.com" not yet propagated
I0920 13:46:48.377762 1 controller.go:211] challenges controller: Finished processing work item "istio-system/demo-certificate-451903720-0"
I0920 13:46:58.344961 1 controller.go:205] challenges controller: syncing item 'istio-system/demo-certificate-451903720-0'
I0920 13:46:58.345373 1 dns.go:110] Checking DNS propagation for "gac.idzhq.com" using name servers: [10.0.16.10:53]
I0920 13:46:58.348218 1 wait.go:70] Updating FQDN: _acme-challenge.gac.idzhq.com. with it's CNAME: gac.idzhq.com.
I0920 13:46:58.360910 1 dns.go:118] DNS record for "gac.idzhq.com" not yet propagated
I0920 13:46:58.361158 1 controller.go:211] challenges controller: Finished processing work item "istio-system/demo-certificate-451903720-0"
I0920 13:46:59.770598 1 controller.go:205] challenges controller: syncing item 'istio-system/demo-certificate-1432344989-0'
E0920 13:46:59.770640 1 controller.go:229] ch 'istio-system/demo-certificate-1432344989-0' in work queue no longer exists
I0920 13:46:59.770648 1 controller.go:211] challenges controller: Finished processing work item "istio-system/demo-certificate-1432344989-0"
```
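
The note applies a ClusterIssuer and a Certificate without showing them. The manifests below are an added example, not the author's own files; the secret name and key, certificate name, namespace and DNS name come from the commands and logs above. Assumptions: the current `cert-manager.io/v1` API (the chart linked above shipped the older `certmanager.k8s.io/v1alpha1` group), Let's Encrypt as the ACME CA, and placeholder values for the issuer name, e-mail, project and TLS secret name.

```yaml
# Added example, not from the original note.
# Assumes the cert-manager.io/v1 API; adjust apiVersion to the installed CRDs.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-clouddns                    # assumed issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory   # assumed ACME CA
    email: admin@example.com                    # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-clouddns-account-key    # assumed; holds the ACME account key
    solvers:
      - dns01:
          cloudDNS:
            project: project-ID                 # placeholder, same as in the secret
            serviceAccountSecretRef:
              name: clouddns-service-account    # secret created above
              key: service-account.json         # key name inside that secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate                        # matches the challenge names in the logs
  namespace: istio-system
spec:
  secretName: demo-certificate-tls              # assumed name for the issued key pair
  dnsNames:
    - gac.idzhq.com
  issuerRef:
    name: letsencrypt-clouddns
    kind: ClusterIssuer
```

A ClusterIssuer resolves `serviceAccountSecretRef` in cert-manager's cluster resource namespace, which defaults to `cert-manager`, so the secret created with `-n cert-manager` above is where it will look.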